4/15/2009

Phony QR Codes Everywhere

2D barcodes are everywhere in Japan, as I introduced in my previous blog article. (The pictures above are from http://www.atpress.ne.jp/view/5401 and http://blog.goo.ne.jp/qr_quel/e/f109124f6ee13baf0bb9c065ceb4e0a5) Real objects are linked to related information sources. This observation, a linkage between the real world and cyberspace, reminds us of two key concepts: digital signage and crossmedia communication. You may see digital signs with flat displays in downtown areas; they embody the concept of digital signage. If a 2D barcode appears on the display, you can switch the storyline from that display medium to your cell phone. In general, signs (including digital ones) can be found everywhere, and they invite you to another medium, in this context mobile communication. The insight here is that such crossmedia communication provides coarse-to-fine information retrieval, in other words, a public-to-personal level shift in communication.

Shifting communication from a public medium to a dedicated one exposes a risk of privacy violation and, as a result, of phishing, which attempts to acquire usernames, passwords, credit card numbers, etc. In 2007, Prof. Sakamura and his research team at the University of Tokyo conducted an interesting experiment in the Shinjuku district, a downtown area of Tokyo. In their experiment, 2D barcodes were attached to 300 telegraph poles. They tried to prove the vulnerability of 2D barcodes to phishing, in comparison with their trusted code schemes. That intent was proved successfully. Three hundred 2D barcodes were maliciously replaced by someone with phony barcodes that invited potential customers to adult content providers. Here is an example which my colleagues and I demonstrated.



Prof. Sakamura’s paper “Verifying Identifier-Authenticity in Ubiquitous Computing Environment” (2007) proposes an authentication mechanism for 2D barcodes. We need more bits to authenticate barcodes, supposing PKI-based technologies are adopted. Microsoft’s High Capacity Color Barcode (HCCB) is a typical technology. (See my article: Minoru Etoh, "Cellular Phones as Information Hubs," Proc. ACM SIGIR Workshop on Mobile Information Retrieval, Singapore, July 2008.)

On the one hand, we can add an authentication mechanism to a code system, as proposed by the University of Tokyo and Microsoft; on the other hand, it is hard to see the “conjunction integrity” of the code and the real object. We can paste verified codes onto any object. Although the code itself is not phony, the integrity of the attachment, that the right code is attached to the right object, is not guaranteed. Verifying the integrity of code attachment, in other words, indivisible authentication of the integral pair of code and object, is the key technical issue.
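As an added illustration (not from the original post or the cited papers), the Node.js sketch below signs a barcode payload with an Ed25519 key standing in for a PKI-certified issuer. It shows both points made above: the signature costs extra payload bytes, and a correctly signed code still verifies after being moved to another object unless the reader can learn the object's identity independently. The payload layout, URLs, pole IDs and the `observedObjectId` input are assumptions made for the example.

```javascript
// Added illustration: keys, URLs and pole IDs are constructed sample values.
const { generateKeyPairSync, sign, verify } = require('crypto');

// Ed25519 key pair standing in for a PKI-certified code issuer (assumption).
const issuer = generateKeyPairSync('ed25519');

// Issuer side: the barcode carries "<JSON fields>.<base64 signature>".
function issueCode(fields, privateKey) {
  const body = JSON.stringify(fields);
  const sig = sign(null, Buffer.from(body), privateKey).toString('base64');
  return `${body}.${sig}`;
}

// Reader side: verify the signature, then compare the signed object ID (if any)
// with an identity the reader obtained independently of the barcode.
function scan(code, publicKey, observedObjectId) {
  const cut = code.lastIndexOf('.');
  if (cut < 0) return { ok: false, reason: 'unsigned' };
  const body = code.slice(0, cut);
  const sig = Buffer.from(code.slice(cut + 1), 'base64');
  if (sig.length !== 64 || !verify(null, Buffer.from(body), publicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  const fields = JSON.parse(body);
  if (fields.object !== undefined && fields.object !== observedObjectId) {
    return { ok: false, reason: 'code is on the wrong object' };
  }
  return { ok: true, url: fields.url };
}

function demo() {
  const url = 'https://shop.example/pole-17';
  const plain = issueCode({ url }, issuer.privateKey);
  const bound = issueCode({ url, object: 'pole-17' }, issuer.privateKey);
  const phony = issueCode({ url: 'https://phony.example/' },
                          generateKeyPairSync('ed25519').privateKey);
  return {
    phony: scan(phony, issuer.publicKey, 'pole-17').reason, // replaced sticker
    moved: scan(plain, issuer.publicKey, 'pole-99').ok,     // genuine code, wrong pole
    boundHome: scan(bound, issuer.publicKey, 'pole-17').ok,
    boundMoved: scan(bound, issuer.publicKey, 'pole-99').reason,
    extraBytes: Buffer.byteLength(plain) - Buffer.byteLength(JSON.stringify({ url })),
  };
}

console.log(demo());
```

The `boundMoved` rejection depends entirely on where `observedObjectId` comes from; if the reader takes it from the barcode or from the user, the binding check adds nothing, which is the open issue named above.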
