QR codes vs NFC in Bitcoin Wallets

[dkbit98]

Recent trend is that more and more devices, smartphones and hardware wallets are starting to adopt NFC technology for various purposes.
NFC is rival to QR codes, and both of them are wireless that can be used is Bitcoin wallets for sending transactions but in a totally different way.

QR Codes stand for Quick Response Code and they provide one way communication between devices.
Code is generated by app or a wallet and you need a camera and decoder to read hidden message with transaction or wallet address.
Cost for QR codes is minimal, but there is no universal standard and it can be encrypted with closed source like in Safepal wallet, so you can't verify anything.

NFC stands for Near-Field Communication Chip and they provide two way communication between devices.
Inside NFC chip is hidden small antenna with range around 10 cm or less, operating on specific radio frequency.
NFC technology is mostly used in smartphones, identity documents and payment cards.
Cost for NFC is higher than for QR codes, and they need power for functioning.
NFC works with simple tap, they are faster and there is universal NFC standard, but there is no way you can verify what's happening inside chip.
Metal materials can block NFC communication and some people managed to hack and modify it.
You can't use NFC on desktop computer unless you buy special NFC readers.

What do you think it's better technology to be used in Bitcoin wallets?
Maybe there is something better than both QR and NFC.

[1714497004]

1714497004

[1714497004]

1714497004

[1714497004]

1714497004

[o_e_l_e_o]

There are a number of additional risks you expose yourself to when using NFC over QR. It is possible to eavesdrop on NFC transmissions, which can result in loss of privacy. It is also possible intercept and alter NFC transmissions, effectively committing a man-in-the-middle attack. Yes, the range is very small, but a thief could plant a malicious device on a merchant's terminal or other device you would be placing your phone or hardware wallet near anyway in order to use NFC in the first place. The likelihood of losing coins via such a method is admittedly small, but it is non-zero.

And obviously, if you want your wallet device to be properly airgapped, then using NFC means that is no longer the case. There's no knowing what future bugs or vulnerabilities might be found and exploited to allow attackers to upload malware or false transactions to your device.

In short, I'd maybe use it in a hot mobile wallet with a small amount of funds, but I'd never use it for a hardware wallet. The additional speed over displaying and scanning a QR code is negligible.

[ABCbits]

Cost for QR codes is minimal, but there is no universal standard and it can be encrypted with closed source like in Safepal wallet, so you can't verify anything.

To be fair, NFC doesn't have universal standard either. Wikipedia (https://en.wikipedia.org/wiki/Near-field_communication#Standards) mention there are at least 4 different standard for NFC.

What do you think it's better technology to be used in Bitcoin wallets?

If your main concern is security and you know how to setup cold/airgapped wallet, QR code is better option.

[bitmover]

What do you think it's better technology to be used in Bitcoin wallets?
Maybe there is something better than both QR and NFC.

On the user point of view, I don't see any benefit of using NFC over QR codes.

Bitcoin transactions are far more complex than a Visa transactions.

We need to choose our UTXO and customize fees.

Even if you do not care about which UTXO you are expending, you need to choose the fee (or at least approve it).

When using QR Codes, it is basically the same. You will scan the code and review the fees.

I don't see much gains. The only benefit would be if you could use a card machine.

[NeuroticFish]

What do you think it's better technology to be used in Bitcoin wallets?

Normally QR would be the best, since nobody could interfere with a powerful enough antenna.
But QR also can be a problem if one doesn't look around carefully, since nowadays more and more cameras are surveilling the public spaces.

On the other hand, a properly made hardware wallet and a properly made companion software wallet should display all the information you need to properly check whether you indeed sign the transaction you expect. And then maybe convenience will win (although it may be more convenient for some to use NFC and for others the QR).

QR is more widely compatible and I'd prefer it (does your laptop have NFC?)

[dkbit98]

There are a number of additional risks you expose yourself to when using NFC over QR. It is possible to eavesdrop on NFC transmissions, which can result in loss of privacy.

I know about this and that is why I am trying to understand why so many people are forcing the use of NFC technology everywhere, including bitcoin related devices.
If you think about it, 10cm is a lot of space if someone just comes near you they can connect with your chip and catch the signal you are sending all the time.

And obviously, if you want your wallet device to be properly airgapped, then using NFC means that is no longer the case. There's no knowing what future bugs or vulnerabilities might be found and exploited to allow attackers to upload malware or false transactions to your device.

Problem is that people are making their own twisted definition for airgapped devices, they fit them to their own needs or products they make.
For example Coldcard is planning to release new device with NFC chip and they still call it airgapped and open source, even if it's not.

To be fair, NFC doesn't have universal standard either. Wikipedia (https://en.wikipedia.org/wiki/Near-field_communication#Standards) mention there are at least 4 different standard for NFC.

I saw that on wikipedia but those standards are used for different purposes, and you have to consider the year of creation for each of them.

QR is more widely compatible and I'd prefer it (does your laptop have NFC?)

I think that QR codes are more popular than NFC, but everyday news comes out about tap feature payment etc.
Here is apple today announcing how they are empowering businesses to accept contactless payments through Tap to Pay on iPhone, using NFC technology:
https://www.apple.com/newsroom/2022/02/apple-unveils-contactless-payments-via-tap-to-pay-on-iphone/

QR Codes are also not perfect, and scammers may use them, here is one report from three letter agency saying how Cybercriminals are Tampering with QR Codes to Steal Victim Funds.
I guess many people are falling for this, or they wouldn't post warning like this:
https://www.ic3.gov/Media/Y2022/PSA220118

[SFR10]

What do you think it's better technology to be used in Bitcoin wallets?

Both of them have their own flaws, but I'd prefer to use a wallet with Qr codes over something ^[NFC] that doesn't always work.

Maybe there is something better than both QR and NFC.

While I was searching on Google, I stumbled upon an interesting technology: LiFi <sup>[video of LiFi-enabled phone cases communicating with each other]
- I'm still not entirely sure it's going to be better than those two [I'll read more in the morning], but it seems promising.</sup>

• More secure: light does not pass through walls like radio waves do, and this prevents intruders from intercepting LiFi communications through a wireless network.
  
  More reliable: LiFi transmits its signal without interruptions, making communication more stable than with wifi.
  
  No interference: electronic light does not interfere with radio communications, interact with other systems or compromise transmissions from aircraft, ships, etc.

  
  

• How it works exactly
  Data is captured in modulated light frequencies of a solid-sate LED light source and is then transmitted and received by LiFi-enabled devices. A photosensitive detector demodulates the light frequency signal and converts it back into an electronic data stream and – in so doing – allows for faster-than-ever, more secure, bi-directional wireless communication.

[pooya87]

Bitcoin transactions are far more complex than a Visa transactions.
We need to choose our UTXO and customize fees.

Wallets have done a very good job at simplifying everything to the point that all the complications are basically "advanced features" that you can use but you don't have to. In other words all the UTXO selection and fees are set based on simple pre defined preferences by the user. For example you choose privacy in your initial setup and your wallet only prioritizes UTXOs that are already linked.

[dkbit98]

Both of them have their own flaws, but I'd prefer to use a wallet with Qr codes over something ^[NFC] that doesn't always work.

I would give advantage to QR codes but I am not sure if they can be found in all Bitcoin wallets.
Electrum and Wasabi wallet does support QR codes even in desktop versions, but I didn't research all other wallets and I can't find much information about this.
As far as I know NFC technology is not supported in any desktop wallets so that is big disadvantage for NFC, but it's a different story with mobile devices.
I am trying to make some list of supported wallets with comparison but it's not going great for now :/ any help would be appreciated.

While I was searching on Google, I stumbled upon an interesting technology: LiFi ^{[video of LiFi-enabled phone cases communicating with each other]}

First time I hear about LiFi but I will check it out later.

[DaveF]

QR codes are not 100% safe either.
Although it has not happed to them yet (that we know of) there was an interesting hack shown a while ago on camera firmware where if it saw "X" it actually passed data for "Y"
Was showing how facial recognition could be faked at the hardware level.
Also, as mentioned with QR codes and some places make them 'cute and annoying' that do not scan well.
And too many places and people do not include the BTC address in the QR image. So now you have to dig to make sure.

So.... they both have their issues....which is less bad.

-Dave

[dkbit98]

QR codes are not 100% safe either.

I know they are not, nothing is 100% safe.
It should be mandatory to double check each QR code image to verify if it matches the bitcoin address or not, but they can be encoded.
QR codes MUST be transparent and some hardware wallets like Keystone have open source software called KeystoneQRVerifier, and with that you can verify if signed data is correct:
https://github.com/KeystoneHQ/KeystoneQRVerifier

Keystone explained this process in more details on their blog page:
https://blog.keyst.one/ever-wondered-what-your-hardware-wallet-inputs-and-outputs-9b33b4cedafd

I am not sure how other wallets are handling this but I know that Safepal is worst, so I consider it a black box and I don't recommend it to anyone.
Next time you see QR code it would be a good idea to try reading and decoding it manually.

[hugeblack]

At the moment, QR codes are the most popular because most phones can read them more than NFC tags.
The short range of NFC, which is currently 1.5 inches, may not give it an added advantage in Bitcoin transactions, but it is better in terms of sharing data and bank card addresses.

Perhaps the only downside to QR is privacy but most of the time they are addresses for making payments, these addresses are not private.

anyway i think we should compare NFC with Bluetooth Low Energy

[SFR10]

As far as I know NFC technology is not supported in any desktop wallets so that is big disadvantage for NFC, but it's a different story with mobile devices.

That's indeed a big disadvantage ^{[despite knowing a way around that issue (NFC reader and an android emulator), it still comes with a lot of risks (not worth the trouble)]}.

I am trying to make some list of supported wallets with comparison but it's not going great for now :/ any help would be appreciated.

If you're not in a rush, I can help from Saturday onwards

[NotATether]

Nit-picking here:

It is also possible intercept and alter NFC transmissions, effectively committing a man-in-the-middle attack. Yes, the range is very small, but a thief could plant a malicious device on a merchant's terminal or other device you would be placing your phone or hardware wallet near anyway in order to use NFC in the first place. The likelihood of losing coins via such a method is admittedly small, but it is non-zero.

Encrypting the message with TLS and doing a Diffie-Hellman handshake beforehand prevents this kind of problem while only taking up a few extra bytes. For example if AES256 is the encryption cypher used then the payload size increase is up to 255 bytes (AFAIK)

In short, I'd maybe use it in a hot mobile wallet with a small amount of funds, but I'd never use it for a hardware wallet. The additional speed over displaying and scanning a QR code is negligible.

Of course, top security precautions for wallets with bank-sized money. But I believe for small wallets with a few hundred dollars in them, NFC technology will actually result in less user mistakes. For one, the address cannot be "damaged" like it could be on a QR paper (assuming that's the only thing the NFCs are used to send).

As far as I know NFC technology is not supported in any desktop wallets so that is big disadvantage for NFC, but it's a different story with mobile devices.

That's indeed a big disadvantage ^{[despite knowing a way around that issue (NFC reader and an android emulator), it still comes with a lot of risks (not worth the trouble)]}.

It is not a big deal. Only a kernel module (Linux, specifically) needs to be made that can parse the byte-level input sent by NFC device drivers when they receive a communication. Then you can basically send whatever format you want.

Same gist with Windows, just create a dummy device driver that doesn't actually talk to anything, only in this case you'd probably be getting the device input via a USB cable since I don't think Windows 11 supports NFCs out of the box.

[dkbit98]

Of course, top security precautions for wallets with bank-sized money. But I believe for small wallets with a few hundred dollars in them, NFC technology will actually result in less user mistakes. For one, the address cannot be "damaged" like it could be on a QR paper (assuming that's the only thing the NFCs are used to send).

NFC address maybe can't be damaged, but NFC chip and antennas can certainly be damaged easy, and there is no way you can verify what is happening behind mysterious ''tap'' feature.
You need to trust the chip manufacturer that it is going to do what it suppose to be doing.

It is not a big deal. Only a kernel module (Linux, specifically) needs to be made that can parse the byte-level input sent by NFC device drivers when they receive a communication. Then you can basically send whatever format you want.

There are some reading devices you can buy online now, and I saw some of them are even used with function of writing codes on other devices.
This can be used for nfc keychains that can be used for opening doors instead of typing codes or something similar.

[Pmalek]

Call me old-fashioned, but I prefer the good old cable connection. If not, I would pick QR codes over NFC chips. If we are guided by the assumption that we cannot trust closed-source secure elements and chips that are used in hardware wallets, I don't see the point in trusting closed-source NFC chips. If the reddit post I found the other day is true, and you can boost the NFC signal up to a few meters using an antenna, a wire loop, and a tuning capacitor, that just gives more reasons not to use an NFC-enabled device.   

[pooya87]

Call me old-fashioned, but I prefer the good old cable connection.

Imagine wanting to make a payment in a shop and pulling out your cable to connect your phone to their computer, waiting for the system to recognize your phone and then letting them access your whole device to give you the payment information you need to sign
This is not just inconvenient but also risky. You cold infect your phone, even at home wit your own PC you should try not directly connecting devices as much as you can.

[Pmalek]

Imagine wanting to make a payment in a shop and pulling out your cable to connect your phone to their computer, waiting for the system to recognize your phone and then letting them access your whole device to give you the payment information you need to sign
This is not just inconvenient but also risky.

I was thinking and focusing more on hardware wallets when I wrote the previous post. My hardware wallet will not leave the safety of my home. I have never carried it with me and don't plan to do it unless I am forced to in some way. If I need some pocket money or want to spend Bitcoin for shopping, the needed amounts will be transferred from my hardware wallet to my phone. I don't need any cables from that point on. 

[o_e_l_e_o]

But QR also can be a problem if one doesn't look around carefully, since nowadays more and more cameras are surveilling the public spaces.

Someone monitoring you using QR codes in public can at most spy on your transaction, but cannot change the codes or the transaction data without replacing the merchant's terminal or similar. Whereas someone could intercept unencrypted NFC data and alter the transaction data. It would be fairly easy for an attacker to attach their own NFC transmitting chip or device to a merchant's terminal without anyone realizing, whereas such a thing is impossible with QR codes. Obviously everyone should be checking the address with the merchant after the transaction has been loaded on to your device, but we all know that very few people actually do this.

Encrypting the message with TLS and doing a Diffie-Hellman handshake beforehand prevents this kind of problem while only taking up a few extra bytes.

But also requires the software you and the merchant are using to implement this and to implement it properly, and is far beyond the scope of most users to verify.

[dkbit98]

Call me old-fashioned, but I prefer the good old cable connection. If not, I would pick QR codes over NFC chips.

I also prefer cables much more than wireless connections for several reasons, but for hardware wallets best thing to be air-gapped and still functional would be QR codes for now.

This is not just inconvenient but also risky. You cold infect your phone, even at home wit your own PC you should try not directly connecting devices as much as you can.

It's not less risky going in some shop and connecting on their network on their wi-fi network with your device, and yet most people are doing this all the time.

Someone monitoring you using QR codes in public can at most spy on your transaction, but cannot change the codes or the transaction data without replacing the merchant's terminal or similar.

That is true, but they could copy/scan it than alter QR code and replace it with their own that look almost identical.
I think something like this was happening recently with scammers creating similar QR codes with different links directing to some malware website.
Knowing how people can often act like zombies without using their brains, it's not hard to imagine they could also be scammed like this, but I do agree it's easier to get scammed with altered NFC.

[n0nce]

I'm late to the party! Anyone still here?!
My 2 satoshis: QR code over NFC any day of the week.
1] usability: I have multiple laptops and computers & since the days of video calls also webcams that I can plug in if needed.
2] security: An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes (someone scanning my screen without me noticing ). It can also be eavesdropped and wormholed. Here's a pretty long, but well explained video about NFC and this type of attack.
3] verifiability: Since you can read out a QR code with a normal phone's camera application, you can verify what is transmitted. It is much harder to audit this on NFC-based wallets, since you need a special reader. Maybe it's also possible with an app? Not sure.. It's definitely simple enough, especially if you're very paranoid, to periodically check the QR codes the wallet is spitting out. We spoke already about hardware wallet attack vectors and one argument against air-gap was that even an airgapped wallet could leak e.g. the seed through modified QR codes / PSBTs (after being infected e.g. through a software update). It's much easier to make sure this isn't happening when you use QR, rather than NFC.

[pooya87]

It's not less risky going in some shop and connecting on their network on their wi-fi network with your device, and yet most people are doing this all the time.

Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.

[o_e_l_e_o]

That is true, but they could copy/scan it than alter QR code and replace it with their own that look almost identical.

I'm not sure how they could pull off such an attack though? Sure, they could create a malicious QR code, but they can't exactly upload that to the merchant's terminal or print it out and stick it over the screen of the terminal. And if the merchant has a single QR code printed and stuck on the wall which the attacker replaces, then at most they can scam a single customer before the merchant goes "Hey, your payment didn't arrive, let's figure out why."

I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.

You don't even need to connect to a malicious device or network to fall victim. Chips containing malware can be hidden inside USB cables, charging terminals, etc. I wouldn't physically connect any of my devices to anything public, ever.

[NeuroticFish]

Someone monitoring you using QR codes in public can at most spy on your transaction, but cannot change the codes or the transaction data without replacing the merchant's terminal or similar. Whereas someone could intercept unencrypted NFC data and alter the transaction data. It would be fairly easy for an attacker to attach their own NFC transmitting chip or device to a merchant's terminal without anyone realizing, whereas such a thing is impossible with QR codes. Obviously everyone should be checking the address with the merchant after the transaction has been loaded on to your device, but we all know that very few people actually do this.

Indeed, QR issues may be more related to privacy (if you are sure the wallet/system generating them is not corrupted).
Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).

I'm late to the party! Anyone still here?!

You are not late and I can say that you've done a pretty good sum up.

My conclusion is that although QR is safer than NFC, if the HW and companion software wallet used are good enough, everything can be properly double checked before signed.
And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be). _{My current smartphone doesn't have NFC at all.}

[o_e_l_e_o]

Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).

Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?

And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be).

I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.

[NeuroticFish]

Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?

I've already got the camera lens broken/blurry at one phone and one tablet, maybe that's why I may be overthinking this a little

I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.

I agree 100% that it's an unnecessary risk. Just in my head it doesn't look like so much likely (nor big).
I mean that I expect that you will have to do more than for a CC, i.e. take a look and sign/allow the transaction, which hopefully won't be skipped.

[unicornmangle]

with ocr being so advanced why are qr codes needed over just human readable strings? i cant translate a qr code by looking at it. even if the string was long between NFT capabilities and human readable addresses a better compromise could be made.

i love your input on nfc and its disadvantages.

[o_e_l_e_o]

with ocr being so advanced why are qr codes needed over just human readable strings?

QR codes have a number of advantages, including being able to scan the whole thing instantly and not having to pan back and forth or display multiple screen of text as you might have to do with a string of characters, and built in error correction.

i cant translate a qr code by looking at it.

Most people can't make sense of the kind of data you would want to scan to use bitcoin either. A raw address maybe, but the vast majority of people can't translate a raw unsigned or signed transaction and understand if there is a problem with it.

[dkbit98]

I'm late to the party! Anyone still here?!

We are here, don't worry
I was thinking how to test all wallets to see how exactly they are using QR codes and NFC chips in their devices.
Some wallets use encrypted QR codes but they all lack in documentation explaining what they are using and how exactly.
I found that most NFC chips are coming from one or two companies, so it's closed source monopoly black box.

I have multiple laptops and computers & since the days of video calls also webcams that I can plug in if needed.

Same goes for smartphones, even old phones have cameras that can read QR codes.

An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes

Maybe you can turn off NFC function on smartphones but can you really prove you really turned it off, or it's just on stand by?
I know some phones can spy their users and perform some functions even if they are turned off, so best way would be to put phone or device in faraday cage bag.

Since you can read out a QR code with a normal phone's camera application, you can verify what is transmitted.

Not for all wallets if they are encrypted.
It's a bit more complicated than I was first thinking... doing some more research about that now.

Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.

This is not true.
Wi-fi has multiple times higher risk, especially if you are using public spot network.

[n0nce]

Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).

Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?

Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.

And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be).

I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.

That's correct. When using QR codes, you know that data can only be exchanged when the phone is physically out of your pocket and pointed at a QR code, while NFC can work through clothes and inside bags without user notice. If I walk around with my phone in my hand and someone tries to hold a QR code in front of it, I'd obviously notice, while that can't be said about a powerful 'evil' NFC transceiver in someone's backpack probing for vulnerable devices.

with ocr being so advanced why are qr codes needed over just human readable strings? i cant translate a qr code by looking at it. even if the string was long between NFT capabilities and human readable addresses a better compromise could be made.

This is a terrible idea. Aside the fact that you can't verify a PSBT by just looking at it anyway, QR codes are much faster and reliable to scan through the pattern, alignment squares and built-in checksum / error correction. OCR often messes up things like l and I (lowercase L and uppercase I) or sometimes mistakes those even for a pipe |. It's even hard to distinguish for humans.

I was thinking how to test all wallets to see how exactly they are using QR codes and NFC chips in their devices.

Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.

An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes

Maybe you can turn off NFC function on smartphones but can you really prove you really turned it off, or it's just on stand by?
I know some phones can spy their users and perform some functions even if they are turned off, so best way would be to put phone or device in faraday cage bag.

This is kind of off-topic, but I'm following Framework's developments and recently they mentioned starting development for a new 'product category'. I really hope it will be a Linux smartphone with hardware toggles for sensors and antennas, just like on their laptop. I don't have it, but would buy it if I needed a laptop, from what I've seen about it so far.

Security risk of connecting to WiFi is the same as connecting to internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.

This is not true.
Wi-fi has multiple times higher risk, especially if you are using public spot network.

Well, if you know all the websites you visit and all the applications / programs you use, are restricted to HTTPS and deny connections to outdated SSL / TLS standards, it should be safe to use. In practice, it's not so simple to ensure this, so any data transmitted without encryption to an open WiFi router, can be intercepted and read by anyone. One mitigation would be using a VPN, since that 'packages' up everything, no matter if HTTPS or HTTP traffic, however VPNs pose a risk themselves, too. Soo 'I don't think there is any way to inject anything into your device through WiFi' is honestly wrong.

[LoyceV]

Maybe there is something better than both QR and NFC.

I have a "Digipass" from ING bank. It scans a "QR" code, but instead of black it uses red, green and blue dots. And it doesn't have the "3 squares" to identify the orientation of the QR-code. The most impressive part is the speed: it scans almost instantly, while my phone needs about a second to read a QR-code.
By using multiple colors, the QR-code can be smaller.

I am trying to understand why so many people are forcing the use of NFC technology everywhere

I had a bank account that started requiring it. I closed the account. I refuse to use their software to give them access to a chip in my passport.

Coldcard is planning to release new device with NFC chip and they still call it airgapped

Lol. By that definition my Wifi is airgapped too

Call me old-fashioned, but I prefer the good old cable connection. If not, I would pick QR codes over NFC chips.

I love the user interface a cable provides It's very clear what's happening. I usually use a (very old) USB stick to transfer data to and from an offline system, QR-codes require a working camera (with drivers).
Or I just enter the data on the keyboard.

with ocr being so advanced why are qr codes needed over just human readable strings?

The main difference is error correction. A QR-code still works even if a part of it can't be read.
For the same reason shops use barcodes.

[o_e_l_e_o]

Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.

If you are transmitting data between two devices which are permanently in your control, such as a phone and a hardware wallet, when you can ensure they have not been tampered with and you can be sure there are no other devices in the vicinity which could intercept the data then maybe there is an argument for using NFC over QR codes. But when scanning a merchant's terminal, I see no benefit to using NFC.

This is kind of off-topic, but I'm following Framework's developments and recently they mentioned starting development for a new 'product category'. I really hope it will be a Linux smartphone with hardware toggles for sensors and antennas, just like on their laptop. I don't have it, but would buy it if I needed a laptop, from what I've seen about it so far.

Just FYI in case you are interested, but there are a number of phones already on the market with built in hardware kill switches for various pieces of hardware, such as the PinePhone and Librem phone.

[dkbit98]

Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.

If you can please test how Passport is dealing with QR codes (encrypted or not) and post it in this topic, I will later see if I will add information in first post or created new topic for that.
Thank you in advance.

I have a "Digipass" from ING bank. It scans a "QR" code, but instead of black it uses red, green and blue dots. And it doesn't have the "3 squares" to identify the orientation of the QR-code. The most impressive part is the speed: it scans almost instantly, while my phone needs about a second to read a QR-code.
By using multiple colors, the QR-code can be smaller.

I found few free opensource programs that can be used for reading QR codes on regular computers, so we don't have to trust any phones or other devices.

For Linux it's program called CoBang that can work in most Linux OS and there is even Flatpak version... developer even mentioned other Linux alternative called Decoder in his github page:
https://github.com/hongquan/CoBang

For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/

I had a bank account that started requiring it. I closed the account. I refuse to use their software to give them access to a chip in my passport.

I think they are going to push even harder for NFC now that apple iphones are promoting it heavily for payments with easy tap. 

[NeuroticFish]

For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/

On Windows 10, if you want to read QR codes, all you have to do is enable the experimental features on the "stock" camera application. No need to install other stuff.
Should I mention that Electrum already creates and reads the QR codes it needs? That way one doesn't have to rely on 3rd party software which has happened to generate the wrong QR code in case of Bitcoin addresses (of course, it was websites doing this, not open source programs).

[dkbit98]

On Windows 10, if you want to read QR codes, all you have to do is enable the experimental features on the "stock" camera application. No need to install other stuff.
Should I mention that Electrum already creates and reads the QR codes it needs? That way one doesn't have to rely on 3rd party software which has happened to generate the wrong QR code in case of Bitcoin addresses (of course, it was websites doing this, not open source programs).

I didn't know about this experimental feature, but I am not interested in using any of their closed source windows junkware that nobody can verify, and QR workshop is portable open source software so there is no need for any installation.
Electrum can be used only for generating bitcoin addresses, and QR workshop can be used for generating QR codes with anything, including website links, addresses, etc.
Even better option is switching to Linux OS and using CoBang.

I've used CoBang for some time and it works quite well compared with other QR scanner for linux. You also can drag and drop QR code image which is quite convenient if you were to make a payment and the website only show QR code.

CoBang is probably the best option we have for Linux os right now.
I know there are some online websites doing similar thing but this can't be verified or checked, and there is always a danger of getting phishing attack with altered results.

[n0nce]

Coldcard is planning to release new device with NFC chip and they still call it airgapped

Lol. By that definition my Wifi is airgapped too

That's a pretty good way to put it, honestly. Most people still believe NFC is some magical thing transferring data by touching two devices, as if the bytes were flowing through the devices' plastic casings or something.
It's 13.56 MHz radio waves, while WiFi is 2.4GHz.. WiFi also has different modulation scheme etc., but that's beside the point.

Well, with QR, you have to scan twice, right. So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s can hardly justify the weakened security.

If you are transmitting data between two devices which are permanently in your control, such as a phone and a hardware wallet, when you can ensure they have not been tampered with and you can be sure there are no other devices in the vicinity which could intercept the data then maybe there is an argument for using NFC over QR codes. But when scanning a merchant's terminal, I see no benefit to using NFC.

If you have this level of confidence in your devices' integrity, then you might just as well use a cable though.

Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.

If you can please test how Passport is dealing with QR codes (encrypted or not) and post it in this topic, I will later see if I will add information in first post or created new topic for that.
Thank you in advance.

I'm 99% sure it's a raw PSBT in cleartext, but I will verify and DM or @ you.

For Linux it's program called CoBang that can work in most Linux OS and there is even Flatpak version... developer even mentioned other Linux alternative called Decoder in his github page:
https://github.com/hongquan/CoBang

For Windows it's open source portable program called QRworkshop, that can be used for generating and reading any QR codes from images.
https://www.fluxbytes.com/software-releases/qr-workshop/

Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).

[dkbit98]

Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).

I am not trusting QRworkshop or any other software that has open source label and I know it wasn't updated for a long time, I just posted it as only option I know for windows os.
Don't trust me and my words but go and check last github releasel of this program from 2014, or find something better for windows.
Electrum wallet is fine but we all remember phishing attacks they had with update notifications, so scammers could make something similar with QR codes again.

I found one article talking about history of NFC technology that was first created back in 2003 by Philips and Sony, and promoted by both of them and Nokia in 2004 (something I didn't know).
Today we have several manufacturers who are making NFC chips, and we know some of them are also making secure elements used in hardware wallets, or in mobile devices:

- NXP Semiconductors
- STMicroelectronics
- Infineon Technologies
- Samsung
- Texas Instruments
- Marvell Technology
- Broadcom
- Qualcomm
- MediaTek
- Intel
- Sony
- Ams
- Renesas
- MStar Semi

[RickDeckard]

I think it's fair to say that QR code has exploded in the past couple of years due to the COVID virus. Nowadays whenever I go to a restaurant I'm given a little piece of paper (or most of the time it's printed to the table) with a QR code that allows me to see the menu in the restaurant website (thus avoiding sharing menus with other clients). While it's a good idea to reduce "attack vectors" (the menu themselves), I often wonder that it would be very easy for a malicious agent to get a hold of a couple of tables and just stick his/her malicious QR code on top of those stickers and most probably people will never notice the switch. In fact, the FBI had already warned about such issue about one month ago[1]:

The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

This warning is mentioned again in this[2] article from AXIOS where the picture is even more terrifying - they estimate that the number of Americans that will scan a QR code will be around 100 million by 2025 :



Most people end up "lowering" their already low security practices if they're given usability which is something that happens with QR codes but even more with NFC (they can just swipe their watch/smartphone and make payments) - they just don't care how the technology works or what is the risk of blatantly scanning every QR code that they find (or leaving their smartphone with the NFC functionaly always ON).

Please stay vigilant about the 'open source = secure' fallacy. Especially that QRworkshop which has been abandoned almost a decade ago; I wouldn't trust that over what's built into Electrum without thoroughly reading all the code myself (which I have little to no time for).

What about Zinct*[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4]. A quick definition for it can be found on GitHub page[5]:

Zint is a suite of programs to allow easy encoding of data in any of the wide range of public domain barcode standards and to allow integration of this capability into your own programs.

*Thank you dkbit98!
[1]https://www.ic3.gov/Media/Y2022/PSA220118
[2]https://www.axios.com/qr-code-safety-coinbase-4b7f97d0-940c-45f4-9366-bf5d7f2f3c8f.html
[3]https://www.zint.org.uk/
[4]https://sourceforge.net/projects/zint/
[5]https://github.com/zint/zint

[n0nce]

the risk of blatantly scanning every QR code that they find

This is an interesting topic that I recently thought about a lot, when experiencing a small 'outrage' on Twitter lately, after a Coinbase ad which was shown during Superbowl that just contains a QR code. Infosec Twitter went crazy about how huge of an attack vector this is (people just scanning random QR codes), while on the other hand voices came up in the community, suggesting people should be able to scan random QR codes without being hacked.

It's an interesting discussion and I have no definitive opinion on this; it's clear that opposed to URLs which you can read out before visiting, QR codes do hide it, on the other hand that's what they're meant to do. The parser & OS should be secured against attacks on the QR parser as well as protected against any type of 0-click attack that is triggered by simply visiting a website.

I do believe the worst thing happening when opening a random QR code should be landing on a phishing site (something the OS can't / shouldn't control); against everything else, there should be mechanisms in place. If they don't work, the whole field of web security as well as cookie protections and OS sandboxing has kinda failed, to be honest.

What about Zint[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4].

From pure stats / numbers this looks a lot better to me! Thanks for digging up another open source alternative.

[o_e_l_e_o]

There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you a scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious. Secondly, if you do visit the website then open it a completely separate browser to your usual browser(s), preferably one which is sandboxed so to prevent any malware from escaping in to your device.

[n0nce]

There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you a scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious. Secondly, if you do visit the website then open it a completely separate browser to your usual browser(s), preferably one which is sandboxed so to prevent any malware from escaping in to your device.

That's honestly great advice; also a thought on sandboxing: maybe QR codes are less risky than assumed, taking in consideration that you usually don't scan those with an (unsandboxed) desktop OS. Since probably all mobile OSes today are reasonably sandboxed, the risk of system takeover through visiting a webpage should be minimized compared to visiting an unknown webpage on a laptop / desktop PC.

I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.

[RickDeckard]

I do believe the worst thing happening when opening a random QR code should be landing on a phishing site (something the OS can't / shouldn't control); against everything else, there should be mechanisms in place.

You're definitely right just look at this scenario were malicious agents just replaced the QR codes on parking meters so they could phish any user that decided to pay by scanning the QR code[1].

There are two things you can do on your phone when scanning QR codes (other than just not scanning them at all) to protect yourself from these kinds of attack. The first is set it up so when you a scan a QR code, rather than it immediately visiting a website or whatever, it decodes the QR code and shows you the plain text decoding. You can then examine the URL manually to see if it is pointing to where you think it should be pointing or if it looks malicious.

I support this idea. In fact there's actually some free and open sourced applications that do allow you to preview whatever information/url is embedded in a QR code and let you inspect it before opening it:

• Android: SecScanQR[2], Barcode to PC[3][4], QR & Barcode Scanner[5] or ZBar[6];
• iOS: Barcode to PC[3][4], ZBar[6]

[1]https://www.theverge.com/2022/1/12/22879728/phishing-scam-parking-meter-qr-code-austin-san-antonio
[2]https://github.com/Fr4gorSoftware/SecScanQR
[3]https://barcodetopc.com/
[4]https://github.com/fttx/barcode-to-pc-app
[5]https://github.com/wewewe718/QrAndBarcodeScanner
[6]http://zbar.sourceforge.net/

[o_e_l_e_o]

I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.

You can either use an entire separate browser app to your main one (having Firefox, Firefox Beta, +/- Firefox Nightly is great for this sort of thing), or you can use a different instance of your usual browser. There are apps such as Island (https://island.oasisfeng.com/) which allow you to run apps more than once, with the cloned version having no access to any of your personal data or files. I'm not sure if the sandbox offered by such apps would do anything additional to protect against malware, though.

In fact there's actually some free and open sourced applications that do allow you to preview whatever information/url is embedded in a QR code and let you inspect it before opening it

Ideally, this should be a native feature of your device, so simply opening the camera and scanning a QR code would display the information encoded in plain text.

[n0nce]

I agree with the 'separate browser' idea, since malicious websites can for example steal your other website's cookies and stuff like this.

You can either use an entire separate browser app to your main one (having Firefox, Firefox Beta, +/- Firefox Nightly is great for this sort of thing), or you can use a different instance of your usual browser. There are apps such as Island (https://island.oasisfeng.com/) which allow you to run apps more than once, with the cloned version having no access to any of your personal data or files. I'm not sure if the sandbox offered by such apps would do anything additional to protect against malware, though.

I do like using something called 'Multi-Account Containers'; it's within Firefox and it allows you to have different 'containers' with separate sets of cookies, but nothing regarding malware, that I know of. Island sandbox might be better, but I doubt it, because it's above the OS, right. Real sandboxing has to be at least one layer 'below' the software running in the different boxes, intuitively.

In fact there's actually some free and open sourced applications that do allow you to preview whatever information/url is embedded in a QR code and let you inspect it before opening it

Ideally, this should be a native feature of your device, so simply opening the camera and scanning a QR code would display the information encoded in plain text.

Unfortunately, it seems the default QR code scanner in iOS, while allowing to 'copy URL' by long-pressing on iOS 14, since iOS 15 only allows to visit the site directly! Yikes.

[RickDeckard]

Ideally, this should be a native feature of your device, so simply opening the camera and scanning a QR code would display the information encoded in plain text.

I don't know about iOS devices, but I do know that at least Pixel devices have this option in their Google Camera app[1] - you just point at a QR code and a little popup appears telling you what information/url is contained and if you want you just click it and the browser opens. However the popup that appears is a bit small and most of the time you are unable to see the full url that you're about to visit...

I think that the biggest challenge is how we can guarantee that the website that we are being led to is, in fact, 100 % legit and was not replaced by another agent. If people nowadays still fall for this type of scam while they are in their desktop computers I can easly imagine that they'll fall more quickly in the same kind of "trap" in their handled devices...
[1]https://android.gadgethacks.com/how-to/scan-qr-codes-your-pixels-camera-app-0192157/

[dkbit98]

What about Zinc[3]? It's also free, open sourced and has been updated fairly often according to their activity on the SourceForge page[4]. A quick definition for it can be found on GitHub page[5]:

Is it Zint or Zinc typo?
I think that Zinc is important mineral that has nothing related with QR codes  
Anyway I just download this software now and I will test how it works in next few days.

My opinion is that QR codes can be dangerous and scammers can use them to share malicious links, that is why I like to read their content before scanning that automatically opens a web page.
Most people are not using their brain most of the time so it's a very good attack to be executed on mobile devices.

[RickDeckard]

Is it Zint or Zinc typo?
I think that Zinc is important mineral that has nothing related with QR codes  

You're absolutely right @dkbit98! While I'm sure that it would be interesting to see how we could implement Zinc as a way to improve the overall QR code concept, it's not what I wanted to write indeed! I'll correct my wording on the previous post.

Anyway I just download this software now and I will test how it works in next few days.

Please do and if possible keep us posted, I'm really interesting to see if it really does work in the way that they claim! If it does, and considering that it's actively being development, this could be a serious option to consider if needed in the future.

[dkbit98]

Please do and if possible keep us posted, I'm really interesting to see if it really does work in the way that they claim! If it does, and considering that it's actively being development, this could be a serious option to consider if needed in the future.

I did basic testing and I can see this program can generate many other barcodes along with QR code with IDO 18004 and HIBC, there is also UPNQR, Micro QR code, rMQR, that look very similar.
Difference compared with QR workshop is that Zint Barcode Studio can't read and decode QR codes from images.

[dkbit98]

Blockstream Jade made interesting update in their latest firmware version 0.1.38 with support of CompactSeedQR codes.
This contains 7x7 square table grid, and this codes can easily be drawn on a piece of paper and it reminds me on game I played on my school paper.
I am not a fan of Jade hardware wallet, but I like this new CompactSeedQR codes and I wonder if someone saw them in other Bitcoin wallets?


https://www.nobsbitcoin.com/blockstream-jade-v-0-1-38/

[unicornmangle]

Blockstream Jade made interesting update in their latest firmware version 0.1.38 with support of CompactSeedQR codes.

Had my eye on that for awhile looks like a neat device but after buying so many hardware wallets ive come to the conclusion at some point you are trusting developers so hardware and software will always have the same amount of risk involved. I see no benefit to a hardware wallet at this point or in the future.

Reasons:
1. Users cant read code written in 50+(and counting) programming languages
2. Users cant investigate all these datacenter in a box chips
3. Users cant use dedicated bitcoin to bitcoin hardware and networking without internet
4. Java

Trustless is a lie, with that said trust LESS i agree with.

edit:
5. ZERO accountability on any level from any software/hardware company for "BUGS"

[LoyceV]

you are trusting developers so hardware and software will always have the same amount of risk involved.

By that logic, it doesn't matter what you do: you're always using software. It's an oversimplification: there are different levels of risk, and generally speaking a hardware wallet is safer than a software wallet.

I see no benefit to a hardware wallet at this point or in the future.

Reasons:
1. Users cant read code written in 50+(and counting) programming languages

That's no doubt true for most users, but it doesn't mean they don't benefit from using a hardware wallet.

2. Users cant investigate all these datacenter in a box chips

Again: true in most cases, but again: it doesn't mean a hardware wallet doesn't help secure their funds.

3. Users cant use dedicated bitcoin to bitcoin hardware and networking without internet

The Bitcoin blockchain is public knowledge. That's okay.
What matters, is keeping your private keys offline, and even though that's 100% possible using only software wallets, it's a lot easier when using dedicated hardware.

5. ZERO accountability on any level from any software/hardware company for "BUGS"

That's not limited to Bitcoin, that's the entire software industry. If software companies would have been held accountable for their bugs, they would have gone out of business decades ago and we'd still be using type writers.

[pooya87]

hardware and software will always have the same amount of risk involved.

They are two entirely different categories.

I see no benefit to a hardware wallet at this point or in the future.

The benefits of using a hardware wallet is as always to gain a high level of security very easily and without needing any knowledge (ie. newbie friendly way).

1. Users cant read code written in 50+(and counting) programming languages

Projects are almost always written in one language only not 50+. For example bitcoin core is write in in C++ and has some C code which a C++ developer can also read (the rest of the languages like python are for tests not the code itself).
You also don't need to read the code, if the project is popular and is used by many people for a long time that means others have read it. For example Electrum source code is already reviewed by many users (I've personally checked many parts of it involving wallets, keys, signing, transactions, cryptography, etc).

[o_e_l_e_o]

ive come to the conclusion at some point you are trusting developers so hardware and software will always have the same amount of risk involved.

Putting the trust of developers to one side for a moment, hardware and software wallets have hugely different risk profiles. Even if you assume a perfect software wallet and a perfect hardware wallet, both without any bugs or vulnerabilities, then the hardware wallet with its private keys stored on a dedicated device and protected from the internet and general malware is exponentially more secure than a software wallet on a daily use computer.

You arguments regarding open source versus closed source have been discussed by the posters above. Just because you cannot personally read the code does not mean you do not gain additional benefit from the code being open source and having the eyes of the community on it.

Still, if you don't like all this, then use Bitcoin Core on an airgapped computer. If you cannot read the code yourself, then there is no way to use bitcoin with less trust than this.

[dkbit98]

Reasons

With that kind of thinking you should not use anything written in code, because you can't read it, so it's best for you to move in and start to live in some cave.
Don't use phones, computers, wallets, and any electronic device, maybe join Amish community or Bushmen in Africa.
I don't see what your post has to do with topic subject, that is QR codes vs NFC in Bitcoin Wallets.

SeedSigner also use same format under name SeedQR and CompactSeedQR[2].

I know they are supporting it, but Seedsigner is not supporting static qr codes which means it can't work properly with Electrum wallet. 

[dkbit98]

I always liked QR codes more than NFC for bitcoin wallets, but we should also be aware of hidden dangers behind QR codes.
There is a good article that explains in details all potential dangers and attacks that could be performed using QR codes.
In past we saw cases of malware being distributed using QR codes, and they can also contain bugs in different applications.
QRLJacking or Quick Response Code Login Jacking is one of the attack examples:


https://hackernoon.com/the-hidden-danger-of-qr-codes

[n0nce]

I always liked QR codes more than NFC for bitcoin wallets, but we should also be aware of hidden dangers behind QR codes.
There is a good article that explains in details all potential dangers and attacks that could be performed using QR codes.
In past we saw cases of malware being distributed using QR codes, and they can also contain bugs in different applications.
QRLJacking or Quick Response Code Login Jacking is one of the attack examples:


https://hackernoon.com/the-hidden-danger-of-qr-codes

This doesn't apply to hardware wallets though, right.
The flow graph in the picture assumes someone randomly scanning that vulnerable QR code from a malicious website. You wouldn't normally scan QR codes from websites using a hardware wallet; only from your wallet application.
The hardware wallet should also simply reject anything that doesn't decode to a valid PSBT, instead of parsing it and maybe even navigating to the destination, if it's a URL - like phones do.

When attempting to attack hardware wallets through QR codes, you would be looking for exploitable bugs in the QR code parser itself. I'm not saying that it's not an interesting subject (would probably recommend fuzzing a virtualized instance of the target), but be aware that the attack surface is tiny compared to a phone scanning QR codes; where bugs could lie and be exploited before, within and after the image parser.

[dkbit98]

This doesn't apply to hardware wallets though, right.
The flow graph in the picture assumes someone randomly scanning that vulnerable QR code from a malicious website. You wouldn't normally scan QR codes from websites using a hardware wallet; only from your wallet application.

I was talking about all software wallets, this is not directly related with hardware wallets that are not famous for QR code support, at least most of them.
Anything can be secretly hidden if you can't verify QR codes, and that is especially relevant for closed source protocols for QR codes, like in case with Safepal wallet and their app.
Besides, I don't know anyone who is actually checking QR codes before they scan them with smartphones.

[n0nce]

This doesn't apply to hardware wallets though, right.
The flow graph in the picture assumes someone randomly scanning that vulnerable QR code from a malicious website. You wouldn't normally scan QR codes from websites using a hardware wallet; only from your wallet application.

I was talking about all software wallets, this is not directly related with hardware wallets that are not famous for QR code support, at least most of them.

My bad! So this refers to mobile wallets and scanning in Bitcoin addresses through QR codes, then?
But what about NFC? (Re: QR codes vs NFC in Bitcoin Wallets) NFC is only used in hardware wallets from what I can tell.

[dkbit98]

But what about NFC? (Re: QR codes vs NFC in Bitcoin Wallets) NFC is only used in hardware wallets from what I can tell.

I personally don't like NFC and I never used any Bitcoin wallet that uses NFC but most new models of smartphones support this technology so it would be trivial to add support for software wallets.
If you can use NFC to pay something with fiat currencies using your smartphone, I don't see why this should be different for bitcoin wallets.
All you need to have in other end is receiving payment terminal with NFC or other smartphone to accept payment.
NFC is fairly new but there is already list of supported wallets, I just don't know how accurate it is:
https://cryptonfc.org/list-all
https://cryptonfc.org/compatible

[n0nce]

But what about NFC? (Re: QR codes vs NFC in Bitcoin Wallets) NFC is only used in hardware wallets from what I can tell.

I personally don't like NFC and I never used any Bitcoin wallet that uses NFC but most new models of smartphones support this technology so it would be trivial to add support for software wallets.
If you can use NFC to pay something with fiat currencies using your smartphone, I don't see why this should be different for bitcoin wallets.
All you need to have in other end is receiving payment terminal with NFC or other smartphone to accept payment.
NFC is fairly new but there is already list of supported wallets, I just don't know how accurate it is:
https://cryptonfc.org/list-all
https://cryptonfc.org/compatible

These are hardware wallets, though. I was confused by your comment regarding what type of wallets this topic is about, since I assumed hardware wallets.
Talking about QR codes outside 'hardware wallets' makes sense, since software wallets can use QR codes to scan addresses from websites or print. But I don't know of any software wallets scanning in receiving addresses (e.g. from a terminal) through NFC.

[tjtonmoy]

QR code is the safest way to do it, I guess. NFC has some flaws, and it's being new, I think in the future this will be improved. But for now until that happens, i think using QR codes will be the best option.
All you need is a camera which will scan the code. But for NFC it needs something extra and those devices which doesn't support NFC will no longer be able to work. So until people come up with something new, QR codes will be used mostly.