QR/Bar Code Security

Question

I'm trying to learn a bit about QR codes and trying to brainstorm some uses for them. One thing I've come to wonder is about things like iOS's Passbook app. For example, I have an account card in there that can be scanned via a QR code (unless I'm mistaken in thinking that it's a QR code?). This code obviously has to somehow uniquely point to my account. My understanding is that they could simply put a unique ID behind that code that points to my account. So what prevents someone else from masquerading as me by creating a code with my ID somehow (if they were able to get a hold of it)? Is there a way to secure something like that? How is this typically done?

Answer 1

A QR code is just a long sequence of characters, much like a normal barcode is a sequence of digits (or characters for some symbologies). In themselves they are no safer than writing a sequence of characters on a piece of paper, if I can see and copy your QR code, then yes I can become you.

Generally for loyalty type schemes the QR code contains some form of identifier referencing you, but how this is done is completely up to the scheme implementor.

What is good about QR codes though is that you can encode a lot more information into the identifier string. If the codes are being electronically displayed rather than physically printed you also have the ability to encode 'single use' keys so the the server will only process each code once, so even if you copy the QR code it has already been used.

Loyalty schemes somewhat rely on the physical plastic card as a security token, if you present a QR code on a scrappy piece of paper to a cashier it will technically work, but should raise eyebrows. If you present the same code on a plastic credit card with correct logos it should be more acceptable to the cashier.