QR Security - Are You Ready?

Contact-free and convenient, quick response (QR) codes came into their own as the pandemic progressed – for everything from marketing to checking into locations and even submitting COVID-19 test results.

Unfortunately, few consumers realize that cyber-attackers can use this technology to distribute malware. A poll by MobileIron in 2020 reveals that only 61% of respondents know that QR codes can open a URL and 49% that a QR code – essentially being a hidden link into which malware can be easily embedded – can download an application.

Poor Public Awareness

Only a few respondents indicate they understand that QR codes can make payments, phone calls or add a ‘follow’ to social. In addition, 71% can’t tell the difference between a legitimate and a dangerous QR code that could be used for ‘Qshing‘ – whether malware injection or authentication abuses.

A quarter of respondents confirm that a QR code they scanned has taken them to a dubious-looking website or something else unexpected. Malicious QR codes can add a compromised network to a device’s preferred list, including a credential that enables automatic connection for a ‘man in the middle’ attack.

Criminals can easily create and customize their own QR codes using freeware; fake Bitcoin QR generators have already relieved hopeful crypto investors of vast sums.

Yet, just how many commercials or op-eds have you seen that alert or attempt to educate consumers – or businesses, for that matter – on the need for vigilance and threat protection when using these codes?

The upshot of this is that it has now become critical for organizations to develop and apply stringent security strategies across all mobile media use, including marketing campaigns.

Include QR in Education

I have not yet seen educational practices adopted for QR codes, which need to change in the current climate. For example, while red teaming and phishing training concerning emails and text messages are often standard practice in the workplace, I have not yet seen such practices adopted for QR codes. This is something that needs to change in the current climate and become embedded into overall security hygiene methods.

This should include education on using web filters and not trusting emails from unknown senders – to treat QR codes the same as a hyperlink in an email, and – in the ‘real world’ – to check for and remove any different codes that have been pasted on top before scanning. Before scanning any QR code, users should always first ask whether there is any way to verify its legitimacy.

The next key pillar of effective response to QR threat involves the choices around cybersecurity technology.

Traditional endpoint protection solutions can struggle to identify the latest malware injection vectors. QR scanning, of course, is not a new technology – it was invented in 1994 – but its increased popularity means it has now entered the awareness of more criminals working on ways to hijack legitimate online resources for their own nefarious ends.

Multilayering and Management

Investing in effective endpoint protection that can detect and isolate these malware processes will reduce risk and enable the organization to avoid adding so-called technical debt – avoiding the cost of playing catch-up down the track.

Failure to address the risks and concerns around QR, as part of an agile, multilayered security approach, could limit the potential for these easy-to-use, convenient codes to become widely adopted across all walks of life.

As ubiquitous parts of our daily life deployed alongside best-practice security, QR codes could become a true go-to tool for safely sharing, checking and gathering information, facilitating easy interactivity and the engagement that spurs badly-needed growth in multiple markets.

What’s Hot on Infosecurity Magazine?