QR Codes – Consumer Convenience or Fraudulent Contrivance?
During the halftime show of this year’s Super Bowl, a floating QR code took a star turn in a prominently placed advertisement. That ad, which was run by cryptocurrency exchange platform Coinbase, consisted of nothing more than a multi-colored QR code slowly bouncing across the television screen for almost a minute without any other identifying information or attribution. At the ad’s end, Coinbase’s name and a link to its website briefly appeared. Viewers could use their cellphone cameras to see where the QR code led or patiently wait and hope that the ad would explain what was going on.
So many people reportedly followed the link from the QR code that the resulting traffic overwhelmed and crashed the Coinbase website landing page. The convenience of the code clearly worked for ad viewers and Coinbase. But while QR codes may be a welcome convenience, they may also be a tool for committing fraud. It is therefore increasingly important that the public be educated about the risks these codes present.
What is a QR code?
Quick Response codes, or QR codes, were developed in 1994 and have become increasingly prevalent in everyday use, particularly throughout the global pandemic, to access a wide variety of information, such as restaurant menus, or to join Wi-Fi networks or log into programs. A QR code is a type of scannable barcode that can store various types of information, including links to the Internet. That information is encoded in such a way that it cannot be read without a device capable of decoding it, so a person looking at the code cannot tell what it contains. The code can be read using an image processing device like the cameras commonly found in cellphones. If the device is internet-connected, the information scanned from the QR code can direct the user to a specific website destination if the user chooses to “click through” to it.
How Can a QR Code Be Dangerous?
Examples of QR code scams include instances where malicious actors printed and overlaid fake QR codes that then prompted users to “pay” for the use of a bike sharing system; where the actors installed fake QR codes at parking meters; or where they simply replaced the intended link with a bogus login page in order to steal credentials.
The Federal Bureau of Investigation has recently highlighted warnings about these exploits, in which threat actors tamper with QR codes.
QR Code Safe Handling Practices
While the risks discussed above might cause some to think twice the next time they see that black and white QR square, users can follow these best practices to mitigate the risks associated with QR codes:
- Assess the situation: Is this a place you would expect QR codes to be used? Are there alternative methods to access this information? Where possible, it may be safer to use the information you can read in clear text and bypass the QR codes altogether to access the desired site or information.
- Preview before clicking: When scanning QR codes with the built-in camera app, most modern mobile devices provide a preview of the destination link in the QR code. Carefully review this preview to ensure that the link looks genuine and is the one you expected.
- Install security updates: Ensure that recent operating system or security updates have been applied to any device used to access a QR code.
- Only exchange information or money with trusted destinations: Use QR codes to make payments only when you are transacting directly with trusted merchants or service providers and the receiving site has been independently verified by the sender.
- Implement and attend training: Include the dangers posed by QR codes in cybersecurity training.
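The “preview before clicking” check above can also be applied programmatically to a decoded QR payload. The following is an added example, not part of the original post; the function name, finding labels and sample URLs are constructed for illustration, and the expected hostnames are assumed to be known independently of the QR code.

```python
import ipaddress
from urllib.parse import urlsplit


def vet_qr_url(payload, expected_hosts):
    """Return the reasons a decoded QR payload should not be opened as-is.

    expected_hosts: hostnames the reader independently knows belong to the
    merchant or service (an assumption of this example).
    """
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = {h.lower() for h in expected_hosts}

    if parts.scheme != "https":
        findings.append("not-https")
    # Text before '@' is userinfo; the real destination is what follows it.
    if parts.username or parts.password:
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # not an IP address, which is the normal case
    # Punycode labels can render as look-alike characters in a preview.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")

    trusted = any(host == e or host.endswith("." + e) for e in expected)
    if not trusted:
        findings.append("unexpected-host")
        # The genuine name used as a prefix of some other registered domain.
        if any(e in host for e in expected):
            findings.append("expected-name-embedded-in-other-domain")
    return findings


# Constructed sample payloads, as if decoded from a sticker on a parking meter.
SAMPLES = [
    "https://parking.example.gov/pay?zone=12",
    "https://parking.example.gov.pay-meter.example.net/login",
    "https://parking.example.gov@pay-meter.example.net/login",
    "http://203.0.113.10/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", vet_qr_url(url, ["parking.example.gov"]) or "ok")
```

An empty result means only that none of these specific warning signs is present; the destination still has to be one the user expected.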