The use of QR codes has grown exponentially in the last few years. So much so that the software for reading QR codes now comes as a default in the camera settings on most mobile devices. By just taking a photograph of a QR code the camera automatically brings up an option to open a link to access information.
The problem currently is that there is no way to verify if the link will take you to where it says it will, especially as most of the URL’s shown by QR readers display as short links. Humans can’t read the digital signature, and there’s no way to manually identify what information is contained in a QR code or where it’ll lead. For individuals and businesses this poses a security risk.
Consider how many QR codes exist in public places and how broadly they’re used in marketing. From parking garage tickets to restaurant menus, promotions and competitions in-store. Now consider that QR codes can easily be created by anyone with access to a QR creator app. Which means they can also be misused by anyone. It’s really not hard for someone to create and print a QR code to divert users to an alternate URL and place it over a genuine one on a restaurant menu.
What led to the rise in adoption of QR codes
QR codes were created in the mid 1990’s by a subsidiary of Toyota, Denzo Wave. The purpose of the QR code development was to be able to track car parts through manufacturing and assembly. However, the developers created it as an open code with the intention that it could be freely used by as many people as possible. Marketers saw the opportunity in the convenience it offered and soon it became a popular way to distribute coupons and other promotions.
When the pandemic hit and social distancing became a requirement, QR codes were seen as the ideal solution for many different applications. Instead of having to hand over cash or a credit card, a QR code could be scanned for payment. Instead of handing out menu’s, restaurants started offering access to menus through QR codes. In many ways the pandemic was largely responsible for the acceleration of QR code adoption. QR codes were seen as a “safer” no-contact solution. But in making things easier and more convenient for consumers, it’s created a minefield when it comes to security.
How do QR codes create vulnerabilities compared to email?
Over the years people have learnt not to click on just any link that comes through their email account. There are a few basic checks that can be done. These include independently verifying where the email came from. If the person or company is a known entity, as well as checking the destination URL of the link.
The problem with QR codes is that none of this information is available on looking at it. It’s just a pattern of black and white blocks. Even when bringing up the link, this is usually a short link so it’s not even possible to validate the URL. On email there are number of security options available including firewalls, anti-phishing and anti-virus software that can scan incoming emails and issue alerts. But nothing like this exists for QR codes.
Currently there is no software or system capable of scanning and automatically authenticating a QR code in the same way as an anti-virus would do for email. Without technology available to help with security, reducing vulnerabilities is reliant on education.
Best practices to reduce vulnerabilities:
As most QR codes are scanned with a mobile device, and most employees also access company emails and apps from their phones, there needs to be greater awareness of the risks that exist. Criminals are increasingly targeting mobile phones and individual identities in order to gain access to business systems. If an employee inadvertently clicks on a link from a QR code that is from a malicious source, it could set off a chain reaction. With access to the phone, it may also be possible to gain access to all the apps and systems on that phone – including company data.
From a user perspective, the key thing to know is that gaining access through a QR code requires manual input. The camera on a mobile phone may automatically scan a QR code when it sees it, but it still requires the user to manually click on the URL for anything to happen. That is the best opportunity to stop any vulnerability. Dismiss the link and there’s no risk. The QR code can’t automatically run a script or access the device if the link is ignored.
From a business perspective, if you’re using QR codes and want people to click on them you need to find ways to increase transparency and show where the link is sending them. The best way to do this is to avoid the use of short links. Show the actual URL, provide a way to validate that it’s a genuine promotion or link to your website.
QR code takeaway:
QR codes are in such broad circulation already, they’re not going away. But it’s a personal choice whether or not to use them. There’s nothing more personal in terms of technology than a mobile phone. If people want to improve their identity security there has to be a greater awareness of where the risks lie. Protecting devices, personal information and even access into company systems starts with a more discerning approach to QR codes.
Because the technology doesn’t currently exist to validate or authenticate QR codes, we need to learn how to use them in a safe way. We had to learn (often the hard way) not to insert just any memory card into a computer or open emails without scanning and validating them. Similarly, there needs to be a greater awareness to not scan just any QR code that’s presented.
To hear a more detailed discussion of QR codes and the security risks they pose, watch Episode 25 of IT Trendsetters Interview Series.