BankID and QR codes attacked by man-in-the-middle?
There is a general national login ID system used in the Nordics called BankID. Very often a user will go to a website that employs the BankID login and click "login with QR". Having done so, a QR code is displayed on the screen, at which point the user takes out their phone and opens the BankID app, takes a picture of the screen and then signs with a PIN or biometric print in the app. Once validated, the webpage directly logs the user in.
It strikes me that since the mobile device and the QR code are separate, this is a situation where a man-in-the-middle attack, initiated by something such as a phishing email link, might be quite dangerous:
- Fraudster sets up a server and sends phishing email with fake links to victims.
- Victim clicks the link in email and is directed to a fake replica of, say, a bank website.
- Fraudster, as man-in-the-middle, uses information on the victim's connection to initiate a real login request on the real bank's webpage, possibly spoofing the fraudster's server's own location.
- Fraudster copies and forwards the QR image to the victim's fake replica website.
- Victim signs in the Mobile BankID app using the forwarded QR image and has in fact logged the fraudster in to the real bank website.
On the BankID website the following comment is made:
How do QR codes increase the security of BankID? Since your Mobile BankID must be in the same location as the computer displaying the QR code, the risk is lower that a scammer can trick you into verifying your identity for something you don't see or know about from another location
Is there more to this that I don't understand? It seems inherently unsafe to use QR, although this seems no less dangerous than the process being employed to capture usernames and passwords, which are then used to log in.
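The relay described in the bullet list above, modelled as an added example; this is not code from the original post and not BankID's own implementation. Everything in it is an assumption for illustration: the `BankIdServer` class, the QR payload format, the 30-second validity window and the HMAC-based expiry stand in for whatever the real service does. The point it makes is that `app_scan` learns only the QR contents, never which web page displayed them, so a QR fetched from the real bank and shown on a phishing page completes the fraudster's session.

```python
import hashlib
import hmac
import secrets

# Assumed validity window for a displayed QR code (not stated in the original post).
QR_TTL_SECONDS = 30


class BankIdServer:
    """Toy model of the identity server (hypothetical, for illustration only).

    It issues a login session for a relying party, renders that session as a
    QR payload, and marks the session complete when a phone app reports a scan.
    """

    def __init__(self):
        self.key = secrets.token_bytes(32)   # server-side MAC key
        self.sessions = {}                   # token -> {"rp": ..., "issued": ..., "user": ...}

    def start_login(self, rp_origin, now):
        """Relying party (or anyone who can reach its login page) opens a session."""
        token = secrets.token_hex(16)
        self.sessions[token] = {"rp": rp_origin, "issued": now, "user": None}
        return token

    def qr_payload(self, token, now):
        """Assumed QR format: token, issue time and a MAC so a stale copy expires."""
        tag = hmac.new(self.key, f"{token}|{now}".encode(), hashlib.sha256).hexdigest()
        return f"bankid.{token}.{now}.{tag}"

    def app_scan(self, payload, user, now):
        """Called by the phone app after the user approves in the app.

        Note what is *not* here: the origin of the screen the QR was scanned from.
        The server only sees the payload and the approving user.
        """
        try:
            prefix, token, issued_s, tag = payload.split(".")
            issued = int(issued_s)
        except ValueError:
            return False
        if prefix != "bankid":
            return False
        expected = hmac.new(self.key, f"{token}|{issued}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        if now - issued > QR_TTL_SECONDS or token not in self.sessions:
            return False
        self.sessions[token]["user"] = user
        return True

    def collect(self, token):
        """Relying party polls: who (if anyone) completed this session?"""
        session = self.sessions.get(token)
        return session["user"] if session else None


def legitimate_login(server, now):
    """User's own browser starts the session and the user's own phone scans it."""
    token = server.start_login("https://bank.example", now)
    scanned = server.app_scan(server.qr_payload(token, now), "user", now + 3)
    return scanned, server.collect(token)


def relay_attack(server, now, delay):
    """The flow from the post: fraudster opens a real session, victim scans its QR.

    `delay` is the seconds between the bank rendering the QR and the victim
    approving it on the phishing page; a relay that is fast enough wins.
    """
    # 1. Fraudster's server starts a real login at the real bank.
    attacker_token = server.start_login("https://bank.example", now)
    qr_from_bank = server.qr_payload(attacker_token, now)
    # 2. The phishing page shows the victim exactly that QR image.
    qr_on_phishing_page = qr_from_bank
    # 3. Victim scans what is on screen and approves in the app.
    scanned = server.app_scan(qr_on_phishing_page, "victim", now + delay)
    # 4. The bank's session, which belongs to the fraudster's browser, is now "victim".
    return scanned, server.collect(attacker_token)
```

Run `relay_attack(BankIdServer(), 1000, 5)` and the fraudster's session comes back as `"victim"`; run it with a delay beyond the assumed window and the scan is rejected, which is the only thing the time limit buys in this model.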