20.6.2024

Free Football Tickets

... or why QR codes are not a good proof-of-location

In an increasingly digitalized world, technologies for location verification are becoming more important. QR codes are a popular method for quickly transmitting information and are used in many areas of daily life. From marketing campaigns to authentication, QR codes seem to be a simple and efficient solution. But despite their versatility and popularity, QR codes also have their weaknesses, particularly when it comes to ensuring proof of location. In this blog post, we'll explore why QR codes are not suitable for location verification. In doing so, we will address security concerns, technical limitations, and alternative technologies that offer a more reliable solution.

QR codes, also known as quick response codes, are two-dimensional barcodes that enable users to retrieve information such as URLs, contact details, or texts with a simple scan. Their ability to store many types of data and their ease of use make them a popular choice in a wide range of applications. With the help of specially trained AI models, QR codes can also be created that are not recognizable as QR codes at first glance.

My LinkedIn profile, generated for BananaConf 2024 in Tallinn with https://quickqr.art/

QR codes and proof-of-location

At first glance, QR codes appear to be an ideal solution for location verification. Users could simply scan a QR code placed at a specific location to prove their presence at that location. This concept sounds tempting because it is easy and inexpensive to implement. However, a closer look reveals that QR codes have significant weak points that make them unsuitable for proof-of-location.

Security risks and vulnerabilities

  1. Susceptibility to manipulation: One of the biggest drawbacks of QR codes is their vulnerability to manipulation. Anyone can easily create a QR code and place it anywhere they want. Fraudsters could use fake QR codes to generate false location data. The integrity and authenticity of location information are therefore not guaranteed.
  2. Phishing threats: QR codes can redirect users to malicious websites without their knowledge. This threat is known as QR phishing. Attackers could place QR codes in public places that lead users to fake sites to steal their personal information or install malware. This represents a significant security risk, particularly when location verification is part of sensitive processes. There have already been such attacks at several crypto conferences, parking meters and in bubble tea stores. The term QRishing for QR code phishing is already established.
  3. Lack of real-time verification: QR codes do not provide the ability to verify the location in real time. A user could scan a QR code and then travel to another location. The location information would be out of date and potentially inaccurate. Reliable location verification should be able to capture and verify a user's current location in real time.

Press releases about QR code misuse

Wallet Drainer at Crypto Conferences

Technological limits of QR codes

  1. Lack of encryption options: QR codes store data in an easy-to-read format. Without additional encryption, the stored information can be intercepted and manipulated during transmission. For applications that require a high level of security, this is an untenable risk.
  2. Limited data capacity: QR codes have limited data capacity. When transmitting complex location data, they quickly reach their limits. Comprehensive location verification often requires extensive data sets that include detailed information about time, location, and users.
  3. Publishability: QR codes can be photographed, duplicated and published at will, whether deliberately or by mistake. To the application and the associated service, the copies are indistinguishable from the original QR code. This means that they can also be read by users who are not in the same place as the original QR code.

What does all this have to do with soccer tickets?

At this year's edition of one of the most prestigious events for digital marketing, one of the exhibitors, a major software company for enterprise software, hosted an NFT hunt at their stand. It was possible to collect 9 different NFTs with the scan of 9 hidden QR Codes.

A QR code in the video

An employee himself published a video of this on LinkedIn. Interestingly enough, one of these QR codes can be seen briefly in the video — I have already indicated in my comment that it is indeed usable 😉

My advice to the author

The URL encoded in the QR code in the video ends in... /event/8; during the event, it redirected from there to the software company's minting page. There, the NFT could be minted by entering an email and, optionally, a public wallet address. The obvious next step was to replace the “8” at the end with other digits, et voilà, all 9 NFTs were in my possession even though I wasn't even there at the event.

Won without having been on site

The NFTs served as access to a draw for several non-cash prizes, and I was actually one of the winners – no wonder, after all I had all 9 "lottery tickets". A voucher for 2 home tickets for a home game of Mainz 05 landed in my mailbox. Thank you very much!
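The weakness described above has two layers, shown here as an added example that is not code from the exhibitor's service or from this post: replacing the sequential `/event/<n>` path with an opaque per-station token stops enumeration, but a copied token is still accepted. `SERVER_KEY`, `station_token`, `ClaimService` and the `example.invalid` address are hypothetical names and values chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
STATIONS = range(1, 10)               # the nine hunt stations from the post


def station_token(station: int, key: bytes = SERVER_KEY) -> str:
    """Opaque path segment for a station, replacing the guessable /event/<n>."""
    mac = hmac.new(key, f"station:{station}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]       # 128 bits, so neighbours cannot be derived


class ClaimService:
    """Hypothetical minting back end that resolves a scanned token to a station."""

    def __init__(self, key: bytes = SERVER_KEY):
        self._by_token = {station_token(s, key): s for s in STATIONS}
        self._claimed = set()         # (email, station) pairs already minted

    def claim(self, token: str, email: str):
        """Return the station number on success, None on any rejection."""
        station = None
        for known, s in self._by_token.items():
            if hmac.compare_digest(known.encode(), token.encode()):
                station = s
        if station is None or (email, station) in self._claimed:
            return None
        self._claimed.add((email, station))
        return station


def demo():
    """Constructed scenario: station 8's code was visible in a published video."""
    svc = ClaimService()
    who = "remote@example.invalid"    # constructed address of someone off site
    leaked = station_token(8)
    tweaked = leaked[:-1] + ("0" if leaked[-1] != "0" else "1")
    return {
        "guess_7": svc.claim("7", who),      # sequential guess resolves to nothing
        "tweak": svc.claim(tweaked, who),    # editing a token finds no neighbour
        "replay": svc.claim(leaked, who),    # the copied token works from anywhere
        "repeat": svc.claim(leaked, who),    # one mint per address and station
    }


if __name__ == "__main__":
    print(demo())
```

The `replay` result is the residual problem: an unguessable token limits the damage to the one code that was published, but the scan still proves knowledge of the token, not presence at the stand.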

Better alternatives for proof-of-location

Given the security concerns and technological limitations of QR codes, other technologies are better suited to ensuring proof of location:

  1. Serialized, validatable markers: If unique markers that cannot be copied are used instead of the QR code, they can neither be misused for QRishing, nor photographed and published.
  2. GPS-based systems: GPS technology is widely used and provides accurate location verification. Devices with GPS receivers can record a user's location in real time and transmit it to the verifying system. This method is more secure and reliable than QR codes.
  3. Beacons and NFC: Beacons and NFC (Near Field Communication) are technologies that operate at short distances and are able to provide accurate location information. These technologies are harder to manipulate and provide greater security for location verification. However, they can be destroyed contactlessly from a distance and require a higher level of know-how from users, for whom an NFC scan is usually more difficult than an optical scan.
  4. Blockchain technology: Blockchain technology provides a decentralized and immutable way to verify location data. Transactions are recorded on a public or private ledger, which can be verified by all participants in the network. This provides a high level of security and transparency for location verification.

Sample technologies

  1. Meta Anchor: The holographic fingerprint of Authentic Vision combines alternatives 1 and 2. The location of the label, the position of the smartphone and the time stamp of the validation server are added to the scan result. Optionally, alternative 4 can also be used. In addition, with a specially created smart contract with an “asset bound NFT”, the entire list and in particular the last visitor to a location can be determined decentrally and verifiably. The Meta Anchors offer the particular advantage that they can be validated using a mobile app on any smartphone with camera, light and Internet connection.
  2. Dynamic element: Using macro images that take into account the surface structure and a decentralized registration of reference patterns and validations, the solutions of Dynamic Element combine alternatives 1 and 4. The use of QR codes can be completely dispensed with, or they are upgraded to secure SQR codes. Validation requires powerful macro optics, which are built into the current generations of smartphones from the most popular providers.
  3. Tokiphy: The NFC chips and readers from Tokiphy make it possible to design completely Web3 integrated solutions whose users have access to their functions with a chip card without having to deal with the technology. By making a separate partition readable with ordinary, NFC-enabled smartphones, the chips can also be used for a wide proof-of-location use case.

If you are interested in the technologies, simply send me a message and we will arrange a consultation appointment or I will be happy to establish direct contact with the respective manufacturer.

Conclusion

QR codes undoubtedly have their use in various contexts, but they are largely unsuitable for proof-of-location. The security risks, vulnerability to manipulation, and technological limitations make them a less than optimal choice. Companies that need reliable and secure location verification should consider alternative technologies such as validatable markers, GPS, beacons/NFC, or blockchain. By using these advanced technologies, companies can ensure the integrity and authenticity of their location data and protect both their systems from potential threats and their users from QRishing.

Disclaimer

I don't want to denounce the organizers of the competition and therefore do not want to mention their names; I actually really appreciate the team and their developments. The intention of the action at this stage was to become known and to disseminate and test the technology for easily integrating and using NFTs in existing systems for marketing purposes. That worked very well - and I think the approach of offering customers without wallets the opportunity to use it is effective for greater and faster acceptance of the technology by the general public. In principle, using the service as broadly as possible is actually beneficial. The team was and is well aware of the weak point in the transferability of QR codes and knowingly accepted it during the campaign.

Of course, I didn't want to redeem the tickets — after all, I wasn't at the event at all and therefore didn't fall into the target group of the organizers. I had them passed on to children in need through the exhibitor, with the kind support of Mainz 05.