curiouswebster
asked on
I need to make my QR code bullet proof
I want to make sure nobody "hacks" my QR code by reading the number, and incrementing the value by one...
for example:
www.mydomain.com/codes/1234567
They may be cute and create a URL:
www.mydomain.com/codes/1234568
and find a way to hack into my system. Perhaps, "1234568" would be a valid QR code, IF I used some serial numbering methodology.
Do I need to go through the effort of using a GUID? Long numbers scare people.
Shall I select 10 digits and randomize the values?
And maybe throw in a few letters into the mix?
Thanks.
You've mentioned a few different "what-if's" here and even if you have the most secure QR code in the world, nothing will stop someone that has physical access (A poster, flier, etc...) to the QR code barcode from simply sticking their own QR code on top of yours.
It all stems back to a person being "security conscious". A QR code usually displays where it's going before you interact with it. It's up to the user to pay attention.
Someone with malicious intentions usually won't bother trying to hack your system, they'll just stick their own code on top of yours and call it a day.
Sorry, but this has nothing to do with QR-codes.
Guessing a number is only bad when there is data involved which requires authentication. Many people think using an arbitrarily large domain for a random number is sufficient, but it is not, because it does not eliminate the need for authentication at all.
Thus you need to start at the beginning: What does this URL or URI represent? Which security targets apply?
ASKER
>> Someone with malicious intentions usually won't bother trying to hack your system, they'll just stick their own code on top of yours and call it a day.
Exactly. But, if they can crack my back end by inferring a code which exists, they can also steal my business by using a stolen QR code for their own use.
It's a long shot, I know. But, I want to feel some safety.
The easiest thing to do is to sequence the codes:
www.mydomain.com/codes/1234567
www.mydomain.com/codes/1234568
www.mydomain.com/codes/1234569
But, if the guy buys a five pack, he can pirate my algorithm.
So, my question is, what method should I use to select numbers?
>> But, if they can crack my back end, by inferring a code which exists [..]
Why should this be possible with the knowledge of a single number?
Again: Security targets! They must be identified first, otherwise you cannot implement processes (properly).
A QR code is usually just a link to a webpage, so anyone with the link can guess the values after the ampersand or the final part of the URL. It has absolutely no security at all.
By itself a QR code has no security at all. You can make individual QR codes tailored to an individual, a single-use QR code.
Any security has to come AFTER the user browses to the link contained in the QR code.
- How does someone get a valid QR code?
- Is it unique, or can everybody get and use the same code?
- Who determines that the code is valid? Is it only valid for the first user?
- What event does the QR trigger? A login? A download? A purchase?
- How long is the code valid? Does it time out, or is it good forever?
All QR codes look alike. But a code that is different by one bit, is a completely different code.
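One way to put the two points made above into working code (individual single-use codes, and all checks happening on the server after the link is followed), as an added example that is not from the original thread or from any of the participants: it mints 128-bit random codes so that incrementing a known code finds nothing, stores only a hash of each issued code, and lets the server decide uniqueness, single use and expiry when the URL is hit. It also answers "how many random digits are enough?" with a small expected-value calculation. The host `www.mydomain.com` is the thread's own placeholder; the in-memory store, the 30-day validity window and the "redeem once" rule are assumptions made here, not anything the thread states.

```python
"""Unguessable codes plus server-side checks (added example, not from the thread).

Assumes: a single-process, in-memory store (replace with a database table),
a 'redeem once' business rule and a 30-day validity window. None of these
come from the original discussion; they are stated here as assumptions.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional

CODE_BYTES = 16            # 128 bits of CSPRNG output per code
DEFAULT_TTL = 30 * 86400   # assumed policy: codes expire after 30 days


def new_code() -> str:
    """Return a fresh code from a cryptographic RNG (22 URL-safe characters)."""
    return secrets.token_urlsafe(CODE_BYTES)


def expected_hits(space_size: int, issued: int, attempts: int) -> float:
    """Expected number of live codes an attacker finds by guessing.

    `issued` codes are outstanding in a space of `space_size` possible values
    and the attacker makes `attempts` uniformly random guesses. Each guess
    hits with probability issued/space_size, so the expectation is linear.
    """
    return issued * attempts / space_size


def _fingerprint(code: str) -> str:
    """Store only a hash so a leaked table does not hand out live codes."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class CodeRegistry:
    """Issues codes and enforces uniqueness, single use and expiry."""

    def __init__(self, ttl_seconds: int = DEFAULT_TTL) -> None:
        self.ttl = ttl_seconds
        self._records: Dict[str, dict] = {}   # fingerprint -> issued_at, redeemed

    def issue(self, now: Optional[float] = None) -> str:
        """Mint a code, record its fingerprint, return the plaintext once."""
        now = time.time() if now is None else now
        code = new_code()
        # A repeat in a 128-bit space is astronomically unlikely; the loop
        # just makes the uniqueness guarantee explicit rather than implicit.
        while _fingerprint(code) in self._records:
            code = new_code()
        self._records[_fingerprint(code)] = {"issued_at": now, "redeemed": False}
        return code

    def redeem(self, presented: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'unknown', 'expired' or 'used'.

        Every outcome is decided here, on the server, after the link is
        followed. Scanning the QR image proves nothing by itself.
        """
        now = time.time() if now is None else now
        rec = self._records.get(_fingerprint(presented))
        if rec is None:
            return "unknown"
        if now - rec["issued_at"] > self.ttl:
            return "expired"
        if rec["redeemed"]:
            return "used"
        rec["redeemed"] = True
        return "ok"


if __name__ == "__main__":
    reg = CodeRegistry()
    code = reg.issue(now=1000.0)
    # The host below is the thread's placeholder domain, not a real endpoint.
    print("URL to encode in the QR image:", f"https://www.mydomain.com/codes/{code}")
    print(reg.redeem(code, now=1001.0))        # ok
    print(reg.redeem(code, now=1002.0))        # used
    print(reg.redeem(new_code(), now=1002.0))  # unknown: never issued

    # Ten random decimal digits, 100 000 live codes, a million guesses:
    # the attacker should expect to land on about ten valid codes.
    print(expected_hits(10 ** 10, 100_000, 1_000_000))
    # Same attack against 128-bit codes: effectively zero.
    print(expected_hits(2 ** 128, 100_000, 1_000_000))
```

The `expected_hits` numbers are the practical answer to "10 digits or a GUID?": ten random digits give about 33 bits, which a patient scanner of the URL space will exhaust once enough codes are outstanding, while 128 bits stay out of reach regardless of how many codes are printed. Note that the registry still decides what a valid code is allowed to do; an unguessable identifier limits enumeration but does not replace that check.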