The implementation of the Indonesian Standard Quick Response Code (QRIS) has driven the growth of cashless payment systems in Indonesia through interoperability and expanded financial inclusion. However, the QRIS security mechanism still has limitations, particularly its use of CRC16-CCITT as the sole data integrity check. CRC16 is not designed to withstand intentional data manipulation, which opens the door to QR Code substitution-based phishing attacks and undetected transaction amount manipulation. This study evaluates a hybrid security model that combines a Hash-based Message Authentication Code (HMAC) using the SHA-256 algorithm with dynamic tokenization to improve QR Code payment security. The method is an experimental, software-simulation-based approach that compares the existing CRC16-based system with the proposed system based on HMAC-SHA256 and tokenization. Testing was conducted through several attack scenarios, including transaction amount manipulation and replay attacks. The test results show that the CRC16 mechanism has a high detection failure rate: a manipulated QR Code is still accepted as valid as long as the checksum is recalculated correctly. In contrast, the HMAC-SHA256 mechanism consistently detects every payload change because verification depends on a secret key. Dynamic tokenization also proved effective in preventing the reuse of expired QR Codes without disrupting the user experience. In conclusion, the integration of HMAC-SHA256 and dynamic tokenization significantly improves the resilience of the QR Code payment system against phishing attacks and data manipulation, and has the potential to become the basis for strengthening the security of QRIS in the future.
Copyright © 2025