Business
QR codes: Best approaches to using the technology safely and securely
Published
4 years agoon
By
GFiuui45fgQR codes have a variety of uses, from storing bank information for payments to ordering at restaurants or joining a WiFi network.
But the easy-to-use codes don’t come without security risks – a concern highlighted by numerous incidents in 2020.
The Daily Swig takes a closer look at the potential security issues surrounding QR codes and the best approaches to using the technology safely.
What are QR codes?
Quick Response (QR) codes are two-dimensional barcodes used to enable users to access data or web-based resources (URLs).
The technology, created in 1994 by Masahiro Hara from the Japanese company Denso Wave, was originally designed to track motor vehicle components through the manufacturing process.
You’ll likely be familiar with their design: a series of black lines and squares on a white background.
Although QR codes were invented almost three decades ago, it’s only in the past five years or so that they have been adopted by the western world at scale.
This is partly due to Apple’s iOS 11 update back in 2017, which started allowing users to quickly and conveniently scan a QR code using the camera app. Soon after, Android followed suit.
QR code adoption around the world
QR codes have enjoyed a huge upsurge in adoption across China, where they are scanned to collect wedding gifts at a gift registry, to identify pets, reply to job adverts, and much more.
The tech is also used to both sign in and post in the WeChat messaging app and Alipay systems, meaning millions of citizens use QR codes every day.
While the technology may have initially been overlooked by the West, QR codes become more widely used in 2020 due to the Covid-19 outbreak.
Businesses, governments, and other organizations turned to the technology as a way of tracking social movements.
Governments in Europe, Asia, and the US also used QR codes as part of their coronavirus track-and-trace systems.
QR code security concerns
A study from September 2020 revealed that almost half of respondents (47%) have noticed an increase in QR codes during their everyday life.
Yet while the technology offers an almost endless number of applications, it is not without its security concerns.
The research from MobileIron states that while the majority of people (67%) know that a QR code opens a URL, 71% could not distinguish between a legitimate and malicious QR code.
“QR codes are often used for phishing attacks,” Nazarii Uniiat, an IT security engineer for Clario, told The Daily Swig.
“How? The simplest algorithm involves a phishing website that looks like the real one with a similar-looking official sign-in form.
“QR codes are images and can’t be hacked. That’s because they’re static. However, they can be easily replaced. Again, in transport [locations] – the official QR codes are printed on branded paper.
“But this won’t stop criminals from gluing the sticker with the fake QR of the same size on top of the official one.”
How are QR codes abused in phishing attacks?
Hank Schless, senior manager of security solutions at cybersecurity firm Lookout, described how he was able to pull off a simple phishing attack by planting a fake QR code at the RSA conference.
“Our method was simple: a fake phishing attack using a QR code at our booth advertising a chance to win an iPhone,” he wrote in a blog post.
“The code actually pointed to a URL that Lookout manually classified as malicious for the purpose of the demo, meaning that it would be immediately blocked if the user had Lookout phishing protection on their mobile device.”
He added: “Luckily for them, our webpage was harmless and had a message educating them about mobile phishing. Had it been a real phishing scam, they could have put themselves and their corporate data at risk.”
How do cybercriminals abuse QR codes in social engineering? attacks?
QR codes facilitate social engineering attacks due to the fact users have to be willing to place a degree of blind faith that they will perform as advertised.
“Perhaps the biggest risk from QR codes is that you don’t know what the code will resolve to until you have scanned it,” Vic Harkness, a security consultant at F-Secure, told The Daily Swig.
“You are implicitly placing some trust in the security of the code when you scan it, that it will not induce your device to take some malicious action.
“QR codes are also often featured in social engineering attacks. QR codes can now be used to pay for a variety of goods and services, where the user simply scans a QR code with their banking app.
“An attacker could create a QR code which would transfer £100 to their account when scanned, and place it over a QR code for a £1 item.
“They could leave this in place and hope that a user didn’t pay attention to the numbers when scanning it.
“Or, they could attempt to persuade a user to scan this code and make the payment in exchange for real-world cash. This type of scam has been seen in the Netherlands, where attackers convinced their victims to assist them in paying for parking tickets.”
Are QR codes a reliable mechanism for contact tracing?
It’s not just financial risks that come into play. As the world adopts the technology to enable coronavirus tracking, false or malicious codes could reduce the effectiveness of contact-tracing mechanisms.
If a person who later tested Covid-positive had checked in using the fake restaurant code, explains Harkness, another person also present at the same time who had checked in using a legitimate code may not be traced.
“There is no 100% effective way to perform contact tracing,” she added.
“A careful balance needs to be struck between user privacy, and the effectiveness of tracking. Whilst the abuse of QR codes has the potential to reduce he effectiveness of contact tracing, their usage in this context does not present a significant security risk.
“In my opinion, the use of QR codes in financial applications is much more worrying.”
What alternatives are there to QR codes?
While QR codes have boomed in popularity, other less well known technologies can provide much the same services – and sometimes more.
Near Field Communication (NFC) tags, for example, arguably have more to offer than QR codes when it comes to the easy transfer of data.
NFC is a radio-frequency technology that allows data to be transferred between an NFC tag and an NFC-enabled device.
The reason why QR codes are more popular is pretty clear, however: QR codes are free to generate via websites or apps, while NFC tags need to contain an encoded chip for them to be read by a device.
However, choosing QR over NFC does come at a security cost. NFC uses encryption as standard, which is particularly helpful when it comes to payment transactions. It also only works at limited range, meaning hackers cannot easily intercept NFC-enabled data transfers.
And while QR codes can be encrypted, there is no way of telling whether one is or not, meaning it’s up to users to assess whether a particular code is likely to be safe.
How do you mitigate the dangers of malicious QR codes?
Protecting against malicious QR codes at all costs is fairly simple – simply don’t scan them. This advice, however, can often be impractical in today’s society.
Instead, users should inspect the QR code for any tampering and, if in doubt, try to verify its legitimacy before scanning.
“If a QR code is obviously a sticker, question its legitimacy; if you are in a restaurant, ask the staff to clarify. If the code is on an advertisement, simply search for the subject online instead,” Harkness advised.
“Ideally, the user should view what the QR code resolves to before it is acted upon. Some phones automatically do this; the default iPhone camera app creates a notification which displays the link text, inviting the user to click on it.
“Although manually inspecting the link can help to detect less sophisticated attacks, it would not be difficult for an attacker to create a correct-looking QR code.
“Generally, good security practice should be followed. Ensure that you install updates to your device as soon as they become available.
“Although this cannot protect you against clickjacking or social engineering scams entirely, it can help to protect your phone from being readily exploited through such attacks.”