Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

January 03 2012

The Transportation Security Administration's QR code flub

I recently read about a cyberpunk author focusing on fictional graffiti artists who use code stencils to overwrite existing QR codes. The author, Tim Maughan, didn't know about my hack showing that there's actually a generalizable method for making QR code stencils work. In Maughan's book, street artists do things like replace a Coca-Cola QR code advertisement with subversive virtual art. It's a cool concept, and the author deserves props for nailing the edge of current and future cyber-reality so well. But "replacing" QR codes in public places is a notion that myself and others have been toying with in the non-fiction world.

"Toying" and "doing" are different things, of course. For example, I've toyed with the idea of covering some of the Transportation Security Administration's (TSA) QR codes with my own because it wouldn't be hard to do. You could create stickers for your TSA QR Code prank, and while waiting in line at the airport, you'd — theoretically — put your stickers over the QR codes on the TSA's posters. The TSA QR codes link to boring and bland websites about how much safer we all are because we have to buy $5 bottled water on the other side of the X-ray scanner. These aren't the most popular links, so it's unlikely anyone at the TSA would quickly notice that the QR codes have been replaced. This is a prank that could hang around for a very long time.

So, why haven't I started doing this? I have a strong aversion to jail time. I have seriously considered using Post-It notes or something that would clearly not count as defacement. Permanent stickers might technically be defacing federal property, and they could easily figure out who added the stickers through video recordings. So, while it might be hilarious and completely awesome, I am not going to try it. For the record, neither should you for all of the same reasons.

In any case, now you can understand why I scan the QR codes at the TSA lines. There's always the chance someone with more courage/foolishness than me had the same idea.

And then one day while traveling in Orlando, I scanned the following sign:

TSA poster with QR code
TSA poster with QR code. Click to enlarge.

I'm surprised that what happened next didn't result in a full pat-down for me. The QR code I scanned didn't go to a site, so I started flipping out. I told my traveling companion that I would meet them on the other side of the scanners, and I just stood there in front of this sign trying to figure out if someone else had beat me to my own "hack."

The QR code linked directly to the site I rubbed the poster to see if I could detect a sticker. No sticker. The QR code was in the poster. Had someone replicated the whole poster and just changed the QR code? What a far more elaborate hack! How had they replaced the whole poster without anyone noticing? I took several minutes trying to get a decent photo, and the picture you see above is the best I got. You can still scan the QR code from the photo if you're patient, but trust me, it goes to

It took me a while to figure out what happened. Justin Watt, the owner of, had discovered QR codes relatively early, in 2007. He wrote about how his QR code blog post eventually earned the No. 2 spot in the Google image search for "QR code." The first spot belonged to the BBC, but they had put "BBC" in the center of the code, making his image the first "normal" one. You can see his code here.

Justin's QR code is identical to the code in the TSA poster. So, this wasn't a hack. What happened is that the designer of this poster put a "stock" QR code photo, pulled from Google's image search, into the poster as a placeholder. All of the placeholders in all of the posters were later replaced with Google short links to web pages. Except for this one. Apparently, no one bothered to check that the QR code links work. As far as I know, this poster is still sitting in the Orlando airport and pointing to the wrong website. (Note: I'm assuming that an image swap is what happened. It's really the only assumption that makes any sense. Plus, it's happened before.)

Could this flub get any better? Turns out, it can.

Like many people, Justin thinks the TSA is pretty silly. A quick site-search from Google reveals that Justin has very little patience for all of the mind-numbing things that the TSA regularly does. He even links to this article about Bruce Schneier that is every bit as juicy as the one that I was fantasizing about "hacking" into the TSA's posters.

So, the TSA accidentally linked its poster to a TSA critic. Awesome.

Why would anyone like me take the risk of making the TSA look ridiculous when they've done such a careful job themselves? They could not have done a better job here if they linked to the best way to support the Electronic Frontier Foundation. In fact, because he completely controls the domain, Justin can re-route the QR code to whatever he likes. I wonder what he'll do with his super power.

I will leave it to the readers to discuss the social implications of all of the English language QR code content working, while the Spanish language QR code poster was not checked before it went out. Suffice to say, I think there are some implications there.

I also wonder how long it will take for this poster to be pulled from the TSA screening lines. So, let's do this: Post your sightings of the flubbed QR code poster on Twitter using the hashtag #tsaflub. I will try to create a collection of the "sightings" so we can see how quickly the TSA takes these down.


January 20 2011

ePayments Week: Starbucks mainstreams mobile payment

Here are a few stories in payment news that caught my eye this week.

Starbucks' mobile payment plan

Starbucks mobile payment screenStarbucks continues to find things for us to do on our phones so we can avoid uncomfortable eye contact with others buying coffee. Back in 2007, it worked with Apple to create an integrated system that made it easier for iPhone and iPod Touch owners to buy and download whatever Dido or Brubeck song was playing in the store at that moment. Last year it began encouraging Foursquare check-ins by offering coupons for drinks — even if they were only dollar-off discounts for mammoth frozen treats available to a single visitor, the mayor of each location.

This week's innovation feels a little more serious: Starbucks expanded to 7,500 stores a pilot program for paying for your latte and scones with an iPhone or Blackberry. Here's how the mobile payment plan works: buy a Starbucks debit card and enter the card numbers into the app, then when it's time to pay, you tap the "Touch to Pay" button and the app generates a QR code that displays on your phone screen. Hold it up to the scanner near the cash register (they won't accept this at the drive-thru), and it debits your virtual card's balance. You can reload the card on the Starbucks site (after a lengthy and somewhat unnecessarily intrusive registration process) using PayPal or a credit card.

The difficult thing about this is that it's a proprietary solution for only one retailer. If Best Buy, Target, and KFC all followed with their own payment systems, checking out would become ridiculously unwieldy, dooming the digital wallet. On the upside, I have to hand it to Starbucks for forging ahead with a workable program, rather than waiting for the perfect solution from someone else. If it's a little clunky in requiring prepayment, at least it's an interesting experiment and an opportunity for customers in the U.S. to finally do what those in Japan and South Korea have been able to do for some time: pay for a common, physical purchase with their mobile device. It will be interesting to see how many consumers give it a try — and how many stick with it.

Amazon's app store plans

Amazon's plans to open an Android app store later this year are receiving a lot of attention as developers and bloggers try to weigh the pros and cons of a second, curated marketplace for the rapidly growing Android app market.

The pros seem to include that Amazon will do some pre-screening of the apps, unlike Google which lets developers post apps and only reviews them if complaints come in. TechCrunch's Jason Kincaid believes that Amazon's screening will be less stringent (and mysterious) than Apple's, but obviously more rigorous than Google's. Jason Ankeny at Fierce Developer points out that a major strength of the Amazon app store will be the deployment of its famously successful recommendation engine, which will suggest apps based not only on a customer's app choices, but also other purchases. Buy a cookbook and it will recommend a cooking app. This could be a huge boon to the Android market, since it will introduce apps to a wide audience of users who never thought to look for them.

If there are cons, they center around whether another marketplace is necessary given Google's app store presence on all Android phones and whether Google will enforce a rule against apps that are mini-markets, which could prevent Amazon from getting manufacturers to place a similar app on phones.

Overall, I find it tough to argue with the intelligence of this move. Amazon has spotted an opportunity to add a layer of value on top of the Android app marketplace, one that opens it up to 118 million Amazon users. I would bet that's almost certainly worth the $99 annual developer fee that Amazon plans to charge after the first year.

Are you a developer with apps at the Android store? If so, I'd like to hear what you think of Amazon's plans. Drop me a note.

Will iPhone 5 have NFC, 3D ... and Boku talent behind it?

Even as Steve Jobs' leave of absence from Apple had everyone wondering about the long-term fortunes of a Steve-less Apple, rumors continued to build about the feature set expected in the iPhone 5, which is due out this summer. There appears to be a growing consensus, based on patent filings and personnel hirings over the past year, that the iPhone 5 will have near-field communications (NFC) technology that will enable easy, wireless tap-and-buy transactions. Fierce Mobile Content agrees with this bet and has an even more interesting prediction: the same NFC technology could let the iPhone 5 personalize any compatible Mac by wirelessly loading the user's apps, preferences, and data from the phone onto that machine.

Meanwhile, speculated that Apple might try to compete with Nintendo's 3DS plans by offering 3D technology on its iPod Touch or iPhones later this year. And TechCrunch reported that Apple and Google were both talking to Boku, a well-funded leader in mobile payments of digital goods that facilitates payments via your phone number instead of a credit card or PayPal. TechCrunch also wondered whether Apple was more interested in Boku's technology, its talent, or just keeping the whole package out of Google's reach.

Do you know something I don't?

Almost certainly, I would bet. News tips and suggestions are always welcome, so please send them along.

If you're interested in learning more about the payment development space, check out PayPal X DevZone, a collaboration between O'Reilly and PayPal.

Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.

Don't be the product, buy the product!