Malicious Detection of Links using Extension of Quick Response Codes

MALICIOUS DETECTION OF LINKS USING EXTENSION OF QUICK RESPONSE CODES

Shamil Aripov

Master degree, Department of Computer Engineering & Information Security, IITU University,

Kazakhstan, Almaty

Abdul Razaque

Full Professor and IT Director, PhD Computer Science & Engineering, Department of Computer Engineering & Information Security, IITU University,

Kazakhstan, Almaty

 

ABSTRACT

Many people use Quickly Response codes for payment operations, transactions in their daily life, which is comfortable for them. On the other hand, Quickly Response codes have spaces in security. As consequences, a lot of private information are stolen and people do not even realize it. Some researchers and scientists tried to solve the problem of unsecure Quickly Response codes, but unfortunately, this problem is not completely resolved yet. We introduce Save Quick Response codes extension for people to avoid unsecured Quickly Response codes. Save Quickly Response code’s algorithm, which is based on Hypertext Preprocessor platform, able to detect unsafe links provided by Quickly Response codes and helps to avoid or at least notify people that unsecured Quickly Response code is going to be used. Based on results taken from experiments, private information kept safe and untouched, meaning that safety provided by this extension is much higher in comparison with the other solutions.

 

Keywords: QR codes, information, Malicious code, Verification, Unsafe Detection of links.

 

I. INTRODUCTION

With the increase of modernity of human society, information becomes the most important resource. This information needs to be protected. That is why information is encoded by the sender and then decrypted by the reciever. A Quickly Response code is just an encoded information that can be decrypted by any person with a scanning device. These 2-D array codes can help to get the information that a person needs more conveniently, modernly and quickly [1].

2-D codes are barcodes. First barcode was 1D and was used to identify products. The limitation of storage in the 1D barcode was the cause to create 2D barcodes, which could contain not only product identification information, but also description [2].

The concept of "Quickly Responce code" made in Japan in 1994, where the Denso-Wave company, which was part of a large Toyota organization, needed to develop these codes [3]. The company needed to store a large amount of information on a small surface area. Initially, QR codes were used only for industrial purposes. Then, the range of their usage was significantly expanded, taking a certain place in our life.

A QR code [4] is a two-dimensional representation of a common barcode that can be placed on any manufactured product. A barcode is a machine-readable mark, which contains information about the object to which it is linked. At first sight, it may seems that a QR code is not able to contain a large amount of information, but in fact, the capacity of such a code is quite large. The QR code itself may contain up to 3000 bytes of encoded data [5].

QR code can provide protection of information by itself [6]. But firstly, it has to be confirmed that QR codes are safe to use.

The COVID-19 – hard pandemic time, when people started to avoid touching anything because of possible infection [7]. QR codes makes our health safer, with opportunity to make transactions without touches.

Nowadays there are many features to get COVID-19 and other results by QR code, which surfs the user to the site where results are provided [8]. This information is also private and significance to keep this data safe is high.

It is important to ensure that the data transmitted through the QR code is not harmful to the user, if in one word - secured. Currently there are two potential vulnerabilities in QR systems: human interaction attacks and automated attacks [9].

Automated attack’s purpose is to change SQL queries in the program, which can change the receiver’s address. This attacks could be cause of money, private information stealing.

Human interaction attacks [10] are based on the fact that people cannot decode QR code without naked eye, however, they just rely on QR decoder programs (scanners). Fake QR codes, which are used for phishing (QRishing) [11], might be instead of normal QR code, so then private information could be easily stolen by hacker.

The other attack to mention is email spoofing [12]. The attacker sends fake email with phishing or malicious software’s link. When user surfs through it, information existing on PC is vulnerable.

We propose possible solutions to QR code attacks, with introducing third-party Save Quick Response Codes (SaveQR) extension. It provides safety of QR codes by checking security of protocols.

Stimulated by possible interaction, automated attack problems, we contribute:

• The proposed SaveQR extension for browsers, which compares currently scanned QR code with the original one to identify spaces in security;
• Demonstrated algorithms for request to check QR code and to verify its security;
• Compared and detected the advantages of our proposed extension.

Below we explain the rest of our organized plan:

Section II describes identification of the problem with its significance. In Section III the works related with QR safety problems are briefly explained. In section IV the system module of our extension illustrated. Section V demonstrates the proposed SaveQR extension. The rest of the work, based on QR security solution, experiments and discussion, is concluded in the section VI and section VII.

II. PROBLEM IDENTIFICATION

Attackers use malicious QR codes as a way to carry out phishing. For example, hacker can produce a thousand leaflets, name them like they are from some certified company, with the fake description, which attracts people’s attention, and a malicious QR code. When it is scanned, the smartphone will surf a website labeled “Thank you for joining” and receive the trojan. A targeted attack can also be carried out using cross-site scripting, when the original QR code is replaced with a malicious one [13] through a hole in safety in a legitimate site. While infecting your smartphone with a malicious QR code, a hacker can also access your messages, GPS navigation, and turn on cameras. Trojans are also capable of sending spam via SMS or arranging DDoS attacks through your device.

For society, the main problem comes from financial crimes – when information of a transaction is changed by malicious QR code and money transfers to malicious code creator.

According to Central bank of the Russian Federation calculations [14], nearly 14,5 million dollars were stolen in China up to this day, through the malicious QR codes.

III. RELATED WORK

The salient features of related work are summarized in this section. A third party extension Save QR may work as a connector and verifier between QR codes and URLs. The advantage of this approach is that user could see is URL safe or connection trusted, before surfing through the URL. When QR code scanner scans 2-D matrix, the whole domain name with hypertext protocol is shown, so it is more understandable for users if QR secured or not. Another possible solution for increasing security of QR codes is to create application for user, who wants to create his own QR code (banks, markets and etc.). In this application, user able to press button to generate random secure key, which then spreads in whole 2-D matrix. When our barcode is attempted to be changed, secure key also changes, which means that QR code stop working as a URL.

Focardi et. al. [15] proposed an idea to use JSON (JavaScript Object Notation) as a standard to be used while encrypting or decrypting QR Codes. He mentioned that third party applications and tools have weak crypto mechanisms, which then leads to spaces in security. It is good idea, if there is no other possibility to make for existing applications one encryption standard.

Dudheria R. [16] explores weaknesses of Android scanners by using android applications. Some of them redirects directly to URLs, without checking are they secured or not, while only two apps from Kaspersky Lab and GData QR confirms validation on URLs transferred through the QRs. They also found that only 8 apps out of 14 checked saves QRs from malware fake codes and phishing (QRishing).

Sijia Liu et. al. [17] introduced a two-level QR code scheme, which uses polynomial algorithms to make data flow with secret sharing algorithm through the open channels. This approach based on replacing module of QR code with 3x3 submodule. Analysis shown that probability of attacks has been decreased while using two-level QR code. Additionally, these QRs are available to decode with simple QR scanners, which makes it easier to use.

Rogel et. al. [18] explored verification of QR codes based on modified SHA-1 algorithm. This approach organized with modifying QR code with SHA-1 algorithm, and then creating certificate to it. So then, while any QR reader starting to scan QR, only generated hash value sends to web server. If hash exists, certificate and ID is retrieved to SHA-1 algorithm, which compares this hash with QR hash. Difference of these hashes means that scanned QR was modified in comparison with original one. The only think to mention against this approach is that smartphone camera for scanning should focus and capture this QR very clearly, otherwise it could not check correctly.

Zhang Y. [19] proposed his tool named CANTINA. It is a program made to detect phishing websites. This approach identifies is a website secured or not by looking at the URL and domain name. CANTINA is unique approach, because it uses inverse document frequency algorithm, which evaluates the frequency of connection to information on the website. Then, it make signatures for five websites, which were the best ones in IDF weights. This signature is transferred to Google search as an input to verify that this website is secured. The results show that CANTINA tool is very effective, saving from 97% of possible phishing URL’s. On the other hand, this tool is not understandable for society, as same as QR codes, so it need simple in usage GUI or, at least, simple usage guide.

Bui et. al. [20] introduced a method for QR codes, with hiding in code a secret message using Reed-Solomon code. Reed-Solomon code is normally used for correction errors in QR codes. The purpose of this secret message is to avoid modification attacks through the vulnerabilities, created from automated attacks or SQL injections. This method saves original QR code, because secret message is invisible to attackers and secure against modifications.

Yao et. al. [21] proposed an idea to design software which provides user friendly interface about QR codes before surfing through it. They analyzed the most frequently scanned QR code for Android. The results show that most users are not able to recognize or detect phishing attacks, while they are just scanning QR and pass through the code to website without any notification about security. However, application could demonstrate the website’s information before go to the web page, including URL security information, SQL queries information and other.

Chow et. al. [22] were presented an (n, n) QR code secret message encoding technique. This message is partially spread in random places of QR code’s matrix, so while phishing tools change an array, QR code stops working as an transformer to URL and nothing happens. The advantage of this technique is that no encryption keys are required. The other advantage is that it is hard to change bits of an array without damage secret message, which is spread out in  array.

Dhamija and Tygar [23] proposed to add an image from the user as a background to a trusted window. This background is combined with code by using visual hash, generated by the server. So, when user does not see clear image – it means that QR code is malicious. However, as the approach notes, this approach may improve security, but is still vulnerable to some kinds of malwares, which can generate visual hash that will visually demonstrate same and clear image as it should be.

Suppat R. et. al. [24] proposes QR Code embedded technique for invisible watermarking by using Discrete-Cosine-transform compare with DiscreteFourier-Transform (DFT). Their result shows comparison between mid-band coefficients and low-band coefficients. But as same as in previous techniques, third party extension is needed to check URLs of QR code before surfing.

Sheng et. al. [25] created a game  in order to give first instructions about security of web URLs. In the game, Phil fish is eating worms. To stay alive, it should eat only “healthy” worms, which are named as secured URLs, otherwise it dies. While playing, lots of useful information comes as stories, so then users can differ secured URLs from unsecured ones. The advantage is that if QR code scanner shows URL before surf through it – user can recognize and differ secured from unsecured one. The disadvantage is that nowadays QR code scanners never show URL before passing through it, so this approach is not useful until QR scanners do not show to users URLs.

After evaluation of existing techniques, it is expected that these approaches have own advantages and could be useful in security of QR codes. On the other hand, there is no any approach with user-friendly application and simple graphical user interface. SaveQR extension can resolve this issue, especially after upgrading it by useful functionalities from existing approaches.

IV. SYSTEM MODEL

Proposed Save QR extension’s system module consists of servers and QR code’s data recognizer. Servers store user’s QR codes to compare them with the ones which other users are scanning. Servers are local to make protection from attacks better than in cloud servers. For user, who wants to create their own QR, feature to register and authenticate is provided. This feature makes protection and safety more simple while comparing QRs, because the initial QR code is saved in local server of the extension.

In the Figure 1 we demonstrate the architecture of our approach. While scanning, the data transfer made through Secured Shell (SSH) protocol, which makes data transfer secured although transfer is made with unsecured network. To compare data came from scanner, extension sends it to database, which is located in local server, through secured File Transfer Protocol (FTP).

 

Figure 1. Architecture of system module

 

The data is stored via quad hashing, as it is shown in the Figure 2. Quad hashing helps to save time while saving data in the database. The other advantage is that this approach avoids collisions in data indexes or memory cells.

 

Figure 2. Passing data to the server

 

Data saved in the server is used to save and then get QR codes to check them for security. Extension provides this data to the database, which is held on the server.

V. PROPOSED SAVE QUICKLY RESPONSE CODE EXTENSION PROCESS

In this section, we propose our Save Quickly Response code extension which provides secure QR codes usage scanned through this third party extension. This solution created to ensure that QR codes have no spaces in security and are safe in usage. Our third party extension is focused exactly on security verification, so we implement our approach to use QR codes without any doubts that it may have some space in security while scanning it.

Our proposed process consists of:

• Verifying QR codes;
• Quad hash function;
• RSA password encryption method;
• Login encryption via Diffie-Hellman approach.

A. Verifying QR codes

Save Quickly Response code extension consists of two algorithms, which together provide security for user while surfing through the URLs encoded by QR codes.

The Figure 3 illustrates capabilities of extension while using it. After downloading our extension, the user may authenticate or just instantly start to use it, if it is needed. Unauthorized users may scan and check results if QR secured or not, while authorized ones can also surf through the history of QR codes, which they have checked before. Existing functions to use extension request data from the database.

 

Figure 3. Save QR extension’s activity diagram

 

First of them stands for creating data streams. This algorithm is used to make extension multithreaded. Each thread is created for one user, so then many users could surf and use this extension at the same time, without any deadlocks, queues or delays. As Quickly Response codes are widely used to save time and transfer information faster, multithread approach is used. It helps to process QRs synchronously, so many users could use extension at the same time.

The second one responses for checking each thread, with embedded inside it QR code, if it is secured or not. Of course, each QR is checked individually and in parallel, because the first algorithm has already provided this feature. If QR code is secured, extension gives permission to use QR code’s data, otherwise it notifies user about possible space in security. Data is checked with the original one, that is why any edition in data is counted as space in security, while successfully checked and passed code is said to be secured one.

Algorithm 1 demonstrates the creation process of the list of data streams. In step-1, initialization process of given variables is demonstrated. Steps 2 and 3 show initial input and resulting output for data streams. Steps 4, 5 and 6 illustrate the declaration and increment process while new request is coming. Step-7 demonstrates the process of adding new QR check request to the thread. Steps 8 to 10 explain the process of adding the thread with QR check request to the list of threads, so then multithread list is available and each user can use app without any delay.

Theorem 1. Users prefer multi-threaded applications than single-threaded.

Proof. QR codes are commonly used to save user’s time while sending some information though it [1]. The online test and questionnaires are confirmed that more than 75% of users are avoid to use single-threaded applications. The 28 out of 36 students are decline to download extensions which are not serve them simultaneously. Thus, single-threaded applications deny users to use application at the same time. It means that the other users are waiting until the first one finishes to use single-threaded application, and the main purpose to use QR codes is reset to zero.

Corollary 1. According to the proves made with online tests, students and the other users prefer to use multi-threaded applications to not waste their own time. From point of their view, time is the most valuable resource.

In algorithm 2, the security checking process of the each of QR code is demonstrated. In step-1, initialization process of given variables is explained. In steps 2 and 3, the coming input data and output are shown. In steps 4-8, the thread with QR code is under check process. These steps demonstrate verification of security of the QR codes.

B. Quad hash function

In the proposed Save QR extension QR codes are stored in local server with the help of quadratic hashing. Insertion of QR data to the storage, or Data’s index (Di) could be realized with the usage of the following formula:

Di = K2 + H                                                                                                       (1)

Where,

Di: data index, where data from the QR code is saved; K: key of the function to allocate QR data; H: hash function.

The key (K) can be found as follows:

K =  H + 1                                                                                                           (2)

It needs to be noticed that if collision of Data’s index occurs and location in memory is already filled and not empty, the function with the formula to find key is recalled.

Evaluation of memory needed to save data from QR code in database can be obtained as:

M =  ΣT / |T|                                                                                                       (3)

Where,

M: amount of memory needed to store single QR code data; T: thread with QR code.

Now it is clear how much memory is needed for each QR code within the thread.

The queue for scanner to read and compare data from QR codes can be expressed as:

Q = [Q1, Q2, Q3, …, Qn]                                                                                    (4)

Where,

Q: queue with the threads, which contain QR codes; Qn: position in queue of n thread.

Each thread is saved and used with the help of “first in first out” method:

Tq = [T1, T2, T3, …, Tn]                                                                                     (5)

Where,

Tq: queue of the threads; Tn = each thread’s position in queue.

When queue is set up, scanner can easily start to process comparison of QR codes.

C. RSA password encryption method

RSA authentication method is used to protect users personal and private information via open channels. Generally, RSA method is used to send encrypted messages between receiver and sender. In our case, the sender is the user and the receiver is the database, where encrypted password is stored.

First of all, the half of the public key (N) can be found as follows:

N = P x Q                                                                                                            (6)

Where,

N = half of the public key, which is encrypted by the receiver or database; P = any prime number; Q = second any prime number.

The second half (E) of the public key can be calculated as:

E = R ∈ P                                                                                                            (7)

Where,

E: the second half of public key; R: real numbers.

The second half of the public key (E) should be relatively prime to Euler’s Function (F), which can be found with the according formula:

F = (P – 1) x (Q – 1)                                                                                            (8)

Where,

F: Euler’s function.

Then, the receiver or database calculates the modular inverse (D) of Euler’s function, with the help of the following formula:

D ≡ 1 x (mod F(N))                                                                                             (9)

Where,

D: modular inverse of Euler’s function - private key.

From database’s spot, two halves of the public key is sent to the sender – in our case it is a function, which converts user’s password to encrypted message. The private key is kept without sharing it.

When the user types his password, it is encrypted to numbers with the help of ASCII alphabet:

M = ASCII(INT) + 64                                                                               (10)

Where,

M: ASCII code of user’s password; An: position of the letter in the alphabet; ASCII(INT): numerical value of ASCII code for each letter.

The cipher text (C) can be found, after ASCII code of our password has been calculated. It can be expressed as:

C = M E (mod N)                                                                                       (11)

Where,

C: cipher text.

To complete conversion of cipher text to an original password, the ASCII number (MD) can be found with the following expression:

MD = M (mod N)                                                                                      (12)

Now, receiving function can easily translate ASCII code to the plain text, which was the password of some user.

D. Login encryption via Diffie-Hellman approach.

To encrypt user’s login, Diffie-Hellman’s encryption algorithm is used. For the user login, system randomly picks one number, and the for the database the second one:

A =Ga (mod P)                                                                                          (13)

Where,

a: random number for user’s login; A: public key; G: any natural number, in this approach it’s length of user’s login; P: any natural number, in this approach it’s ASCII code’s number of the first letter in the login.

Same thing is done from database’s side:

B =Gb (mod P)                                                                                          (14)

Where,

b: random number for user’s login; B: public key.

To keep the key more protected, natural number (P) can be made more complex as follows:

P = (P – 1) / 2                                                                                            (15)

To find out private key, the following formulas are used to get two halves of private key:

Ba mod P = Gba (mod P)                                                                           (16)

Ab mod P = Gba (mod P)                                                                           (17)

Now, the private key can be found:

K = Gba (mod P)                                                                                       (18)

Where,

K: private key.

Do decrypt private key from database’s side or from client’s side, we can use following formulas:

K = Ba mod P                                                                                            (19)

K = Ab mod P                                                                                           (20)

So, the key decrypted is the same one from the both sides, because:

Ba mod P = (Gb mod P)a mod P = Gab mod P = (Ga mod P)b mod P = Ab mod P                                            (21)

Now it can be confirmed that login is also protected and encrypted before assigning it to database.

Theorem 2. Males uses QR codes more often, as they are greater risk takers than the second gender type.

Proof. Every QR code is still not safe one. It makes 2-D array vulnerable, which means that currently there is some risk to steal private information. The results from Okazaki Sh. et. al. [26] test, where 700 online participants participated, had shown that males are more likely to use QR codes, even if QR codes are not safe ones. The loyalty for males (3.62) was greater than for females (3.28).

Corollary 2. Nowadays men are closer to use QR codes than women.

Hypothesis 1. The scanner device which is not verifying security of QR code is the cause of increase amount of malicious QR codes.

Data phishers who do cybercrimes are always finding and living with vulnerabilities and spaces in the programs. The only reason why phishing is still happening is that programmers cannot fully test and release their approaches without bugs and spaces in security. The online test results had shown that the user never tried to change QR code if the protocol was secured from the rest. On the other hand, non-secured protocols were the cause of phishing and email spoofing with fake QRs.

Hypothesis 2. The users who have QR scanner device prefers QR code approach than the ones who had never faced with QR codes.

Anyways, the users know about spaces in security and still use QR codes. Because, if we compare, for example, time spent while paying through QR and other method – it makes the difference. The other thing to mention is that the users, who had never used QRs, are worried about spaces in security. In online questionnaires, the internet surfers who had never used QR codes answered that they are not even trying to use it, until vulnerabilities in security are existing.

Hypothesis 3. Huge brands prefers to use QR codes on billboards and other advertising banners.

With the growing of QR population, huge brands started to use them and QR codes started to be mainstream for advertising. Low cost to develop and use, including major factor that physical size of QR is very small and it makes usage of these 2-D arrays simple.

VI. EXPERIMENTAL RESULTS AND IMPLEMENTATION

To completely verify the performance, the model of our approach is programmed using PHP coding language and FirePHP Devtools Extension. To develop database on local server, xampp web server is used. Experiments are made on a laptop PC with 2.59 GHz intel core i7 generation CPU, 8 GB of RAM and 1 TB of ROM. Handheld computer is equipped with 64-bit version of Windows 10 operating system and nVidia GeForce 940mx graphic card. VirtualBox and AndroidStudio applications are installed to use virtual scanners from smartphones.

We have made identical scenario to a real-time environment. Five different unsecured QR codes has been taken. These 2-D arrays are scanned with Android’s, iOS’s and SaveQR extension’s scanners. Firstly, the notification mode for potential vulnerabilities is tested. The rest of scenario is related with potential spaces in security and how they can be detected while scanning QR code.

Scenario consists of two main parts:

• Vulnerabilities notifier;
• Check for spaces in security.

A. Vulnerabilities notifier

To evaluate safety of the proposed model, at the rest we compare QR safety notifications. The scanners of iOS and Android operating systems notified about possible vulnerabilities in the security only once out of 4 attempts for each. It is shown on the graph, which is demonstrated on the Fig. 4.

 

Figure 4. Comparison of the scanners’ notifications

 

The most popular scanner was taken to demonstrate verification of the QR codes while using them. So, as we can see from the Fig. 4, currently existing scanners in most cases are not notifying about possible vulnerabilities in security. It makes users worry about the security of QR codes, but still they cannot do anything, if they want to make some transaction. Then users just scan the QR code. The consequences of possible negative result lie on nobody. That is why every scanner device should notify user about possible vulnerabilities in the security of QR codes, as same as SaveQR extension.

 

Figure 5. Frequency of QR usage

 

B. Check for spaces in security

After notifications check, we examine existing approaches for potential spaces in security. According to results on the bar chart shown on the Fig. 5, we can view amount of the spaces in security while scanning QR codes.

 

Figure 6. Amount of spaces in security

 

Windows phone permit to surf through 5 out of 5 unsafe QR codes. Android and iOS’s scanners are still giving a chance to malefactors to gain access to private information, while SaveQR extension denies any of this attempts to surf through URL for the user.

 

Figure 7. QR percentage of usage between males and females

 

VII. DISCUSSION OF RESULTS

Evaluation of results verified improvement of data protection while using our extension. The comparison with the other scanners are verified secure connection and usage of SaveQR scanner.

Proposed SaveQR extension’s results are demonstrated with comparing it with the others approaches. Based on results we get,  SaveQR extension uses the original QR code and there is no any difference with the currently scanned QR code. Even when SaveQR has detected some difference, it simultaneously notifies user about some changes in QR code. The other approaches do not notify user and surfs through the QR code’s URL.

Based on experiment results, the SaveQR extension is secured approach to scan and use QR codes than the other ones. For experiments we did, same devices were used, so there is no any impact from difference of devices.

On the other hand, our approach can be used only with browsers. It is not an application. So, if your scanner does not provide opportunity to use browsers – unfortunately, our SaveQR extension cannot be used.

The other thing to mention is that our application can use large amount of random access memory, because it is embedded in the browser. Some scripts, while interacting with browser, could be the reason of overload of random access memory.

VIII. CONCLUSION

This paper introduces a Save Quickly Response code extension, which is proposed for secure process and usage of QR code’s data. The proposed architecture consists of SSH authentication method and secured FTP protocol. The SSH authentication protects user’s private data from scanner to extension without any possible changes. The protocol uses open channel to send private data. The secured FTP protocol is used to send the scanned and processed data from extension to local server. While transferring data from the extension, the FTP protocol checks it for possible vulnerabilities in security before saving data in the database. Proposed SaveQR extension reduces possible attacks through the QR codes with notifications the user about possible vulnerabilities in security. Our approach notified the user about potential vulnerability The experiments are demonstrated increase of security with the usage Save Quickly Response Code. The results showed that the proposed extension protects the user from spaces in security while using QR codes. SaveQR extension analyses from 40% to 99% malicious code detection in comparison with the others approaches. In the future we are interested in expand SaveQR extension with upgrading it not only for browsers, but also for other existing operating systems. Future research is planned for reducing amount of random access memory usage while working with our approach.

 

References:

1. Krassie Petrova , Adriana Romanello , B. Dawn Medlin and Sandra A. Vannoy - QR Codes Advantages and Dangers (p.112, 2014)
2. Hyeon Cho, Dongyi Kim, Junho Park, Kyungshik Roh, Wonjun Hwang – 2D barcode detection using images for drone-assisted inventory management (26th of June, 2018)
3. Erik Gregersen - QR Code (25th of January, 2012)
4. Tan Jin Soon – QR Code (2008)
5. Kevin Peng, Harry Sanabria, Derek Wu, Charlotte Zhu - Security Overview of QR Codes (p. 4, 14th of May, 2014)
6. Zhengxin Fu, Yuqiao Cheng, Sijia Liu, Bin Yu - A new two-level information protection scheme based on visual cryptography and QR code with multiple decryptions (2019)
7. Y.-J. Chen, Qin, J. Chen, Feng, Wu, Li - Comparison of Face-Touching Behaviors Before and During the Coronavirus Disease 2019 Pandemic (29th of July, 2020)
8. Nakamoto I, Wang S, Guo Y, Zhuang W - A QR Code–Based Contact Tracing Framework for Sustainable Containment of COVID-19: Evaluation of an Approach to Assist the Return to Normal Activity (September, 2020)
9. Kelvin S. C. Yong, Kang Leng Chiew, Choon Lin Tan – A survey of the QR code phishing: the current attacks and countermeasures (28th of June, 2019)
10. Peter K., Schrittwieser S., Leithner M., Mayank S. - Malicious Pixels Using QR Codes as Attack Vector (January 2012)
11. Timothy Vidas, Emmanuel Owusu, Shuai Wang, Cheng Zeng, Lorrie Faith Cranor, Nicolas Christin - QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks (2013)
12. Surbhi Gupta and Abhishek Singhal - Dynamic classification mining techniques for predicting phishing URL (1st of January, 2018)
13. Peter K. , Edgar W., Mulazzani M, Lindsay M. - QR code security (November 2010)
14. Overview of international experience using QR Codes in the Financial Sector – Central Bank of the Russian Federation (January, 2018).
15. Focardi, R., Luccio, F., and Wahsheh, H. A. M. (2018a). Security Threats and Solutions for Two Dimensional Barcodes: A Comparative Study. In K., D., editor, Computer and Network Security Essentials, pages 207–219. Springer.
16. Dudheria R. Evaluating Features and Effectiveness of Secure QR Code Scanners.  In Proceedings of theInternational Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC),Nanjing, China, 12–14 October 2017; pp. 40–49.
17. Sijia Liu, Zhengxin Fu, Bin Yu, A two-level QR code scheme based on polynomial secret sharing (16th of March, 2019)
18. Rogel L Q.., Ariel M. S., Ruji P. M. - QR Code Integrity Verification Based on Modified SHA-1 Algorithm (December 2018)
19. Y. Zhang “CANTINA: Tool to detect phishing web sites. In Proceedings of the 16th international conference on World Wide Web, WWW” (2007): 639–648.
20. Bui, T.V.; Vu, N.K.; Nguyen, T.T.; Echizen, I.; Nguyen, T.D. Robust Message Hiding for QR Code. In Proceedings of the 2014 IEEE Tenth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), Kitakyushu, Japan, 27–29 August 2014; pp. 520–523.
21. H. Yao and D. Shin. Towards preventing qr code based attacks on android phone using security warnings. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 341–346. ACM, 2013.
22. Chow, Y.; Susilo, W.; Yang, G.; Phillips, J.G.; Pranata, I.; Barmawi, A.M. Exploiting the Error Correction Mechanism in QR Codes for Secret Sharing. In Part I, Lecture Notes in Computer Science, Proceedings of the 21st Australasian Conference Information Security and Privacy (ACISP), Melbourne, Australia, 4–6 July 2016; Liu, J.K., Steinfeld, R., Eds.; Springer: Berlin, Germany, 2016; Volume 9722, pp. 409–425.
23. R. Dhamija, J.D.Tygar. The battle against phishing:dynamic security skins. In Symposium on Usable Privacy and Security (SOUPS) (2005), pp. 77–88.
24. Suppat Rungraungsilp, Mahasak Ketcham, Virutt Kosolvijak, and Sartid Vongpradhip, data hiding method for QR code based on watermark by compare DCT with DFT domain, International Conference on Computer and Communication Technologies (ICCCT'2012), May 26-27, 2012.
25. S. Sheng, B. Magnien, P. Kumaraguru,A. Acquisti, L. F. Cranor, J. Hong, E. Nunge. Anti-phishing phil: The design and evaluation of a game that teaches people not to fall for phish. In Symposium On Usable Privacy and Security, SOUPS 07 (2007), pp. 88–99.
26. Shintaro Okazaki, Angeles Navarro & Carolina López-Nicolas:  Assessing gender differences in QR code loyalty promotion acceptance.