How COVID-19 Has Accelerated QR Code Adoption in the UK and EU
It’s no secret that COVID-19 has radically altered daily life in every corner of the globe. Outside of China, the UK and parts of the EU were some of the first places to be hit hard by the virus. While measures such as lockdowns and travel restrictions may continually tighten and relax, it seems that other changes may be here to stay. Those changes include contactless transactions such as mobile payments, online ordering, customer support, and more.
To encourage more companies and customers to switch to contactless transactions, the UK and Europe raised the limits on mobile payments back in March 2020. This enabled users to use WHO-recommended methods like holding a card above a payment terminal or a smartphone app to pay for goods and services. At the same time, the use of QR codes in contactless transactions increased significantly as well.
Why QR codes are making a comeback
Although QR codes have been around since the 1990s, they hadn’t been widely adopted because the infrastructure didn’t exist to support them. Until a few years ago, most smartphones required a separate app to read them, so they didn’t provide a great user experience. Today, nearly all iOS and Android smartphones can natively read QR codes without a third-party app. As a result, more apps are now available to support things like mobile payments and check-ins using QR codes. In the age of COVID-19, this digital infrastructure has rapidly expanded and now more organizations can use QR codes to simplify and accelerate countless transactions — all while helping people maintain a safe distance and avoid spreading contamination across surfaces.
For instance, the NHS recently released a contact-tracing app that uses QR codes to track the spread of COVID-19 and help prevent “super-spreader” outbreaks. The app provides a check-in feature that allows users to scan a QR code that records their visit to a public place such as a restaurant. These check-ins are voluntary, and the app does not share detailed data about the user’s movements with the NHS, which has helped to alleviate some privacy concerns.
Mobile payment companies like PayPal have also expanded the use of QR codes to 28 countries across the world, including the UK and much of Europe. Now users in these countries can make mobile payments using QR codes in any store that accepts PayPal. This enables users to checkout quickly without needing to dig out a credit card and use a touchpad to complete the transaction.
What the research says
In our own research conducted in September 2020, MobileIron found that consumers across the UK and Europe are also relying more on QR codes. About 80% of smartphone users said they have scanned a QR code at least once, with about 40% saying they scanned a code in the past week. As of now, most of those users (just under 45%) have scanned a QR code at a restaurant, bar, or cafe. And, since the new rules regarding contactless payments went into effect in the UK and EU, more than half of all respondents said they expect to use QR codes for payments in the near future.
Now for the downside: The security risks of QR codes
As with most rapidly adopted technologies, there are security concerns about QR codes. Our survey found that about 44% of mobile users in the UK and EU have security concerns about QR codes, but still use them anyway. More than half are worried about the privacy of their personal data, while more than one-third are concerned about accidentally downloading malware. The good news is, more than half of all respondents said they have security software on their devices. The question is, can that security protect against all of the potential threats?
For instance, we know that hackers can find ways to embed malicious software into QR codes they create themselves. Once the user scans the code, it can launch an exploit that can, among other things:
- Automatically add a new contact listing on the user’s phone, which could trigger an exploit.
- Cause the phone to call a number and expose the phone number to a malicious actor.
- Draft an email and populate the recipient and subject lines.
- Make a payment and allow hackers to capture personal financial information.
- Send the user’s geolocation info to an app.
- Cause one of the user’s social media accounts to follow a predefined account and expose personal information.
- Introduce a malicious or compromised network on the device’s preferred network list.
How companies can protect themselves and their users
Of course, end-user education is critical. There are many ways users can tell if a QR code is potentially malicious so they avoid scanning one in the first place. However, companies can’t rely exclusively on mobile users. On-device mobile threat protection, such as MobileIron Threat Defense (MTD), is critical for protecting against phishing and other malicious exploits that can leverage QR codes to bypass typical antivirus software. MTD protects against phishing attacks as well as device, app, and network threats — and it’s always on and continually updated even without network connectivity.
The QR code security story doesn’t end there, though. Our next blog will dive into how some of these exploits work (and have actually succeeded). And more importantly, we’ll explain what you can do about it.
Click here more information on how MobileIron Threat Defense can protect devices from attacks waged at the device, network and application level – including contactless QR code phishing attacks.