QR Code Payment Security Against Phishing Attacks Using HMAC Cryptographic Model and Tokenization
Authors: Angella Maretmy; maulina, riska; Zapiratun Nisa; Erwenda Tri Hapsari; Hardi Yanti
INSTALL: Information System and Technology Journal, Vol 2 No 2 (2025)
Publisher : LPPM Universitas Sari Mulia

DOI: 10.33859/install.v2i2.997

Abstract

The implementation of the Indonesian Standard Quick Response Code (QRIS) has driven the growth of cashless payment systems in Indonesia through interoperability and expanded financial inclusion. However, the QRIS security mechanism still has limitations, particularly due to the use of CRC16-CCITT as the sole data integrity check. CRC16 is not designed to withstand intentional data manipulation, thus opening up opportunities for QR Code substitution-based phishing attacks and undetected transaction amount manipulation. This study aims to evaluate a hybrid security model that combines Hash-based Message Authentication Code (HMAC) with the SHA-256 algorithm and dynamic tokenization to improve QR Code payment security. The method used is an experimental approach based on software simulation by comparing the existing CRC16-based system with the proposed system based on HMAC-SHA256 and tokenization. Testing was conducted through several attack scenarios, including transaction amount manipulation and replay attacks. The test results show that the CRC16 mechanism has a high detection failure rate, where the manipulated QR Code is still considered valid as long as the checksum is recalculated correctly. In contrast, the HMAC-SHA256 mechanism is able to consistently detect all payload changes due to the use of a secret key. Dynamic tokenization has also proven effective in preventing the reuse of expired QR Codes without disrupting the user experience. In conclusion, the integration of HMAC-SHA256 and dynamic tokenization significantly improves the resilience of the QR Code payment system against phishing attacks and data manipulation, and has the potential to become the basis for strengthening the security of QRIS in the future.
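The contrast the abstract draws between a keyless checksum and a keyed tag with single-use, expiring tokens can be seen in a small verifier. This is an added example, not the paper's implementation; the payload layout, field separator, key, token names, and 120-second lifetime are all assumptions made for illustration.

```python
import binascii, hashlib, hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and verifier
TOKEN_TTL = 120                # assumption: token lifetime in seconds

def crc_seal(payload: str) -> str:
    # CRC16-CCITT (poly 0x1021, init 0xFFFF) appended as 4 hex digits; no key involved
    return payload + format(binascii.crc_hqx(payload.encode(), 0xFFFF), "04X")

def crc_valid(sealed: str) -> bool:
    return crc_seal(sealed[:-4]) == sealed

def _tag(body: str) -> str:
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def hmac_seal(payload: str, token: str, issued_at: int) -> str:
    body = f"{payload}|{token}|{issued_at}"  # hypothetical field layout
    return f"{body}|{_tag(body)}"

def hmac_verify(sealed: str, now: int, seen: set) -> str:
    body, _, tag = sealed.rpartition("|")
    # Authenticate first; only then trust and parse the fields.
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return "rejected: bad tag"
    _payload, token, issued_at = body.rsplit("|", 2)
    if now - int(issued_at) > TOKEN_TTL:
        return "rejected: token expired"
    if token in seen:
        return "rejected: token reused"
    seen.add(token)  # single-use: remember accepted tokens
    return "accepted"

def demo() -> dict:
    original = "MERCHANT=TOKO-A;AMOUNT=150000"  # constructed sample payload
    seen = set()
    qr = hmac_seal(original, "tok-001", issued_at=1000)
    return {
        "crc_corrupted": crc_valid(crc_seal(original).replace("150000", "150001")),
        "crc_resealed": crc_valid(crc_seal("MERCHANT=TOKO-A;AMOUNT=1500")),
        "hmac_altered": hmac_verify(qr.replace("AMOUNT=150000", "AMOUNT=1500"), 1030, seen),
        "hmac_first_use": hmac_verify(qr, 1030, seen),
        "hmac_replay": hmac_verify(qr, 1040, seen),
        "hmac_expired": hmac_verify(hmac_seal(original, "tok-002", 1000), 2000, seen),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The CRC check catches accidental corruption but accepts any payload whose checksum was computed after the change, because computing it needs no secret; the HMAC check rejects the altered payload and the token checks reject reuse and expiry.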