EXECUTIVE SUMMARY:
Quick-response (QR) codes have been around since the mid-1990’s. Developed by Hara Masahiro, an Engineer with Denso Wave, QR codes pack 200 times more information within their configurations than regular barcodes.
Hara says that the inspiration for the technology emerged from his interest in games of strategy. “I used to play Go on my lunch break. One day, while arranging the black and white pieces on the grid, it hit me that it represented a straightforward way of conveying information. It was a eureka moment.”
In the wake of the coronavirus pandemic, quick-response codes have taught a wide group of people that touchless-payments are possible and perhaps even preferable. Paypal and other merchants have reconfigured their services to make QR code payment easier than ever.
QR codes and coronavirus
An international consumer survey found that the pandemic has led to a 57% increase in the usage of QR codes. Of the respondents, 77% stated that they had used QR codes prior to the pandemic, if less frequently than at present. Forty-three percent of respondents opted to use QR codes during at least one commercial interaction within the past seven days.
As the pandemic progressed, restaurants began to implement QR codes as menu or payment options. Doctors’ offices and prescription pickup locations have also tested out code-based check-in and information acquisition methodologies. Within the past three months, over 50% of consumers reported use of QR codes for financial purposes.
Cyber criminals, QR codes
QR codes have represented an attractive cyber criminal target for quite some time. In 2020, hackers running QR code scams collectively stole roughly 90 million Yuan ($18.5 million) from unsuspecting persons.
Hackers commonly create visual clones of authentic QR codes, and use adhesive labels to paste them over legitimate codes. As a result, the hackers can intercept payment information. From parking garages to outdoor dining locations, non-credible codes are cropping up across cities and suburbs.
It’s not just payment information. Hackers who use QR codes may leverage them for phishing purposes and for malware attacks. Motivations range from coopting mobile accounts to compromising corporate apps and associated data.
“QR codes are not inherently secure or trustworthy, and hackers know that a majority of people have little or no security on their phones at all, so we strongly advise everyone to use a mobile security solution to protect their devices and data against phishing, malicious apps and malware,” said a cyber security spokesperson for Check Point Software.
The army’s announcement
The US Army Criminal Investigation Command’s Major Cybercrime Unit recently released an alert informing the public about the prevalence of QR code scams. The alert emphasized that malicious QR codes can:
- Add malicious contacts to contact lists
- Connect mobile devices to malicious networks
- Exploit permissions to send text messages to one or all contacts
- Send payments to destinations from which they “cannot be recovered”
And more.
Codes and security
In the aforementioned survey, 49% of respondents stated that their phones do not contain any form of mobile security software. Seventy-three percent of participants were unaware that QR codes could present security problems at all. Less than half of participants were able to identify a malicious QR code.
“As a result of the pandemic, employees are using their mobile devices more than ever before to access corporate data and services from any location,” says expert Chris Goettl. As QR codes continue to increase in popularity and use, they will undoubtedly be leveraged more and more by cyber attackers to infiltrate devices and steal corporate data.”
Preventing QR code attacks
Increased awareness regarding the prevalence of QR code attacks is key. For example, people should know that hackers commonly tamper with QR codes posted in public locations. Any QR code that appears as though it were hastily pasted or taped onto a surface should be carefully inspected. The Army recommends that individuals:
- Avoid scanning randomly discovered QR codes
- Use caution if a QR code scan asks for login credentials
- Ignore unsolicited email-based QR codes
- Verify the legitimacy of any QR code pasted on top of a previous QR code.
“Awareness on this issue is low,” says Goettl. “QR codes have become so commonplace that people have become very relaxed to scanning them. The greater reliance on QR codes there is, the greater the likelihood that malicious QR codes will succeed as the avenue for installing malicious code, ransomware, or releasing contact or payment information from the mobile device.”
For more on QR code scams, visit ThreatPost.