QRiosity Gets the Best of Us
In recent weeks, I’ve personally noticed an uptick in the prevalence of QR codes, those little square barcode-y type things that have been around forever, but haven’t really had their moment in the sun. Well, thanks to Covid-19 and a shift to a mostly touchless world, we are rapidly approaching that moment. Suddenly, as we are faced with a world where we want to minimize touching surfaces, QR codes are everywhere!
Last month I took my family on a hike in the California Redwoods (just before the fires devastated Big Basin), and was stunned to find the only way to get a map was to scan a QR code with my phone! Right at the beginning of the trailhead there was a trail marker, with a sign taped onto it asking me to scan for the map (not sketchy at all, right?). Now, as someone who works in cybersecurity, this raised all sorts of red flags for me – I don’t scan random QR codes (especially when they look exceptionally shady), I know better! But, in the end, I didn’t have an alternative to navigating the trails, so I scanned. (Thankfully, I knew my device would be protected with MobileIron Threat Defense on my phone, but that’s another story.)
The point is: I scanned the code. I didn’t have an alternative, so even though I knew it could be bad news, I did it anyway. And I know I am not alone. In this new touchless world that we’re all navigating, where there’s often no realistic alternative, most of us are going to choose to scan away. Whether it’s how we get our menu in a restaurant, pay at a retailer, or check in for our next appointment at the doctor’s office, it’s clear that QR codes are increasingly becoming a part of our reality and something we need to start thinking about, especially with respect to device and data security.
Are People Really Using QR Codes?
Given the increasing prevalence of QR codes, we at MobileIron wanted more data to validate my anecdotal experiences. So we commissioned a study1 to understand consumers’ sentiments surrounding QR codes. The resulting data was interesting, though not really surprising.
Two-thirds (67%) of respondents had scanned a QR code in the past month, and nearly half of them (47%) have noticed an increase in QR codes since the global pandemic began in February 2020. Unsurprisingly, as the prevalence of QR codes increases, so does the percentage of consumers who are scanning them. The problem is that they are doing so without considering the potential consequences.
Digging through the data, another point that jumped out at me (apropos of my own experience) is that more than half (51%) of respondents have concerns about using QR codes, but choose to use them anyway. That was me at the trailhead. I knew that the QR code could take me to a malicious website or download an app, but I chose to scan it anyway. Compound this with the reality that a third (34%) of respondents have no concerns whatsoever about QR codes and you’re looking at a huge number of people that are out there scanning codes. When we look at this in the broader context of what a QR code can do, it’s easy to see why this isn’t just a consumer problem — this is an enterprise issue. Suppose an employee scans a code that takes them to a malicious website that steals their login credentials? A malicious actor has conceivably just gained access to the organizations’ data.
When consumers are out there scanning codes, often on their own unsecured devices, they can unwittingly introduce risk to their organization. Hackers know this and can capitalize on it. While two-thirds (67%) of respondents can spot a sketchy URL to help defend against phishing or malware, 71% of respondents say they can’t distinguish a legitimate QR code from a malicious one. Without any way to hover over the code, or to see a preview before clicking, there is no way for an end user to know what is going to happen before they scan that link.
I’ll be covering the QR code data in a series of blogs that you can find here on our QR code landing page. In my next blog, I’ll dive into more of the unexpected ways that QR codes can be used — and why that increases the risk of scanning them!
Click here more information on how MobileIron Threat Defense can protect devices from attacks waged at the device, network and application level — including contactless QR code phishing attacks.
1 MobileIron surveyed over 2100 consumers in the US and UK between September 1-3, 2020.