It seems like QR codes are everywhere now. Thanks to the COVID pandemic, QR codes catapulted from a semi-niche concept to a virtual requirement. Restaurants and bars adopted QR codes to provide menus without passing germs, and businesses of all types embraced QR codes as a method for paying for goods and services. Unfortunately, any technology that makes life easier or more convenient also makes things easier for cybercriminals and exposes you to increased risk.
When used as intended, the QR code is pretty cool. Just point the camera of your smartphone at a QR code and it will magically pop up a link you can tap to visit the designated website. The problem, however, is that you don’t actually know what the designated website is. You have no idea where the QR code will take you, and no way to know if it is a legitimate website or a malicious destination.
I feel like everyone knows what a QR code is at this point, but just in case let’s start with a brief explanation. A QR code is a square symbol with a unique pattern—a sort of fancier barcode.
“Short for quick response codes, QR codes are a type of two-dimensional barcode that contain data, often for a locator, identifier or tracker,” explains Len Noe, Technical Evangelist with CyberArk, in a recent blog post. “They can be easily read by a smartphone or other camera-equipped device and converted into useful information for the end-user, such as a URL for a website or an application. QR codes were first invented in 1994 by an automotive company to track car components, but their ease of use and greater storage capacity — up to 2,500 characters compared to a barcode’s 43 — soon made them popular in other industries.”
Do You Know Where that QR Code Goes?
I had an opportunity to chat with Noe about QR codes and some of the research behind his blog post. We started off talking about the Coinbase Super Bowl ad. It was literally just a QR code that bounced aimlessly around the screen for one minute. There was no text. There was no dialogue. Just some sort of electronic music playing while the QR code bounced about and changed colors. Noe said that QR code received 20 million hits in that first minute even though nobody had any idea where it would take them.
Fundamentally, that is the problem. You scan the QR code and there is some inherent trust that it points to where you think it should point, or at least that it is not malicious. But Noe’s research illustrates just how easy it is to exploit that trust.
Noe walks through a few scenarios in his blog post. The one that I think is relevant to most people and really demonstrates the problem revolves around QR codes in a restaurant or bar situation. As noted above, most restaurants and bars have implemented a QR code system for sharing their menus—and those QR codes are generally just a sticker the establishment stuck on tables and bar counters. The question you should ask yourself is, “What’s stopping a threat actor from just putting a malicious QR code sticker on top of this one?”
In his blog post, Noe asks, “When you sit down at a restaurant and see a QR code on the table, chances are you’ll scan it without a second thought, expecting it to take you to the menu. But what if that same QR code was embedded in an email coming from someone you don’t know? Would you be as quick to scan it — or would it give you pause?”
Think Twice Before You Scan
Noe and I agreed that QR codes aren’t going anywhere anytime soon. They do offer a simple and convenient way to share or collect information.
It’s not that businesses or consumers should completely shun QR codes, per se. But they need to stop inherently trusting QR codes. People should be cautious and have the same level of skepticism and vigilance that they would with an unknown link or file attachment in an email.
Noe offers 7 tips to protect yourself when it comes to QR codes:
1. Don’t scan it
2. Slow down
3. Inspect QR code URLs closely
4. Look for signs of physical tampering
5. Never download apps from QR codes
6. Don’t make electronic payments via QR codes
7. Turn on multi-factor authentication (MFA)
You can get more details on each of the 7 steps and learn more about the other scenarios Noe investigated by checking out his blog post. You should avoid scanning QR codes if you can, but if you have to scan, at least keep these 7 tips in mind and think twice before you scan that QR code.
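As an added illustration of tips 3 and 5 (example code written for this article, not from Noe's post or CyberArk), here is a small Python checker that applies, to the text a phone decodes from a QR code, the same checks a careful person should make by eye before tapping: web scheme, real hostname, credentials hidden before an "@", raw IP, look-alike (punycode) host, link shortener, a host that is not the one you expected, and installer downloads. The shortener list and the sample payloads are constructed for the example.

```python
from typing import List, Optional
from urllib.parse import urlsplit
import ipaddress

# Constructed sample list: a shortener hides the real destination until you visit it.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def inspect_qr_payload(payload: str, expected_host: Optional[str] = None) -> List[str]:
    """Return the warnings a reader should notice in a decoded QR payload.

    expected_host is the domain you believe the code should lead to, e.g. the
    restaurant's own site; an empty list means nothing looked off.
    """
    warnings: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme  # urlsplit already lower-cases the scheme
    if scheme not in ("http", "https"):
        # Wi-Fi, payment, app-store or other non-web payloads act without a browser.
        warnings.append(f"non-web scheme '{scheme or 'none'}'")
        return warnings
    if scheme == "http":
        warnings.append("unencrypted http link")
    host = parts.hostname or ""
    if not host:
        warnings.append("no hostname")
        return warnings
    if parts.username or parts.password:
        # "https://trusted.example@evil.example/" really goes to evil.example.
        warnings.append("text before '@' is not the host; the real host follows it")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalized/punycode host (possible look-alike characters)")
    if host in SHORTENERS:
        warnings.append("link shortener hides the real destination")
    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host '{host}' is not '{exp}'")
    if parts.path.lower().endswith((".apk", ".ipa", ".exe")):
        warnings.append("link points at an app or installer download")
    return warnings
```

Running it on a menu link that genuinely sits under the restaurant's domain returns an empty list, while a shortened http link or a URL with a fake domain before an "@" returns the reasons to stop.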