Skip to main content
  1. Home
  2. Computing
  3. Features

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

This tech can end QR code scams, if only Google and Apple pitch in

By
Scanning a QR code using a phone.
Unsplash

The most successful digital scam is one that is tied to convenience. QR codes, which are used for everything from sharing contacts to making payments, are an ideal vector. In India, which runs the world’s largest digital payment system, QR code scams have become a regular nuisance.

I regularly hear from retail shop owners and cab drivers about how they were duped using a fake QR code or app, and similar is the tale of online shoppers. Parking lot QR scams are also rampant in the US and UK, but stealing a few dollars is not the only risk.

Recommended Videos

It’s the theft of sensitive data, including financial details, that has even put banking giants on alert. “If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away,” the US Federal Trade Commission said in an alert note barely a couple of weeks ago.

The Swiss national security agency has also issued a warning about bad actors sending physical QR codes via mail to the doorsteps to steal passwords, a heist that is commonly known as quishing, short for QR phishing. Of course, we can’t nuke the QR tech stack over such risks, except for raising awareness, but we finally might have a solution from the experts at the University of Rochester.

What is the solution?

Sample of an SDMQR code appearing on an iPhone screen.
Instead of blocky dots, SDMQR codes use ellipses. Nadeem Sarwar / Digital Trends

The technology in question is a self-authenticating dual-modulated QR (SDMQR) code. It stops the potential for scams before users are even taken to a fake website or fraudulent web repository, by flagging the risk as soon as the code is scanned. But before we get into the technical details, let me break down the biggest advantages of this secure path to QR code technology:

  1. It is self-authenticating, which means the QR code already has the verified digital signature of the entity behind it, which is verified every time you scan it on your phone.
  2. Aside from taking users to websites, they can also be used for payments and encoding secure information, among other related scenarios.
  3. The QR code verification happens on-device. You don’t need an internet connection to check if it’s legitimate or fraudulent.
  4. It does not require any specialized app or software update for existing QR code scanning apps.
  5. The system does not create any unwanted operational delay or latency.
  6. These secure QR codes can be customized to fit the design requirements, without hampering their safeguards.
  7. It doesn’t need a high-resolution smartphone camera to work. The one in your pocket will do just fine at scanning SDMQR codes.
  8. These QR codes can also have colors, so brands can get them customized for better identity recognition.
  9. Existing machines that read QR codes can also read SDMQR codes, with a warning system in tow.

The best part about this approach is that an average user won’t have to go through any technical hoops to protect their interest. For companies that rely on QR codes and want to protect their business, they simply have to register their official website’s URL and embed their signature in the code.

SDQMR codes look different than traditional QR codes. Instead of the mainstream pixel-style block imprint, they make use of ellipses. The team behind the tech stack has filed a patent and has already secured a National Science Foundation I-Corps grant to explore the replacement of traditional bar codes with SDMQR codes.

Going a step further, the team is also exploring whether using colors can make these codes more versatile. With versatility, they mean using the same QR code to guide users in up to three different directions, or web destinations.

What’s the technology pipeline?

The process of creating an SDMQR code.
University of Rochester / IEEE Security & Privacy

“SDMQR codes offer proactive front-end protection against quishing before the link is even accessed,” says the research paper published in the IEEE Security & Privacy Journal. As mentioned above, we are simply talking about a retrofit, and not a framework that would turn the whole QR ecosystem upside down.

The whole process relies on two components. A primary message (such as the URL of a business) and a corresponding cryptographic signature of that message. This cryptographic signature is generated and owned by a business in possession of a digital private key. A DMQR encoder embeds the primary and secondary messages into the SDMQR code.

If you look at the code, you will notice elliptical patterns in black and white. As per the researchers, the variation patterns hide the primary message, while the orientation data carries the secondary message.

Authenticating an SDMQR code.
Flagging a risky QR code destination. University of Rochester / IEEE Security & Privacy

Once the code is scanned on a phone, a DMQR decoder breaks down the primary and secondary messages for verification. At this stage, the public key of the business (which created the code) performs algorithmic verification to check whether the cryptographic secondary message matches the contents of the unencrypted primary message.

Think of it as a two-stage secret handshake between spy agents.

The biggest challenge is not the tech stack, but creating a centralized system where all businesses can come together and perform the necessary registration to create unique SDMQR codes. The idea is to create a public key for these legitimate entities, which is also the only thing an SDMQR code reader requires.

This is where makers of smartphone operating systems — aka Google and Apple — can help create a safer future. Their participation as central signatories would mean a smartphone or tablet would only require their two public keys for quickly authenticating SDMQR codes.

Verifying an SDMQR code.
Approving a legitimate URL after an SDMQR code scan. University of Rochester / IEEE Security & Privacy

Since they offer built-in QR code scanning frameworks for iOS and Android, using them as central signatories is the best way forward. On a technical level, their participation would dramatically ease the verification process as SDMQR code readers would only need to store just two public keys and get the job done.

There’s definitely some precedent for that. Google lets businesses sign up to get a verified badge and icon in Gmail, so that users don’t fall for spoof emails trying to pass off as a legitimate message.

Why does this approach matter?

A healthy few technical proposals have appeared in the past few years to fix the problem of QR code scams, but they all arrived with their fair share of limitations. The SDMQR system solves a few key fundamental hurdles to ease the adoption without any technical hassles.

It takes a transparent approach to self-authentication and doesn’t require any software update to the QR code reader apps installed on a person’s phone. They will work just fine with regular QR and the more secure SDMQR codes.

Otherwise, tasking developers or OS-makers to deploy an ecosystem-wide synchronized update would not only be a massive challenge, but also take its own sweet time. Further enhancing the convenience for adopters is the single central signatory system, which requires only one key for verification. And the best part is that smartphone users won’t even require an internet connection for the verification protocols to jump into action.

A beautified SDMQR code on a phone.
SDMQR codes will work just fine with a dash of stylistic personalization. Nadeem Sarwar / Digital Trends

Previous efforts to build secure QR code systems put their faith in cryptographic keys for QR code generators in order to authenticate the identity. A few other ideas involved individual public-private key pairs, which means a user’s mobile device was expected to carry (or have locally saved) the public keys for all the parties that signed up for creating secure codes for authentication and identity verification.

“Using our proposed protocol, mobile devices can determine whether the information is deemed authentic by the signatory, immediately on the mobile device itself,” says the team in the research paper.

Another advantage is that the inherent dual-modulating tech can also be applied to bar codes, which means even codes that are used for airline boarding passes and courier pcackage can take advantage of the framework.

The biggest beneficiary of SDMQR codes would be banking institutions. Researchers argue that their deployment in parking payment systems can reliably protect users from being targeted by QR-based phishing attacks as well as financial losses.

The latter aspect also applies to all scenarios where people often run into QR codes plastered in public places. That includes Wi-Fi access, opening a restaurant’s menu, and relaying a business location, among others. Wi-Fi jacking is a well-known threat that quickly spirals into utter chaos for an average user, so any solution to plug that vulnerability should find mass adoption.

The ball is now in Google and Apple’s backyard. They already provide the OS-level software sauce for decoding QR and bar codes. All they need to do is vet and implement support for the new SDMQR framework, and guard the interests of smartphone users across the world.

Editors’ Recommendations

Topics
Nadeem Sarwar
Nadeem Sarwar
Contributor
Nadeem is a tech and science journalist who started reading about cool smartphone tech out of curiosity and soon started…
Amazon enlists AI to help shoppers overwhelmed by too many choices
Interests AI on Amazon app.

Amazon is making things easier for shoppers to find products based on their interests with the help of an AI called... Interests.

The online retail company wrote in a blog post on Tuesday that Interests will check new inventory across the site and help you narrow down the products you need when you create personalized prompts related to your interests using everyday language. For example, if you need new pickleball gear, you type in "The latest pickleball gear and accessories" and it will scan the site for the newest pickleball paddles, balls, nets, and other accessories from trusted sports brands. If you're a photographer in need of new cameras and tripods, you might say "The latest cameras and tripods for photographers" and the AI will quickly search for the newest photography gear in stock to recommend.

Read more
The Lenovo Legion 5i gaming laptop with RTX 4070, 32GB of RAM is $200 off
The Lenovo Legion 5i gaming laptop with Halo Infinite on the screen.

Amazon's Big Spring Sale 2025 is online, and that means today is a great day for an upgrade through the event's gaming laptop deals. There are lots of offers to choose from, but we recommend going for the Lenovo Legion 5i. This configuration featuring the Nvidia GeForce RTX 4070 graphics card usually sells for $1,600, but you can get it with a 13% discount that lowers its price to $1,400. That's $200 in savings that you can spend on more video games and accessories, but you need to complete your purchase immediately because stocks may run out before the sale ends on March 31.

Why you should buy the Lenovo Legion 5i gaming laptop
Lenovo claimed its spot among the best gaming laptop brands because its devices always punch above their weight class in performance, and that holds true for the Lenovo Legion 5i. Combining the Nvidia GeForce RTX 4070 graphics card with the 14th-generation Intel Core i9 processor and 32GB of RAM gives you power that can match the best gaming laptops, as the device will be able to run the best PC games at their most demanding settings. You'll also be prepared to play the upcoming PC games of at least the next few years, so you won't need to purchase an upgrade any time soon.

Read more
This Gigabyte Aorus gaming laptop with RTX 4060 has a 20% discount
The Gigabyte Aorus 7 gaming laptop on a white background.

Gamers who want to buy a new gaming laptop for less than $1,000 have a lot of options in Amazon's Big Spring Sale 2025. The Gigabyte Aorus 7 is one of them, with a 20% discount bringing its price down to just $899 from $1,127 originally. That's equivalent to savings of $228, which you can spend on more video games and accessories such as gaming headset deals.  The event runs until March 31, but we don't recommend waiting until the final minutes before you proceed with your purchase of this gaming laptop because stocks may no longer be available by then.

Why you should buy the Gigabyte Aorus 7 gaming laptop
The Gigabyte Aorus 7 isn't gunning for the level of performance of the best gaming laptops with its 12th-generation Intel Core i5 processor. However, it will be enough to play the best PC games as it also comes with the Nvidia GeForce RTX 4060 graphics card and 16GB of RAM, which our guide on how much RAM do you need says is the best place to start for gaming. You're going to have to choose low to medium settings for the more demanding titles, but that's an acceptable trade-off considering the relatively affordable price of the Gigabyte Aorus 7.

Read more