A QR code (Quick Response code) is a type of two-dimensional barcode invented in 1994 by the Japanese automotive company Denso Wave. A barcode is a machine-readable optical label that carries information about the item to which it is attached. Most of the time, a QR code contains a locator, identifier, or tracker that points to a website or application.
QR codes seem to have popped up everywhere these days. Ever since the Japanese auto industry first used them to streamline manufacturing, companies everywhere have put them to work. They are cheap and easy to deploy almost anywhere, which is why every industry from retail to healthcare now uses them as a quick way to link people to websites, promotional campaigns, store discounts, patient medical records, mobile payments and more.
QR codes have also become essential during a pandemic in which contactless transactions are the norm. At least 81% of Americans now own a smartphone, and nearly all of those devices can natively read QR codes with no third-party app required. QR codes are clearly having their moment.
MobileIron wanted to better understand current QR code trends, so in September 2020 it surveyed more than 2,100 consumers across the U.S. and the U.K. The survey confirmed that QR codes are indeed more widely used today.
However, the results also highlighted some alarming trends. Mobile users do not really understand the risks of QR codes: nearly 71% of respondents cannot tell the difference between a legitimate and a malicious QR code, and 51% do not know whether they have mobile security software on their devices at all.
Like so many things we feel we cannot live without, we do not give QR codes much thought. Mobile devices have conditioned us to take quick actions such as swipe, tap, click and pay, all while we are distracted by other things like working, shopping, eating and driving.
This is exactly the kind of implicit trust and reflexive action an attacker can exploit. If mobile employees use their personal devices to access business apps and also scan potentially risky QR codes, enterprise IT should take a much closer look at its mobile security approach.
Consider everything a QR code can trigger today; each of those conveniences can just as easily be turned against the user.
QR codes are used today to:
- Navigate to a website: a malicious QR code can direct the user to a fake website instead of the expected one.
- Add a contact: an attacker can add a new contact to the user's phone and later use it to lend credibility to a spear phishing or other personalized attack.
- Initiate a phone call: by triggering a call to the scammer, this type of exploit exposes the user's phone number to a bad actor.
- Text someone: in addition to sending a text message to a malicious recipient, the user's contacts could also receive a malicious text from the scammer.
- Write an email: similar to a malicious text, an attacker can pre-populate the recipient and subject lines of a draft email. This could target the user's work email.
- Make a payment: a malicious QR code could pre-fill a payment to the attacker and perhaps capture the user's personal financial data.
- Reveal the user's location: malicious software can silently track the user's geolocation and send this data to an app or website.
- Follow social-media accounts: the user's social media accounts can be directed to follow a malicious account.
- Add a preferred Wi-Fi network: an attacker-controlled network, complete with the credential needed to join it, can be added to the device's preferred network list so the device connects to it automatically whenever it is in range.
Easy Things We Can All Do to Minimize the Risks
As scary as these exploits are, they are not inevitable. Educating users about the risks of QR codes is a good first step, but companies also need to step up their mobile security to protect against threats like spear phishing and device takeovers.
What Users Can Do
Take a good look first: make sure the QR code is legitimate, especially printed codes, which can be pasted over with a different (and potentially malicious) code. A sticker sitting on top of the original print is a clear sign that something has been tampered with.
Only scan codes from trusted entities: mobile users should stick to scanning codes that come from trusted senders. Most built-in camera scanners show the decoded link before opening it, so read it. Pay attention to red flags such as a web address that differs from the company's own URL; there is a good chance it links to a malicious site.
Watch out for short URL links: check where a bit.ly link, or a link from any other URL-shortening service, that appears after scanning the QR code actually leads. Such links are often used to disguise malicious URLs.
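The checks above can be applied mechanically to the text a scanner decodes, before the phone acts on it. The following Python script is an added example, not code from the original article or from MobileIron: it takes a decoded QR payload string, names the action it would trigger (the list of actions earlier on this page) and flags the red flags from the user tips (URL shorteners, a host that differs from the expected company domain). It goes slightly beyond the text by also flagging plain HTTP, a `user@host` prefix and punycode look-alike hosts. The `SHORTENERS` set, the `expected_domain` parameter and the sample payloads are constructed for illustration; the `WIFI:` parser ignores escaped semicolons.

```python
"""Triage a decoded QR payload (the text a scanner hands to the OS) before acting on it."""
import re
from urllib.parse import urlsplit

# Constructed sample of URL-shortener hosts; extend it for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def _host_matches(host, expected):
    """True if host is expected or a subdomain of it (login.example.com matches example.com)."""
    return host == expected or host.endswith("." + expected)


def _check_url(url, expected_domain):
    """Flag the red flags a user should notice in a decoded link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme.lower() == "http":
        warnings.append("plain HTTP: the page can be intercepted or rewritten in transit")
    if parts.username is not None:
        warnings.append("user@ prefix in URL: the real host is after the '@', not before it")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination: expand it before visiting")
    if expected_domain and not _host_matches(host, expected_domain.lower()):
        warnings.append(f"host {host!r} does not match the expected domain {expected_domain!r}")
    return {"action": "open_url", "target": host, "warnings": warnings}


def _parse_wifi(rest):
    """Parse the field list of a WIFI:T:WPA;S:ssid;P:pass;; payload (escaped ';' not handled)."""
    fields = {}
    for item in rest.split(";"):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields


def classify_payload(payload, expected_domain=None):
    """Return {'action', 'target', 'warnings'} for a decoded QR payload string.

    expected_domain is the domain the code is supposed to point at (for example the
    brand printed next to it, an assumption of this example); other hosts are flagged.
    """
    p = payload.strip()
    scheme, sep, rest = p.partition(":")
    scheme = scheme.lower() if sep else ""

    if scheme in ("http", "https"):
        return _check_url(p, expected_domain)
    if scheme == "tel":
        return {"action": "call", "target": rest,
                "warnings": ["places a call: your number is exposed to the callee"]}
    if scheme in ("sms", "smsto"):
        number = re.split(r"[:?]", rest, maxsplit=1)[0]   # sms:NUM?body=.. or smsto:NUM:body
        return {"action": "send_sms", "target": number,
                "warnings": ["sends a text: your number is exposed and the body may be attacker-chosen"]}
    if scheme == "mailto":
        address = rest.split("?", 1)[0]
        return {"action": "send_email", "target": address,
                "warnings": ["drafts an email with an attacker-chosen recipient and subject"]}
    if scheme == "wifi":
        fields = _parse_wifi(rest)
        warnings = [f"adds network {fields.get('S', '')!r} to the preferred list: device will auto-join it"]
        if fields.get("T", "").lower() in ("", "nopass"):
            warnings.append("open network: traffic is unencrypted")
        return {"action": "join_wifi", "target": fields.get("S", ""), "warnings": warnings}
    if scheme == "mecard" or p.upper().startswith("BEGIN:VCARD"):
        # vCard: FN: line; MECARD: N: field. Take the first name-like field found.
        match = re.search(r"(?:^FN:|\bN:)([^;\r\n]*)", p, re.MULTILINE)
        name = match.group(1).strip() if match else ""
        return {"action": "add_contact", "target": name,
                "warnings": ["adds a contact that can later lend credibility to a spear-phishing call or text"]}
    if scheme == "geo":
        return {"action": "open_location", "target": rest,
                "warnings": ["opens the map app at attacker-chosen coordinates"]}
    if scheme == "bitcoin":
        return {"action": "payment", "target": rest.split("?", 1)[0],
                "warnings": ["pre-fills a payment to an attacker-chosen address: verify before sending"]}
    return {"action": "text", "target": p, "warnings": []}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them from a sticker.
    for sample in ("https://bit.ly/3abc", "WIFI:T:WPA;S:FreeCafe;P:pass123;;", "tel:+15551234567"):
        print(classify_payload(sample, expected_domain="example.com"))
```

The function never opens, dials or joins anything; it only reports what the payload would make the phone do, which is the decision point a user (or a mobile threat defense agent) needs before the action is taken.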
What Companies Can Do
Ideally your company is already using an on-device mobile threat defense (MTD) solution that can protect against phishing attacks, device takeovers, man-in-the-middle exploits and malicious app downloads. Make sure it is deployed on every device that accesses business apps and data, because enterprise security is only as strong as its weakest link.