In the crypto world, it is common knowledge that public keys can be shared freely, as those keys simply represent an address that can be used to receive money. Unlike private keys, public keys cannot be used to withdraw funds from an address. However, it seems that public key sharing is quickly becoming the target of attackers who exploit QR codes.
QR codes are simply scannable images that represent a string of text. Mobile wallets commonly rely on QR codes because they provide a way for users to share a wallet address without the need for typing. The problem is that QR codes are easy to generate and hard to distinguish, and various malicious sites are taking advantage of that fact.
The Rise of Malicious Sites
Plenty of legitimate sites and wallets can convert crypto addresses to QR codes. However, a number of malicious sites are also offering the same function while surreptitiously inserting their own address. This technique is called a man-in-the-middle attack because attackers don’t actually gain access to a wallet — they simply intercept and redirect a transaction.
Since malicious sites frequently change the addresses that they use, it is hard to say exactly how much cryptocurrency these sites have stolen. However, after examining three different sites that rank highly in Google’s search results, it becomes clear that a small number of sites have stolen a substantial amount of money in a short time:
Received: $2,833.88 Active for: 32 days
Used by: bitcoinqrcodegenerator.win
Received: $6,022.64 Active for: 145 days
Used by: bitcoin-qr-code.com
Received: $161.74 Active for: 108 days
Used by: bitcoin-btc-qr-code-generator.com
Assuming that these numbers remain more or less consistent over time, these three sites would collectively be responsible for stealing over $47,000 worth of Bitcoin in a year. This doesn’t account for the fact that one of the sites also owns Ethereum, Litecoin, and Bitcoin Cash addresses, meaning that the total amount of stolen crypto could be even higher.
Preventing An Attack
This sort of attack is very effective due to the fact that nearly every QR code looks identical to the naked eye. Human-readable (or at least human-recognizable) QR codes would partially solve the problem, but since addresses themselves aren’t human readable, this solution can only go so far. Alternately, transaction verification features such as Ardor’s vouchers could ensure that crypto transfers reach the right person.
Neither of these solutions are widespread, though. Until cryptocurrencies or wallets implement a feature that prevents this sort of attack, the best solution is to use a reputable wallet with a built-in QR code generator. Ideally, you should also verify your QR code by reversing it and seeing if it produces the correct address, but selecting a trustworthy wallet is an important first step.
The post QR Code Fraud Could Result In $50,000 of Stolen Bitcoin Each Year appeared first on UNHASHED.