Avoiding a QR Code Nightmare
This blog is the first in a small series of articles aimed at “Protecting Your Crypto.”
In this series, we will explore the latest tools and tricks being used in the cryptocurrency space to steal and cheat honest investors. The series will include investigations on QR code scams, spear phishing, SIM-swapping, and 2FA. This blog is the first in the series where will take a look at a relatively new way to scam bitcoin users using QR codes.
Researchers from cryptocurrency wallet app ZenGo are warning the public about a rise in bitcoin QR code related scams. The research released in a blog article titled QR Code Degenerators: Unmasking a Crypto Scam found that four of the top five search results on Google for “Bitcoin QR Generators” leads to websites trying to scam users.
If a user on one of these websites tries to generate a QR code for their own Bitcoin address, then the sites instead generate a QR code for the scammer’s own wallet. As the author of the ZenGo article Tal Be’ery explains, “These sites generate a QR code that encodes an address controlled by the scammers, instead of the one requested by the user, thus directing all payments for this QR code to the scammers (Be’ery, 2019)”.
Stated more simply, if the user on one of the scam websites is unaware of the QR code scam, then anyone transferring funds to that user’s wallet will end up unknowingly sending the funds to the scammer’s wallet. Greg Thomson of Cryptocurrency News explains that the crime goes even further by adding that “when a user of one of these websites copies an address to their clipboard in order to paste it, the websites silently replace the address with that of the scammer’s (Thomson, 2009).” The scammer’s make the process of recovering the assets even more difficult by switching Bitcoin addresses to avoid detection.
Scanning QR codes has become popular by making the process of sharing of Bitcoin faster and easier compared to using the long string of characters in Bitcoin addresses. Most often, users scan a QR code with a camera to send or receive cryptocurrencies directly from their smartphones.
QR codes are commonly used person-to-person point-of-sales transactions when it is difficult to copy and paste a user’s Bitcoin address (Cryptocurrency Facts, 2019). QR codes are also helpful when sending cryptos between two devices and when sharing wallet addresses. Thomson explains that “the QR code has become a staple of the cryptocurrency space in recent times. They are used by vendors, content creators, and tippers on a constant basis - all over the internet.”
At NDAX we provide QR codes in a secure way that prevents our users from being scammed by online QR code generators. NDAX automatically turns a user’s wallet address into a QR code, eliminating the need for the user to generate a QR code when sending funds to their NDAX account or giving another user their own wallet QR code. Websites that do not automatically generate the QR code require the user to generate one themselves, opening up the possibility of being scammed by ill-intentioned generators.
To avoid being scammed, ZenGo has listed three recommendations to users needing to export their bitcoin address as a QR code:
· Don’t Google it! If you need a QR code, use a known site, such as your favorite block explorer (Be’ery, 2019).
· Verify: Before sharing the QR, scan it with a wallet app and verify the scanned address is your original address (Be’ery, 2019).
· Threat intelligence service: Using a threat intelligence service as a browser add on (e.g., MetaCert’s Cryptonite) and wallet that alerts on scammy sites and addresses can be useful sometimes, but is not a silver bullet as these services’ coverage cannot be hermetic (Be’ery, 2019).
The ZenGo researchers discovered that nearly $20,000 has been stolen using QR scams, admitting that this amount is likely to be just “the tip of the iceberg.” As Cointelegraph reported in July, the South Korean Justice Ministry estimates that cryptocurrency-related crimes have caused about $2.28 billion in financial damages between July 2017 and June 2019 (Zmudzinski, 2019).
For these reasons, it is more important than ever that cryptocurrency traders and investors know about the latest scams and thefts that can threaten your cryptocurrency holdings. Keep an eye out for the second part of our “Protecting Your Crypto” series where we explore the world of spear phishing.
Referenced Articles:
Bambrough, B. (2019, September 12). Researchers Have Issued A serious Bitcoin Security Warning. Retrieved from https://www.forbes.com/sites/billybambrough/2019/09/12/researchers-have-issued-a-serious-bitcoin-qr-code-warning/#1bc1263e6d12
Be’ery, T. (2019, August 29). QR Code Degenerators: Unmasking a Crypto Scam. Retrieved from https://zengo.com/qr-code-degenerators/
Thomson, G. (2019, August 30). 4 of 5 Bitcoin QR Code Generators Are Complete Scams. Retrieved from https://www.ccn.com/4-of-5-bitcoin-qr-code-generators-are-complete-scams/
Zmudzinski, A. (2019, September 6) Four Out of Five Bitcoin QR Generators are Scams: Report. Retrieved from https://cointelegraph.com/news/four-out-of-five-top-bitcoin-qr-code-generators-are-scams-report
If you are based in Canada and looking for a Canadian Bitcoin exchange, then take a look at NDAX. NDAX is an easy-to-use, beginner-friendly exchange that can give you easy access to trade Bitcoin and other cryptocurrencies like Ethereum, Ripple, Litecoin, Cardano, Dogecoin, EOS and Stellar.