The QR (Quick Response) codes have become as commonplace in our lives as Apple Pay, Venmo, PayPal and a host of other applications developed with speed and ease of use for the consumer in mind. The developers who had the best intentions in mind, it must be assumed, never contemplated malicious intent in the use of these tools. If the largest companies in the world are willing to associate their businesses with these, what could be the harm in using them?
The simple fact that the QR code encourages you to use your cell phone's camera to access a website or application to perform a task seamlessly and without verification should be alarming. In recent times, Multifactor Authentication (MFA) has become commonplace to verify you and/or your device are being used in a manner that you control and approve. The QR code in an overwhelming majority of cases bypasses the authentication process. You scan, you are taken to a website, and you perform some action or the action is performed for you, without any verification you approve of or verify who you are in the process.
QR codes are increasingly being used to infiltrate devices to gain access to personal information stored on cell phones, the most common access device for QR codes. QR codes are also the easiest way to manipulate a user into thinking they are going to a “safe place”. Information such as credit card data, usernames, and passwords along with manipulating users to enter login credentials to access accounts is incredibly common. The hackers can safely assume that 90% of the world use the same credentials across multiple accounts. Once they have access to the device, they can easily see the applications installed and have a greater chance of successfully disrupting your life.
Beyond personal accounts, hackers are now using more sophisticated methods to obtain work account information, as most of the world use their “personal” devices to access work email and applications. As mentioned earlier, the lack of MFA to access all corporate applications and email is the gating opportunity for hackers.
Additionally, as you scan a QR code, you are presented an abbreviated URL. We assume it is a safe place to visit. However, a new trend for bad actors is to print a QR code onto a sticker that is placed over the original, safe QR code. When you scan what appears to be ‘More Information’ on that rented scooter, it takes you to a blank page, but also drops a payload on your device.
What we know and have to accept is that QR codes, and other means of easier access and simplifying transactions, is here to stay. What is critical is awareness and diligence, establishing protective policy, enforcing adherence to policy, and implementing technologies to proactively monitor and manage any device that is connected to your information system and sources.
5Q can provide policy guidance and proactive solutions to combat the changing and increasingly complicated Cyber Security landscape. To learn more, visit 5qcyber.com or reach out to us directly at firstname.lastname@example.org.