Cyber Security.
16.12.21
If you are like most people, you scanned a Quick Response (QR) code not long ago. Human beings tend to be curious by nature and often can't resist the temptation to check out what’s on the other side of the black and white grid. And since the pandemic hit in 2020, QR codes have become our daily keys to freedom.
Ten years ago, about 62% of Australians didn’t know what QR codes were or how to use them. In 2021, the term QR Code was searched 60,000 times in Australia, with QR codes being leveraged in almost every industry. The use cases for QR codes are increasing: we can now use them to view menus at a restaurant, buy a take-away coffee, browse a retail store, or see our doctor. Most recently they’ve been instrumental in reducing the spread of COVID-19 by collecting the customer contact details required by State and Territory governments for contact tracing, providing a contactless alternative to pen and paper.
Looking overseas, a September 2020 study by MobileIron found that 86% of respondents scanned a QR code over the previous year. Another survey by Ivanti of 4,157 consumers across China, France, Germany, Japan, the U.K. and the U.S. found that a further 57% of respondents have increased their QR code usage since mid-March 2020.
QR codes have been around since the mid-1990s and are convenient tools to quickly jump to a website, read a PDF, or watch a video. They allow consumers to book events, listen to a podcast, or claim a free product within seconds. They can also add a subscriber's details to your contact list, dial a specific number, or send a text message to a specific recipient. An engineer, Hara Masahiro, first introduced them and realised that QR codes can pack 200 times more information within their configurations than regular barcodes.
Unfortunately, the convenience of using QR codes also carries risks. If you scan a QR code that directs you to a non-government website requesting your name, phone number and email address, for example, you could give away personal contact information to be used for marketing or criminal purposes.
Scanning a QR code takes a matter of seconds. However, most QR code users do not consider, or are simply not aware, that each scan might direct them to a suspicious website or trigger unexpected actions, either on their personal devices or on their company-owned mobiles or tablets.
The truth is that QR codes have become a favourite playground for hackers. They are as easy to crack as they are to create by signing up to a free QR code generator. For example, hackers create adhesive labels with malicious QR codes and paste these over legitimate ones, allowing them to capture payment information from the transaction or even initiate a payment without the user's knowledge or interaction.
But it’s not just about payment information. Malicious QR codes can also trigger malware or phishing attacks. Motivations range from co-opting mobile accounts to compromising corporate apps including all their data. In 2020 alone, hackers running QR code scams collectively stole roughly $18.5 million from unsuspecting victims.
In saying that, using an app developed by a State or Territory government, such as Service NSW, is considered a lower risk.
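As an added illustration (not part of the original article), this is the kind of check a scanner app or mobile security tool could apply to a decoded QR payload before acting on it, covering the website, dial, text-message and contact actions described above. The expected host, the sample payloads and the function names are assumptions made up for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts an organisation expects its own QR codes to use.
EXPECTED_HOSTS = {"checkin.example.gov.au"}

# Non-web payload prefixes and the action a scanner app would take for each.
ACTIONS = {"tel:": "dial a number", "sms:": "send a text message",
           "smsto:": "send a text message", "begin:vcard": "add a contact"}

def url_warnings(url):
    """Return reasons to warn the user before opening a URL from a QR code."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("credentials in URL can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    if host not in EXPECTED_HOSTS:
        warnings.append("host is not on the expected list: " + host)
    return warnings

def triage(payload):
    """Map a decoded QR payload to (action, warnings) without acting on it."""
    text = payload.strip()
    if text.lower().startswith(("http://", "https://")):
        try:
            return "open a website", url_warnings(text)
        except ValueError:
            return "open a website", ["malformed URL"]
    for prefix, action in ACTIONS.items():
        if text.lower().startswith(prefix):
            return action, ["ask the user to confirm: " + action]
    return "show text", []

# Constructed sample payloads, as a QR decoder would hand them to the app.
SAMPLES = ["https://checkin.example.gov.au/venue/123",
           "http://user@203.0.113.7/pay", "SMSTO:+61491570156:JOIN"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage(sample))
```

A sticker pasted over a legitimate code shows up here as a host that is not on the expected list, which is the point at which the app should show the full destination and ask before continuing.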
Here are some general guidelines from a user perspective on what to remember when using QR codes.
The Australian Cyber Security Centre additionally suggests:
Lastly, the best protection is to have security software installed on your mobile device that will help detect and remediate malicious codes and threats.
For enterprises, education is key. All employees should be aware of possible QR code threats and have access to information about how to prevent them. It is also advisable to explain the personal and business implications of not adhering to the company guidelines and regulations. At The Missing Link, we recommend adopting a Zero Trust approach to security, which means restricting devices that can be used to access the organisation’s network and data.
For further information on Zero Trust, listen to our podcast series or contact us.
Author
The Missing Link