Security

QR Code Security: Why They Are the Next Cybersecurity Battlefield

As QR codes stage a comeback, hackers see an opportunity.

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

The use of QR codes has become part of our everyday lives. Invented in 1994 in the manufacturing industry, the QR code sank into obscurity for years, only to make a comeback during the pandemic. Today, touchless payment systems and contactless restaurant ordering are easy with smartphones and these codes.

Consumers value the convenience of being able to conduct activities without getting into close contact with other people. According to research by Scantrust, many also believe that QR codes make brands appear more trustworthy. Gartner sees the trend continuing: By 2024, 80 percent of order, checkout and payment services will be contactless.

Sure enough, cybercriminals have spotted an opportunity. They exploit weaknesses by substituting malicious codes for legitimate ones, directing users to fraudulent websites or embedding malicious software in mobile devices. Because a QR code obscures the underlying URL, users can’t tell whether the code will take them to the correct destination. In fact, a MobileIron survey found that while 69 percent of users believe they can identify a bad URL by looking at it, only 37 percent can spot a malicious QR code based on its pattern.

Click the banner below to receive exclusive security content when you register as an Insider.

What is a QR Code and How Does it Scan?

A QR code is a scannable barcode that contains numbers and characters embedded in a two-dimensional arrangement of squares. When a user scans the code, the app translates the pattern into data.

There are two types of QR codes. Static codes store the actual content: a text message, URL, Wi-Fi password, contact details or map location. Once encoded, the content cannot be changed or updated.

Dynamic QR codes contain information that can be changed after it is created. Usually, a short redirection URL takes the user to a destination URL, where the actual content lives. That content can easily be changed: We see this with restaurant menus where the content changes daily, yet the QR code remains the same. Dynamic QR codes allow scanning and use to be tracked, making them useful for marketing purposes.

DISCOVER WHY: managed detection and response is critical to endpoint security.

How Hackers Exploit QR Codes

There are a number of ways that QR codes can be exploited:

Counterfeit Codes. Hackers can print their own QR codes and paste them on top of printed QR codes that appear on posters and in public locations. The bogus code directs users to a malicious or fraudulent site.

QRishing. A malicious QR code sent via email, text or other method could lead users to a phishing site that looks like the legitimate website of a trusted institution. Users enter sensitive information such as banking credentials or Social Security numbers, unaware that they have been redirected.

Malware. Hackers can embed malware into a QR code or link users to a site that contains a virus, keylogger or other malware. In some cases, merely scanning the code can do damage, extracting valuable information such as banking login credentials.

QR Hijacking. When a QR code is sent via instant messaging, social media, text or other method, the code could initiate an action on a smartphone, such as launching a payment app, following a malicious account on social media, adding a malicious Wi-Fi network or more. Hackers also can use QR codes to write emails or text messages or make phone calls. Because a QR code can store a lot more data than a URL — more than 4,000 alphanumeric characters with spaces — the possibilities are endless.

Because a QR code obscures the underlying URL, users can’t tell whether the code will take them to the correct destination.”

Tanya Candia International Management Expert

How to Stop Malicious QR Codes

IT leaders must protect the QR codes their organizations generate and protect their users from malicious QR codes.

To protect QR codes created and used by the organization, use a QR code service provider that can create secure encrypted QR codes. These will be scanned by an approved validator app or web validation mechanism with the corresponding public key. Methods such as serialized QR encoding can be deployed to produce codes used for product tracking. Do not use static QR codes for user logins or financial transactions; instead, use dynamic codes and require users to regenerate them.

When using QR codes to share confidential documents, regulate exclusive access to content, protect inventory tags and other similar activities, and use a QR code generator with a password feature to help ensure the content can only be accessed by users supplied with the correct password.

To protect the user community from malicious QR codes, make sure managed devices have anti-virus and anti-malware software installed and updated. On-device mobile threat defense can further safeguard against phishing and other attacks that use QR codes to bypass anti-virus software.

22%

The share of QR code users who say they scan the codes at least several times a week

Source: scantrust.com “Do consumers use QR codes in America?” May 5, 2022

Also, train users to minimize the risk of QR code security issues by being wary of codes that seem suspicious. Always verify with the sender, especially if the communication appears to come from a financial institution, package delivery service or the like. Encourage users to disable the “open website automatically” function on smartphones and use a QR validator application that shows the content of the link before it is visited and checks for known malicious links.

QR codes have become mainstream, and their uses are many and varied. As with any technology, the possibilities for cybercriminals to abuse them are also multiple and diverse. A combination of proactive protection and user awareness can go a long way toward reducing the risk connected to malicious QR codes.

Ktsimage/Getty Images