0

I need to make a ticketing system for a local promoter. I have most of the work done for the barcode but this is pretty old. I want to upgrade to use QR code. The security issue i have is when scanning the QR code.

The scanning of the QR code seems to be working but what if someone creates his own QR code with URL destination of different URL that the system uses to validate the code, and outputs the same info as a successfully scanned QR Code as the one i use to validate the QR code.

This chances of this happening is small. But the client has very big events and if this would to happen it can be trouble.

Is the a way that all qr codes i scan will be redirected to my page and i only derive the token in the url to compare with the token in my DB?

Hope it is understandable what i'm trying to explain and any help is appreciated.

Regards,

P

Philip Elhage
  • 1
  • 1
  • Don't use a URL. Use an ID - something large and random, like `250e689d-b337-466a-8ad5-d75f7cbad1cd`. Then look up that large, random code in your database via an API under your control using the scanner app. – ceejayoz Jul 24 '16 at 21:26

2 Answers2

2

First: There is no inherent security to any kind of bar code, whether QR or otherwise. They're just a fancy way of making some data machine-readable.

Second: QR codes do not have to contain URLs. They can contain URLs, and they're often used that way in advertising, but there's nothing which forces them to be used that way.

Third: Even if you scan a QR code and it contains a URL, there is no reason you need to visit that URL in a web browser. In fact, if you're using the QR codes in a fixed-purpose application (like you're doing here), you probably shouldn't. Look at the text of the URL, check if it fits the right pattern, and extract the user's ID from there.

0

If you compare linear barcodes to QR Codes then obviously you should better go with QR Code because:

  • QR Code supports error correction i.e. if it was partially damaged (up to 25% depending on the configuration) then it will be decoded;
  • It is widely supported by hardware and software (including mobile phone applications);
  • Higher information density per inch comparing to linear barcodes;

As I understand you worry about possible fake servers + fake tickets with fake QR Codes containing URL to a fake server.

In this case I would consider implementing a digital sign or encryption for repsponses from server so the scanning app could verify if they are coming from the authentic server:

  • The simpliest (but less secure) way to encrypt string in barcode with a password that is known to the scanning app so the response can be decrypted by the scanning app.
  • Implement digital sign to sign responses from server and verify these responses if they are coming from an authentic server.
  • Use SSL so the data exchange between server and your app is encrypted

Also as I know there were cases when tickets were photocopied and an original owner was not able to use the original ticket because fake ticket with fake barcode was used before. So it is usually advised not to publish photo of tickets in social media in general.

Community
  • 1
  • 1
Eugene
  • 2,820
  • 19
  • 24