China’s favorite mobile payment technology has a security problem
QR codes are cheap and easy to use, but also vulnerable to scammers
Mr. Kwok hadn’t even finished paying for his meal when he received an SMS on his phone, saying that 999 yuan (US$148) was just deducted from his electronic wallet. What’s more, even though he was at a restaurant, the money was sent to a billiard hall, according to Shaanxi Television.
Kwok, a police officer, asked to check the surveillance footage. The culprit turned out to be someone who surreptitiously photographed Kwok’s phone screen, which was showing his personal payment QR code on Alipay -- Alibaba’s payment app. That picture was enough: the code on the screen is all a merchant’s scanner needs to pull money from the account, so a photograph of it works just as well as the phone itself, and the offender was able to spend from Kwok’s account.
(Abacus is a unit of the South China Morning Post, which is owned by Alibaba.)
QR codes have spread far and wide as a payment method in China because they are so simple. They don’t require fancy technology to operate: Shoppers either scan the merchant’s code with their phone’s camera, or have the shop scan their personal code with a reader. It’s cheap and easy to use.
Unfortunately, that also means QR codes can be easily stolen, replaced, or manipulated for nefarious purposes. Among the various risks of mobile payment, scanning QR codes from unknown sources is considered one of the most serious. According to a recent survey by UnionPay, some respondents said they habitually scan every QR code they come across that claims to offer some kind of shopping discount.
Here, we should explain there are actually two types of QR codes: Static and dynamic.
As their name implies, static codes contain fixed information. They’re the ones you find printed on billboards and in magazines, leading you to a fixed address, and whoever prints the code decides once and for all what it points to. Dynamic codes, on the other hand, are just a pointer to a record that the issuer controls, so the issuer can change the destination they lead to, make each one expire after a short time, or disable it once it has been used. They’re the kind usually generated by payment apps in China.
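To make the difference concrete, here is an added example (not Alipay’s or any real payment app’s scheme, and not code from the original article) of how an issuer can make a payment code dynamic: each code is bound to an account, signed with a server-side key, valid for only a short window, capped at a per-transaction amount, and rejected once redeemed. The class name, the key, the 60-second window and the account and merchant identifiers are all assumptions made for the example. It also shows the limit of the approach in the Kwok case: a photographed code still works once, as long as it is presented before it expires.

```python
"""
Illustrative dynamic payment-code issuer and verifier.

Added example, not the real scheme of Alipay, WeChat Pay or any other
product. It models the properties the text attributes to dynamic codes:
bound to an account, short-lived, and rejected once redeemed. All names
(PaymentCodeService, the key, account and merchant ids) are assumptions.
"""
import hashlib
import hmac
import secrets
import time


class PaymentCodeService:
    """Server-side issuer and redeemer of short-lived, single-use payment codes."""

    def __init__(self, key, ttl_seconds=60, max_amount=1000):
        self.key = key                  # secret known only to the issuer (assumed)
        self.ttl = ttl_seconds          # how long a displayed code stays valid
        self.max_amount = max_amount    # per-transaction cap for code payments
        self.used = set()               # nonces already redeemed (replay list)
        self.ledger = []                # (account, merchant, amount, time) records

    def _tag(self, body):
        # Truncated HMAC-SHA256 over the code body; only the issuer can produce it.
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, account_id, now=None):
        """Return the string the customer's phone would encode as a QR image."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)    # makes each displayed code unique
        exp = int(now) + self.ttl       # expiry as a Unix timestamp
        body = f"{account_id}|{nonce}|{exp}"
        return f"{body}|{self._tag(body)}"

    def redeem(self, code, merchant_id, amount, now=None):
        """Called with a scanned code by the merchant's terminal. Returns (ok, reason)."""
        now = time.time() if now is None else now
        parts = code.split("|")
        if len(parts) != 4:
            return False, "malformed"          # e.g. a static code pasted in
        account_id, nonce, exp, tag = parts
        # Integrity first: an edited or forged code fails the MAC check.
        expected = self._tag(f"{account_id}|{nonce}|{exp}")
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        if now > int(exp):
            return False, "expired"            # the display refreshed long ago
        if amount > self.max_amount:
            return False, "amount exceeds limit"
        # Single use: a nonce seen before is a replay, whether from a photo or a copy.
        if nonce in self.used:
            return False, "already used"
        self.used.add(nonce)
        self.ledger.append((account_id, merchant_id, amount, now))
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the restaurant incident described above.
    svc = PaymentCodeService(secrets.token_bytes(32), ttl_seconds=60)
    shown = svc.issue("acct-kwok")                   # code on the customer's screen
    print(svc.redeem(shown, "billiard-hall", 999))   # photographed copy, used in time
    print(svc.redeem(shown, "restaurant", 50))       # the real merchant is now refused
```

The order of checks matters: the MAC is verified before anything is looked up so a forged code costs the server no state, and the replay list is consulted last so that a rejected attempt (over the limit, expired) does not consume a legitimate code. Note what the design does not stop: within the validity window the code is a bearer credential, which is why the time window and the per-transaction cap, rather than the code format, bound the damage in a case like Kwok’s.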
China’s central bank, the People’s Bank of China, considers static QR codes far less secure than dynamic ones. And it’s not hard to see why.
Anyone can easily create a static QR code: There are plenty of online tools readily available, and nothing in the code itself proves who made it or where it should lead. One common way to scam unsuspecting victims is to cover a legitimate code with a malicious one that points somewhere else.
In one case reported by People’s Daily last year, a college student in the southern province of Guangdong scanned a QR code on a rental bike near his dorm. It directed him to a billing page asking for 299 yuan (US$44) as a deposit. After he paid, the bike still wouldn’t unlock. That’s when he realized he was tricked: The QR code he scanned was a sticker that covered the original code, likely glued on by fraudsters.
On the Quora-like Q&A site Zhihu, one user recounted another case she had heard of. A vegetable seller had placed an Alipay-sponsored QR code in her stall that would give her a commission whenever a customer scanned it. Later, she realized someone had replaced her QR code with their own, diverting her customers’ scans, and the commission that came with them, to themselves.
Despite the dangers, it’s unlikely people will stop using QR codes anytime soon. There are now some 570 million mobile payment users in China -- that’s 1.75 times the US population. Among them, the QR code remains the most popular choice of payment method.
Authorities are aware. In a new government measure that went into effect last year, transactions conducted via static codes are subject to a daily limit of 500 yuan (US$74) per customer. For dynamic codes, the limit starts far higher at 1,000 yuan (US$148). It can go even higher if additional security measures are adopted, such as two-factor authentication.
Meanwhile, more phone makers are including NFC as an option on their devices. Contactless payment over NFC is far more secure than a QR code: instead of showing a reusable code that anyone with a camera can copy, the phone presents a tokenized card credential and a one-off cryptogram for each transaction, so whatever passes over the air cannot be replayed. The trade-off is that it requires more expensive hardware in both the phone and the merchant’s terminal. It’s what Apple Pay is based on, but so far, it has yet to catch on among Chinese consumers.
In the third quarter of 2018, Alibaba and Tencent still held more than 92% of the mobile payment market, according to research firm Analysys.
And Apple Pay? It wasn’t even among the top eight.