What’s the Harm in QR Codes? More Than You Might Think

QR codes seem to have been around forever. The Japanese auto industry first started using them in the ’90s to boost efficiency across the manufacturing process. Since then, companies in every industry have embraced them for marketing campaigns, app authentication, and mobile payments, and they are also used to scan arrivals at international ports of entry. Now, with the skyrocketing demand for contactless transactions, QR codes are more popular than ever, and hackers are getting in on the game.

Today, it’s incredibly easy to access QR codes on a smartphone because nearly all Android and iOS phones can natively read a QR code with a built-in scanner. It’s just tap, point, and scan. But the question is, have mobile users become too trusting of QR codes? How are they being used and how often? And what should enterprise security professionals know about the risks?


How QR codes are changing the mobile threat landscape

To better understand current QR code trends, MobileIron conducted a survey of over 3,800 consumers across the U.S., U.K., Germany, Netherlands and France in September 2020. We learned not only that QR codes are becoming more widely used, but also that there is an alarming lack of security on the mobile devices that access them. This, combined with a general lack of awareness of the potential threats, is definitely cause for concern, especially since so many remote workers are using their personal (and often unsecured) devices to access business apps and data.

Mobile users have adopted the kind of behavior — quick, habitual, and often distracted — that makes a hacker’s job so much easier. In the case of QR codes, consider the context of where they are most often used. Our survey found that in the last six months, mobile users most often scanned a QR code at a restaurant (40%), retailer (32%), or on a consumer product (27%). In other words, they were scanned in the process of doing multiple other tasks, such as sharing a meal or drink with friends, shopping, trying on clothes, etc. This kind of distracted behavior, combined with the fact that nearly three-fourths (64%) of respondents can’t tell the difference between a legitimate and malicious QR code, means they are especially vulnerable to a phishing or other attack launched through a simple scan.


Are QR codes hackable?

Hacking an actual QR code is highly impractical because it would require the hacker to rearrange the pixelated dots in the code’s matrix. However, hackers can embed malicious software into QR codes they generate themselves, which is pretty easy since free QR code generators are widely available on the Internet. This malicious code could send users to a fake website that captures personal data such as login credentials or even tracks their geolocation on their phone. This is why mobile users should only scan codes that come from a trusted sender.

According to our survey, most respondents (61%) are aware that QR codes can open a URL, but they are less aware of other actions that can be initiated by QR codes, such as:

  1. Add a contact listing: Automatically add a new contact listing on the user’s phone, which can be used to launch a spear phishing or other attack.
  2. Initiate a phone call: Trigger the phone to call a scammer’s phone number, which then exposes the phone number to a bad actor.
  3. Text someone: Send a text message to a predetermined and likely malicious recipient.
  4. Write an email: Draft an email and populate the recipient and subject lines. This is especially worrisome if the user’s corporate email is on the device.
  5. Make a payment: Send a payment within seconds. If the QR code is malicious, it could allow hackers to capture personal financial information.
  6. Reveal the user’s location: Send the user’s geolocation info to an app or website.
  7. Follow social media accounts: Cause the user’s social media accounts to follow a malicious account, which can then expose the user’s personal information and contacts.
  8. Add a preferred Wi-Fi network: Introduce a compromised network on the device’s preferred network list and include a credential that enables the device to automatically connect to that network.


Mobile security protects against malicious QR codes

Although these exploits seem quite easy to execute, there are ways to minimize the risks. Of course, educating users is essential, but they can’t be the first or only line of defense. Mobile security is needed to fill the gaps human errors create.

For users

Check first, scan second: Users should always check to make sure a QR code is original and that it hasn’t been pasted over with a different (and potentially malicious) code.

Don’t (always) follow your curiosity: It seems obvious, but if the source of the QR code is unknown, don’t scan! And, as with phishing URLs that come through email, if the web address differs from the company URL, don’t scan the code because it has a good chance of being malicious.

Double check bit.ly links: If a bit.ly link appears after scanning a QR code, check the URL closely. As a free URL shortening service, bit.ly is often used to disguise malicious URLs. However, users can safely preview a bit.ly link by adding a plus symbol ("+") at the end of the URL. This will open a page that displays the link’s information, making it easier to tell if it’s legitimate or not.
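
A scanner app or mobile security tool can apply these checks before the phone acts on a scan. The following is an added example, not code from the original article or from MobileIron: it classifies a decoded QR payload into the action types listed earlier, compares a link's host with the one the user expects, and builds the bit.ly preview link. The payload prefixes are conventions used by common QR generators, and the function names and sample values are hypothetical.

```python
from urllib.parse import urlsplit

# Payload prefix -> action the phone would take (a subset of the article's list).
# Matched case-insensitively; anything unrecognised is reported as plain text.
PREFIX_ACTIONS = {
    "begin:vcard": "add a contact", "mecard:": "add a contact",
    "tel:": "initiate a phone call",
    "sms:": "send a text message", "smsto:": "send a text message",
    "mailto:": "draft an email", "matmsg:": "draft an email",
    "wifi:": "add a Wi-Fi network",
}

def wifi_fields(payload):
    """Parse 'WIFI:T:WPA;S:name;P:secret;;' into a dict (escapes not handled)."""
    fields = {}
    for part in payload[5:].split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields

def describe_scan(payload, expected_host=None):
    """Return (action, warnings) for a decoded QR payload without acting on it."""
    text = payload.strip()
    lowered = text.lower()
    warnings = []
    for prefix, action in PREFIX_ACTIONS.items():
        if lowered.startswith(prefix):
            if prefix == "wifi:":
                net = wifi_fields(text)
                warnings.append("would join network %r" % net.get("S", "?"))
                if "P" in net:
                    warnings.append("code carries a network credential")
            else:
                warnings.append("code does more than open a web page")
            return action, warnings
    if lowered.startswith(("http://", "https://")):
        host = (urlsplit(text).hostname or "").lower()
        if host == "bit.ly":
            # The article's tip: appending "+" shows the link's details first.
            warnings.append("shortened link, preview at " + text.rstrip("/") + "+")
        elif expected_host and host != expected_host.lower():
            warnings.append("host %r is not %r" % (host, expected_host))
        return "open a URL", warnings
    return "show plain text", warnings
```

Showing the returned action and warnings to the user before anything happens turns "check first, scan second" into a prompt the user sees on every scan.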

For companies

Mobile employees often have no idea if their devices are safe against mobile threats. If your company is using an on-device mobile threat defense solution, now is the time to ensure it’s deployed on every device that accesses business apps and data. Also make sure your employees know what kind of threat protection exists on their mobile devices. If you don’t currently deploy any kind of mobile security, it’s time to research which mobile security solutions can protect against phishing attacks and other threats. And one of the best ways to prevent hackers from stealing credentials is to eliminate passwords by moving to passwordless multi-factor authentication for all of your business apps and cloud services.

Becca Chambers

Vice President, Global Corporate Communications

About the author

Becca Chambers is Vice President of Global Corporate Communications for MobileIron, evangelizing our brand and shining a light on the need for better cybersecurity for every organization. Becca is passionate about infosec with a decade of cybersecurity experience at brands like McAfee, Centrify, and Idaptive (acquired by CyberArk). Becca holds a Master of Science degree from the London School of Economics and a Master of Arts degree from the University of Southern California.