Reporter Xue Jingjing
Recently, many consumers have reported on the internet that when they take out their mobile phones to scan the restaurant ordering QR code or the route query code on the scenic spot bulletin board, their phones do not redirect to the corresponding service page, but instead enter some malicious websites. The digital entrance that should have been convenient for the people has become a risk trap. What security vulnerabilities exist behind this? How should consumer rights be protected?
Frequent QR code scanning leads to abnormal jumps
Ms. Zhu, a consumer living in Xuanwu District, Nanjing City, Jiangsu Province, recently told reporters about her experience a few months ago, saying that she originally wanted to ride a shared bike, but when she scanned the code, she was redirected to a gambling website page. At that time, when Ms. Zhu was scanning a code on the roadside to unlock a shared bike, her phone page did not directly enter the unlocking interface, but instead jumped to a page with the words "real-time betting" written on it. Ms. Zhu tried to close it, but couldn't find the corresponding button. In the end, she had to forcefully return to the main interface of her phone and close the software.
Ms. Zhang, a consumer in Nanjing, has also experienced a similar situation. In April of this year, Ms. Zhang scanned the QR code for the "Scan Code to See Route" service on a small tourist attraction, but the page could not be opened. It looks like it's malfunctioning, and I didn't think much about it at the time, "Ms. Zhang said.
The reporter learned that the above situation is mostly caused by the lack of maintenance of public QR codes in the future. Recently, similar incidents have occurred in Beijing, Suzhou and other places, where QR codes on scenic area shuttle buses and urban public facilities were not cleared in a timely manner due to service termination and domain expiration, and were illegally registered and resolved to harmful websites. Although the management responded with statements such as' QR codes were stolen after becoming invalid ', some consumers expressed their disbelief and believed that the management should ensure the security and usability of QR codes on public service facilities.
Compared to outdoor public scenes, the accompanying QR codes on product packaging are more confusing and more likely to be overlooked by consumers as a risk. Previously, consumers in many parts of Zhejiang province reported that scanning the QR code on the back cover of their children's elementary school art exercise books directly redirected them to pornographic websites. The printing factory explained it as a 'suspected hacker intrusion', but it cannot conceal the fact that its domain name lifecycle management is lacking.
Unlike the situation where legitimate QR codes are tampered with, there are also some risks that are entirely set up by criminals, who directly attract harmful websites by posting QR codes. Ms. Zhao, a consumer in Nanjing, told reporters that her private car has been labeled with a QR code indicating "high-end men's service". At first glance, this is not normal. I tore it off and threw it away. Who knows if it will open any harmful pages after scanning. "Some consumers online have also expressed that some unfamiliar QR codes may appear unresponsive after scanning, but in fact, they may silently load programs and steal device information in the background.
Domain name expiration and unauthorized registration result in security vulnerabilities
The harm of illegal websites' backdoor traffic is far more than just vulgar content. Chen Fei, who has been engaged in the Internet industry for more than 20 years, told the reporter that the lawbreakers, by forging stickers to cover the original formal QR code, or tampering with invalid domain names into malicious links, induced consumers to enter the pages related to pornography and gambling, or jumped to fraudulent websites such as fake online loans, scalping rebates, and counterfeit payment platforms. Once consumers further browse or operate, they may not only face the risk of fund theft and fraud, but also be suspected of illegal activities if induced to participate in betting.
Why did seemingly ordinary QR codes become a "secret door" to illegal websites? Chen Fei explained that QR codes themselves do not have security protection functions. Their essence is graphical digital encoding, and the process of scanning the code is to translate the dot matrix pattern into character information. If the character is a website address, it will open the webpage corresponding to the domain name. The real problem is not the QR code pattern itself, but the domain name it points to behind it.
Chen Fei said that there is a group specialized in domain name registration in the black and gray industry. They are targeting some previously registered domain names. Once these domain names expire without renewal and are released to the public market, they will immediately register and then resolve the domain names to illegal websites such as pornography, gambling, and fraud. However, the QR code patterns that have been posted or printed offline have not been cleared or changed, and consumers are redirected to illegal pages after scanning the code.
In Chen Fei's view, the frequent security risks of QR codes are rooted in two major management loopholes. Firstly, there is a lack of awareness of full lifecycle management, and there is no follow-up maintenance after construction. When many public service projects and commercial promotion activities go online, they will specifically register domain names and create QR codes. However, after the project ends or the service is terminated, the domain name fees will not be renewed, the registration will not be cancelled, and the offline physical code cards will not be cleared, becoming "ready-made materials" for black and gray production. Secondly, the generation of QR codes has almost zero threshold and lacks a review and traceability mechanism. There are currently a large number of free QR code generation tools available online, allowing anyone to convert any website into a QR code without the need for any qualification review or content verification. Criminals can easily embed Trojan program download addresses and phishing website links into QR codes, which ordinary consumers cannot recognize with their naked eyes.
Operators have the obligation to ensure safety and security
As an entry point for providing services, the security of QR codes should not be paid for by consumers through trial and error, "said Xia Lei, a lawyer at Jiangsu Zhibang (Nanjing Free Trade Zone) Law Firm, in an interview with reporters. According to Article 18 of the Consumer Rights Protection Law, operators should ensure that the goods or services they provide meet the requirements for safeguarding personal and property safety. Although many service QR codes are provided for free, since they are open to consumers as part of the service, operators have a security obligation. If the operator neglects maintenance, resulting in malicious tampering or theft of the QR code, and consumers suffer property damage or mental damage after scanning the code, the operator shall bear corresponding compensation liability if at fault.
"Some units feel that the domain name is not used and they don't need to take care of it, which is a big legal mistake." Xia Lei said that the use of the QR code carrying the domain name website needs to comply with the Internet Domain Name Management Measures and other relevant provisions. If the domain name is no longer used, it should go through the cancellation and filing procedures to prevent the domain name from being used by others for illegal activities, otherwise the original user may face administrative punishment and be easily involved in disputes. Although it may not necessarily bear the main responsibility in the end, the process of responding to the lawsuit itself will consume a lot of time and energy, and will also have a negative impact on the reputation of the unit. Especially for some public QR codes, which carry the trust of the public, as managers of public places, they also need to assume legal security obligations in accordance with the Civil Code. Once problems arise, it not only damages the rights and interests of consumers, but also the credibility of public services.
Xia Lei said that the act of tampering with or replacing the QR code by criminals may violate different laws according to the seriousness of the case. If it is only replaced by advertising links, it may violate the Advertising Law, the Internet Information Service Management Measures and other provisions, and face administrative punishment; If used for attracting fraud, spreading obscene materials and other criminal activities, it may constitute the crimes of fraud, spreading obscene materials for profit, assisting in information network criminal activities, etc., and will be held criminally responsible according to law.
(