September 4, 2019

QR codes need security revamp, says creator

By Danny Bradbury

Museums use them to bring their paintings to life. Restaurants put them on tables to help customers pay their bills quickly. Tesco even deployed them in subway stations to help create virtual stores. QR codes have been around since 1994, but their creator is worried. They need a security update, he says.

Engineer Masahiro Hara dreamed up the matrix-style barcode design for use in Japanese automobile manufacturing, but, as many technologies do, it took off as people began using it in ways he hadn’t imagined. His employer, Denso, made the design available for free. Now, people plaster QR codes on everything from posters to login confirmation screens.

If you thought QR codes were just a passing marketing gimmick, think again. They’re hugely popular in China, where people used them to make over $1.65 trillion in payments in 2016 alone, and Hong Kong too has just launched a QR code-based faster payments system.

The codes generated enough interest that Apple even began supporting them natively in iOS 11’s camera app, removing the need for third-party QR scanning apps.

Hara is a little spooked by all these new uses for a design that originally just helped with production control in manufacturing plants. In a Tokyo interview in early August, he reportedly said:

Now that it’s used for payments, I feel a sense of responsibility to make it more secure.

He’s right to be concerned. Attackers could compromise people in various ways using QR codes.

One example is QRLjacking. Listed as an attack vector by the Open Web Application Security Project (OWASP), this attack is possible when someone uses a QR code as a one-time password, displaying it on a screen. The organization warns that an attacker could clone the QR code from a legitimate site to a phishing site and then send it to the victim.

Read more at https://nakedsecurity.sophos.com/2019/09/04/qr-codes-need-security-revamp-says-creator/

YouTube reportedly to be fined up to $200m over COPPA investigation

By Lisa Vaas

Google has reportedly agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube and its allegedly illegal tracking and targeting of kids who use the video streaming service.

In June, people familiar with the matter told news outlets that the Federal Trade Commission (FTC) was nearing the end of an investigation into YouTube’s alleged failure to protect the kids who use the Google-owned service.

That was followed by letters sent to the FTC about the matter from children’s privacy law co-author Senator Edward Markey and two consumer privacy groups. They urged the FTC to do whatever it takes to figure out if YouTube has violated the law protecting children and, if so, to make it shape up and stop it.

That “stop it” recommendation included Markey’s request that the FTC force Google to establish “a $100 million fund to be used to support the production of noncommercial, high-quality and diverse content for children.”

In July, the Washington Post was the first to report on the finalization of the settlement. Sources familiar with the issue told the newspaper that the FTC’s investigation concluded that Google hasn’t properly protected kids who use YouTube and has suctioned up their data, in violation of the Children’s Online Privacy Protection Act (COPPA), which outlaws tracking and targeting kids younger than 13.

Now, sources have put forward a number: they told Politico that Google has indeed agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube.

Read more at https://nakedsecurity.sophos.com/2019/09/04/youtube-reportedly-to-be-fined-up-to-200m-over-coppa-investigation/

EFF and Mozilla scold Venmo over app’s privacy failings

By John E Dunn

The increasingly tense stand-off between privacy campaigners and the popular mobile payment app Venmo has taken another turn for the worse.

The latest salvo is an open letter by the Electronic Frontier Foundation (EFF) and Firefox makers The Mozilla Foundation to Dan Schulman and Bill Ready, respectively the CEO and COO of Venmo owner, PayPal.

Their complaint has three strands to it, the first of which is the long-running gripe that transactions made using Venmo are still not private by default.

The second worry is that anyone using the app can see who someone is connected to through their friends’ list.

Together these create the third problem – it’s likely that many Venmo users don’t realise the privacy effect of these settings, which means they might be giving away data about their personal habits they’d rather not. As the EFF/Mozilla letter puts it:

It appears that your users may assume that, like their other financial transactions, their activity on Venmo is both private and secure.

How we got here

Venmo was founded a decade ago, and people use its digital app wallet to send money to other users, for example to conveniently split restaurant bills or bar tabs. It can also be used to buy things from participating merchants.

In practice, Venmo is also used to pay for everything from rent and personal debts to illegal drugs and prostitutes.

Read more at https://nakedsecurity.sophos.com/2019/09/04/eff-and-mozilla-scold-venmo-over-apps-privacy-failings/
