QR Codes are a Security Blindspot

By Mary Blackowiak

By Mary Blackowiak, Director of Product Management and Development, AT&T Business

Whether at the grocery store, eating dinner at a restaurant, locating a gate at the airport, gaining entry to an event, or even watching TV—QR codes are popping up everywhere. They have established themselves as a quick and practical substitute for paper, allowing people to conveniently access information via smartphones.

During the COVID-19 pandemic, the use of QR codes accelerated as organizations sought to create contactless methods of doing business, and they don’t appear to be going away anytime soon. This is why it’s important to be aware that while these black-and-white checkerboards may seem harmless, and most often are, it is possible that they can be used for more sinister purposes.

A quick look at the QR code’s history

QR stands for “quick response” and is a complex sort of bar code that uses a square pattern containing numbers, letters, or even non-Latin scripts to be scanned into a computer system.

While it may appear that we have only recently begun to interact with QR codes, they were invented in Japan in 1994, almost 30 years ago, by Denso Wave, a Toyota Motor Corporation subsidiary. They developed the technology to track automotive parts during the assembly process.

QR codes today

Since 1994, the use of QR codes has evolved significantly to serve various industries. However, the attack surface has also grown. The healthcare industry, for instance, has been using QR codes to deliver personalized, relevant, and more immediate healthcare. Patients may be asked to provide personal information after scanning a code to check in for appointments, obtain information about a diagnosis, or gain access to educational material.

In manufacturing, QR codes are frequently used for inventory management, asset tracking, and equipment maintenance. They can also be used on package materials to refer customers to web-hosted user manuals rather than printed ones.

The dangers that lurk

Over the past few years, the public has grown quite accustomed to pulling out their phones to scan QR codes to perform any number of functions, often doing so without a second thought. Malicious actors tend to adapt to trends and are therefore taking advantage of the wide use and seemingly blind acceptance of QR codes to steal money, identity, or other data through various means. Attacks leveraging QR codes are known as “quishing,” and are a type of social engineering attack.

One of the most common quishing attacks takes shape by navigating you to a spoofed website that may look legitimate, such as a bank or e-commerce site, where you are requested to login for additional information, but this is far from the only way that QR codes may be exploited. So, before you get out your phone and activate your camera, keep in mind that QR codes might also be utilized to do the following:

  • Automatically download content onto your devices – including photos, documents, or even malware, ransomware, and spyware.
  • Connect to a rogue wireless network – QR codes may contain a Wi-Fi network name (SSID), encryption (or none), and password. Once scanned, hackers can intercept data.
  • Make a phone call – claiming to be a legitimate business, cybercriminals may ask for personal or financial information and/or add you to a list to be spammed later.
  • Compose an email or text message – your email address or phone number may be added to a spam list or targeted for phishing attacks.
  • Trigger a digital payment – QR codes may be used to process payments through PayPal, Venmo, or other means.

Minimizing the QR code security blindspot

As QR codes continue to be an integral part of our digital landscape, awareness, and proactive cybersecurity measures remain essential to ensuring their convenience doesn’t compromise safety. So, what steps can be taken to lower your vulnerability to falling prey to a quishing attack?

  • Consider the QR code’s source credibility – Codes on food packaging or official signs are likely safer than those from unknown sources. Verify legitimacy when receiving QR codes via email or text.
  • Determine if there is an alternate way of obtaining the information you seek, such as navigating to the business’ public website or requesting a paper menu.
  • Never enter login credentials or any sensitive personal or financial information, such as credit card numbers or social security numbers, on a webpage obtained by scanning a QR code.
  • Don’t jailbreak your device – this removes manufacturer safeguards
  • Ensure you have a mobile threat defense solution installed on your tablets and smartphones to block phishing attempts, malicious websites, and risky network connections.

QR codes have become a permanent fixture in everyday life. The convenience and simplicity of QR codes have made them more accessible to businesses and consumers. Ultimately, safe usage comes down to good cybersecurity hygiene.

About the author: Mary Blackowiak is the Director of Product Management and Development for the endpoint and mobile security portfolio with AT&T Cybersecurity. She has more than fifteen years of B2B marketing and product management experience in the high-tech space, including positions with Forcepoint, NSS Labs, and Best Buy for Business.


No posts to display