Risks of Using QR Codes and How To Mitigate Them – Not As Safe as You Think
QR codes have long been present around us, commonly used to store information of various kinds. These codes are a popular means of information storage and exchange, and you can find them almost everywhere. Ever since their advent in the 90s, people and companies have used them to store and distribute information everywhere from restaurants and hospitals to packaging. They are smart, efficient, and easy to use.
Moreover, since they allow a virtual exchange of information, the rise of the coronavirus pandemic has somewhat increased their use. However, within the convenience they offer, the risks and dangers of using QR codes are often overlooked and forgotten.
There are several incidents regarding the exploitation and misuse of QR codes. Various hackers and threat actors have used QR codes as an attack vector, including the American hacker Jester. They converted their Twitter profile into a QR code, coding it to search the scanner’s phone for activity over various extremist platforms. If there was any extremist activity detected on the person’s phone, the code programmatically raised user privilege and stole information from their phone.
The threat actor used a combination of social engineering and QR tech for a malicious purpose. Apart from that, there are several instances where threat actors abuse QR codes in various aspects as an attack vector.
As the use of QR codes surged with the pandemic, threat actors have taken the opportunity to turn this convenient technology to sinister purposes. Research from September 2020 reveals the significant security risks QR codes pose to enterprises and individuals alike. The most common ways threat actors exploit QR codes are:
Embed QR codes with malicious URLs
Replace legitimate QR codes with compromised ones merely by pasting their QR codes on pre-existing ones.
With that, cybercriminals manage to launch various attacks on people. The most common security risks with QR codes are as follows:
Cybercriminals might embed malicious URLs in publicly present QR codes so that anyone who scans them gets infected by malware. At times merely visiting the website might trigger the downloading of malware silently in the background. Apart from that, they might also send phishing emails containing QR codes that again infect the user’s device with malware when scanned.
The malware can then harm users in several different ways. It might open backdoors for more malware infections or silently steal the target’s information and send it to the cybercriminals. At times, these malware infections might even be ransomware attacks that would hold your information hostage for ransom.
Moreover, hackers might also use these malware infections to access the target device’s location, contact list, or data. Spyware or a tracker might monitor the targets’ every move or open their webcams to carry out live feeds unbeknownst to them.
QR codes are also used in phishing attacks, a problem known as QPhishing. A cybercriminal might replace a legitimate QR code with one embedded with a phishing website URL. The phishing website then prompts users to reveal personal information that criminals sell over the dark web. Apart from that, they might also coerce you into paying for materials for their own financial gain.
These phishing websites have slight differences from legitimate websites, which makes them seem authentic to the victim. They are primarily exact replicas of the original with minor differences, such as the “.com” in the domain name can be replaced by something else such as “ai” or “in.”
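As an added example (not part of the original article), the sketch below checks a decoded QR payload against the hosts an organisation actually prints on its codes and flags the lookalike case described above, where only the ending of the domain differs. The trusted hosts and sample payloads are constructed, and treating the final label as the TLD is a simplifying assumption that does not handle multi-label suffixes such as "co.uk".

```python
from urllib.parse import urlsplit

# Assumption: the hosts your organisation really uses on printed QR codes.
TRUSTED_HOSTS = {"example.com", "pay.example.com"}


def _without_last_label(host):
    """Host minus its final label (naive stand-in for 'domain without TLD')."""
    return host.rsplit(".", 1)[0] if "." in host else host


def check_qr_payload(payload, trusted=TRUSTED_HOSTS):
    """Classify a decoded QR payload. Returns (verdict, reason)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ("block", "malformed URL")
    if parts.scheme not in ("http", "https"):
        return ("block", "not a web URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("block", "no host in URL")
    if host in trusted:
        if parts.scheme != "https":
            return ("warn", "trusted host over plain http")
        return ("allow", "exact match on trusted host")
    # Same name, different ending: the ".com" -> "ai" / "in" swap.
    for good in sorted(trusted):
        if _without_last_label(host) == _without_last_label(good):
            return ("block", f"lookalike of {good}: only the final label differs")
    return ("warn", "unknown host, show the full URL before opening")


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would hand them over.
    for sample in ("https://example.com/menu", "https://example.ai/menu",
                   "https://pay.example.in/checkout", "http://example.com/menu",
                   "https://unknown.test/", "hello world"):
        print(sample, "->", check_qr_payload(sample))
```

An exact-match allowlist is what makes the replaced-sticker case visible: any code pasted over a legitimate one decodes to a host that is not on the list.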
Bugs in QR codes
At times the problem may not be a threat actor working to exploit users at all, but a mere bug within a QR code reader application. Hackers might use the bug to exploit cameras or sensors within phones or other devices. Threat actors might also exploit a bug or an issue within the legitimate URLs that the QR code links to.
This incident happened with Heinz back in September 2015 when their QR code directed users towards inappropriate websites. The QR code was a part of their promotion campaign that allowed users to create custom Ketchup bottles labels once they reached the site. However, the QR code directed users to a completely different and inappropriate website.
The issue was that Heinz had not renewed their registration of the domain name. When the domain name became available, a third party started using it.
QR codes have long since been an efficient manner of carrying out transactions and paying bills. Their use has grown exponentially during the covid-19 pandemic to promote “no-contact” communication and information exchange methods. QR codes are present at restaurants and even fuel stations for customers to pay. Within such public places, any threat actor can swap a legitimate QR code with a fake one so that the transactions go into their bank account.
Are QR Code Generators Safe?
QR Code generators are safe if the platform provides the right features and has a good reputation among brands. To choose a safe QR Code generator, look for certain security features and factors.
Here’s what to pay attention to:
A QR Code Generator with a custom domain or URL slug can help customers identify the campaign and refrain from taking action when directed to a website.
Look for generators with an option to log in with SSO. With Single Sign-On, companies can prevent unauthorized logins by granting permissions only to trusted employees.
A QR Code generator with password protection increases security for sensitive information.
Safe QR code generators allow you to set up an age limit for when users scan the custom codes. When they scan it, your site will ask them for their date of birth so that only those over the specified ages can view content on the page.
Cyber security issues are on a constant rise, especially with the spread of coronavirus. Within the world’s haphazard shift towards digitization, many criminals have come up with innovative attack vectors to exploit people and organizations alike. QR code risks and threats are another example of this exploitation. Therefore, amidst all these issues, it is best to try and ensure security and privacy by remaining vigilant.