QR Code Security Concerns
December 10, 2021 by Gary Soucy
QR codes are becoming more and more prevalent, but what are they? Essentially, they are two-dimensional bar codes. QR stands for “quick response,” and they were originally designed to track car parts within factories for a Japanese parts manufacturer. The use of QR codes has since expanded dramatically, commonly used to hold data such as URLs, links to apps, Wi-Fi authentication, payments, email addresses, phone numbers, simple text, and more. They are seen nearly everywhere: on retail goods, store windows, restaurants, and the list goes on. Most smartphones now natively translate these with a standard camera app, where the camera is hovered over the QR code, and the information stored within then displays on the screen. With the burgeoning presence of QR codes, so too rises the risk of cybercriminal opportunity and activity.
QR codes can be launched by cybercriminals via social media, email, text, IM, and many other avenues. Once a hacker launches the code and it gets scanned by an innocent bystander, they can initiate actions such as adding a contact to their phone or launching a payment app and making a payment. They can divulge personal or private information by revealing a victim’s location or even add a compromised Wi-Fi network to their phone.
What are the risks of QR codes?
As with most cybercrime, the criminals are out to commit fraud. They want to:
- Install malware on your device to then perform any number of malicious deeds
- Steal credentials by sending the user to a fraudulent website where they are asked to enter their credentials and other personal information
- Replace legitimate QR Codes with fraudulent codes. These are easily manufactured and produce stickers to overlay the originals
The good news is that the defense against these passive attacks are the same defenses that Tyler Cybersecurity has advocated for years.
- If you receive a QR code, verify the source through separate channels. For example, call the person who sent it to make sure it came from them. Never trust a code from an untrusted source.
- If you scan a QR code and the result is a shortened URL such as bit.ly, be wary as these can hide malicious links.
- Ensure your organization employs mobile defense solutions that will block phishing attempts, unauthorized downloads, and other exploits.
- Use multi-factor authentication (MFA) wherever possible for an added layer of protection to applications and cloud resources (Elgan, 2021).
- Check the QR codes being scanned for stickers placed over original codes.
- Only use QR readers with bult-in security features.
- Report malicious QR codes to the owners of the businesses where they are found (Stamps, 2021).
Cybercriminals play upon consumer comfort levels, exploiting common, everyday activity. The best defense is situational awareness. Do not trust a link from an unknown source and verify a source if it is unexpected. Always keep your eyes open and personal information closed.