QR Codes – Is the Convenience of Using Them Worth the Risk?

We’ve all seen QR codes – those two-dimensional barcodes that are readable by a smartphone with a camera, or other mobile device with visual scanning technology.  They allow the user to access special coupons, visit company websites, receive special offers or learn more about goods and services.  QR codes are not going away.  The quest for convenience makes their use attractive, and it can save consumers the trouble of writing down a web address or other information.  Unfortunately, while QR codes are still very popular, their abuse is a growing cyber threat. 

The cybersecurity risk is not in the QR Code itself, but in the content that is generated and displayed. 

A QR code can contain several risks, such as the following examples: 

  • Contact Details: A QR code can act as a virtual business card that includes contact details such as a phone number, email address and mailing address. This information is automatically stored in the device’s contact list. If that data is malicious, it could place a rogue entry in your phone posing as your favorite airline or credit card company.
  • Phone: Scanning a QR code can start a phone call to a predefined number. This provides another method for a threat actor to reach your phone and your identity: essentially you are calling someone you do not know and handing over your caller ID information. Your phone can also be infected with malware; it only takes an unsuspecting consumer scanning a QR code that leads to an infected website.
  • SMS: Scanning a QR code can initiate a text message to a predetermined contact. The only thing you need to do is hit send, and you could reveal your number to a threat actor for spam attacks or a possible SIM-jacking attack.
  • Email: Scanning a QR code containing a complete email message, including the subject line and the recipient, could be the beginning of a phishing attack. The threat actor knows your email address because you validated it by hitting send to an unknown destination. Phishing sites like these can be very hard to detect, but visiting the wrong site can lead to the theft of your credentials and allow a threat actor to gain access to the private information on your mobile device.
  • Location coordinates: Scanning a QR code can automatically send your location coordinates to a threat actor.  Location privacy is key to your safety and should be everyone’s concern.
  • App Store: Scanning links to an app store can make the application simple to download.  The listing could be malicious, especially on Android devices.  An unsuspecting user could be tricked into loading a malicious application through the threat actor’s use of an embedded URL.  The better practice is to navigate to the application yourself and not rely on a hotlink.
  • Public QR Codes: We’ve all seen those signs in public places that suggest you scan the code for further information.  However, a malicious QR code can easily be pasted over a real one, and the user has no way to know if they are being directed to safe or malicious content. 

So how can we protect ourselves from these hazards, if we find the need to scan a QR code?

  • Never scan a code from an untrusted or unknown source.
  • If you’re looking at a publicly posted code, feel the QR code to see if a sticker has been applied over the legitimate code.
  • Only use a QR reader application with built-in security features. Some QR readers are more secure than others.  Look for one that has a feature to show the content of the link before it is visited and check the link against a database of known malicious links.
  • If you do find a malicious QR code, report it to the owner of the business where you discovered it.
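The "show the content before it is visited" behaviour described above, as an added example that is not part of the original article: a small inspector that takes the decoded QR payload, classifies which of the actions listed earlier it would trigger (call, SMS, email, location, contact, app install or URL) and checks the host against a blocklist before the phone acts. The blocklist, sample payloads and the `inspect_qr_payload` function name are all assumptions constructed for this example.

```python
# Added example (not the article's code): inspect a decoded QR payload before
# the phone acts on it. Each branch maps to one payload type the article lists.
from urllib.parse import urlsplit, parse_qs

# Constructed blocklist; a real reader would query a live reputation database.
MALICIOUS_HOSTS = {"airline-rewards-login.example", "free-coupon.example"}
APP_STORE_HOSTS = {"play.google.com", "apps.apple.com"}


def inspect_qr_payload(payload, blocklist=MALICIOUS_HOSTS):
    """Return {'action', 'details', 'risk'} so the reader can show the content
    and ask for confirmation instead of acting silently."""
    text = payload.strip()
    lower = text.lower()
    if lower.startswith("tel:"):
        return {"action": "call", "details": {"number": text[4:]}, "risk": "high"}
    if lower.startswith(("sms:", "smsto:")):
        number, _, body = text.split(":", 1)[1].partition(":")
        return {"action": "sms", "details": {"to": number, "body": body}, "risk": "high"}
    if lower.startswith("mailto:"):
        parts = urlsplit(text)
        subject = parse_qs(parts.query).get("subject", [""])[0]
        return {"action": "email", "details": {"to": parts.path, "subject": subject}, "risk": "high"}
    if lower.startswith("geo:"):
        return {"action": "share_location", "details": {"coords": text[4:]}, "risk": "high"}
    if lower.startswith(("mecard:", "begin:vcard")):
        return {"action": "add_contact", "details": {"card": text}, "risk": "medium"}
    if lower.startswith(("market://", "http://", "https://")):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        if host in blocklist:  # known-malicious destination: never open it
            return {"action": "open_url", "details": {"host": host}, "risk": "blocked"}
        if host in APP_STORE_HOSTS or lower.startswith("market://"):
            return {"action": "install_app", "details": {"url": text}, "risk": "medium"}
        # Plain HTTP and userinfo tricks (user@host) deserve an explicit warning.
        suspicious = lower.startswith("http://") or "@" in parts.netloc
        return {"action": "open_url", "details": {"host": host, "url": text},
                "risk": "medium" if suspicious else "low"}
    return {"action": "text", "details": {"value": text}, "risk": "low"}


if __name__ == "__main__":
    # Constructed sample payloads covering the article's categories.
    for sample in ["tel:+15555550100", "SMSTO:+15555550199:WIN",
                   "mailto:me@example.com?subject=Confirm", "geo:37.7749,-122.4194",
                   "https://airline-rewards-login.example/verify",
                   "https://apps.apple.com/app/id000", "https://example.com/menu"]:
        print(inspect_qr_payload(sample))
```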
