It seemed like such a good idea at the time, but Masahiro Hara has regrets. He’s the engineer responsible for the quick response (QR) code – that square block of pixels that now adorns everything from restaurant tables to subway posters. The problem? They’re just not secure enough.
“Now that it’s used for payments, I feel a sense of responsibility to make it more secure,” said Hara last year.
Like many technologies, the QR code expanded beyond its original scope. Hara invented it in 1994 as a tool to identify parts in automobile manufacturing, not as a consumer craze. Nearly 15 years later, Apple changed everything by launching the iPhone and ushering in a new era of mobile computing. Now, in the age of COVID-19, QR codes are rising in popularity and use because they make life easier in a touchless world. They are also critical in helping to ensure everyone’s health and safety during the pandemic.
Merchants have embraced QR codes as a simple, low-cost alternative to traditional contact-based payments with customers. Consumers scan them out of necessity, using them to access menus, take advantage of promotions, authenticate for online services, and even to pay restaurant bills. And with the NHS Track and Trace application making it a requirement for people in the UK to sign into venues this way, it’s vital we know more about the risks they pose.
Unintended consequences
This tiny code’s evolution into a consumer tool has created real security problems. When you scan one to open a website, how do you know that it’s taking you to the legitimate one?
If this question perplexes you, you’re not alone. A recent MobileIron survey of 2,100 consumers across the US and the UK revealed that while almost seven in ten (67%) people feel comfortable identifying a malicious URL, a similar portion (71%) of consumers do not know how to spot a malicious QR code.
They aren’t at fault. QR codes don’t tell you what they carry in advance. When you scan one, you can’t tell what you’re getting. That’s fine if you’re a robot in a Japanese auto factory where you can trust everything on the conveyor belt, but it’s potentially disastrous for consumers.
The QR code that you scanned to easily access your account could be a fake, taking you to a phishing site that dupes you into entering sensitive personal information. It could download an infected file or send you to a website that infects your mobile device.
Many of these devices are unprotected. MobileIron’s study found that more than half (51%) of respondents had either no security software on their mobile devices or were unsure if it had been installed.
Malicious websites are just the tip of the iceberg. QR codes can do far more than simply direct your mobile browser somewhere online. A single QR code scan can spark a range of activities on your mobile device. These include:
- Revealing your location to an application, potentially putting you at physical risk
- Adding a preferred Wi-Fi network, logging you onto a malicious hotspot that could intercept your communications, snoop your account access details, and inject malicious code into your browsing sessions
- Sending payment or account information to an attacker
- Adding an event to your calendar, which could either trigger a vulnerability in the application or embed a malicious URL
- Adding a new contact, which could exploit vulnerabilities in your address book software
Most people aren’t aware of these things. Only one person in four (24%) realizes that scanning a QR code could cause your phone to draft a text message with any content the attacker chooses. Just one in five (19%) knows that scanning a QR code can cause your phone to draft an email or even make a call.
Evaluating the business risk
This should alarm businesses for a couple of reasons. First, it puts their customers at risk. QR codes are ridiculously easy to spoof.
For years, gas stations and banks have battled fraudsters who manufacture special hardware that fits over a credit card slot and steals credit card details. Now that people are making payments by scanning QR codes, criminals can simply paste a sticker with a malicious code anywhere that a QR code takes a payment, endangering the customer and defrauding the business.
Second, malicious QR codes put your employees and therefore your own infrastructure in danger. Imagine this: an employee scans a QR code to pay at a restaurant, but the code is malicious – a cybercriminal could have pasted it over the real one just a few minutes before. The code appears to take the payment, but also infects the employee’s phone with a virus that siphons off valuable work information from the phone.
The pandemic has ushered a new era of working; the ‘Everywhere Enterprise’, where employees work from wherever they feel most productive and comfortable, and businesses are left with the responsibility of securing their new dispersed workforce.
Research has shown that this model is here to stay. In a recent MobileIron survey, we found that more than eighty percent (82%) of employees never want to return to the office full time, and many will use their own devices to facilitate new flexible working arrangements. If employees are using the same devices that they work from to scan QR codes, they are putting corporate data at risk, as well as their personal security.
This problem will get worse because QR codes are about to get a whole lot more popular thanks to the pandemic. Almost two thirds (64%) of respondents to the MobileIron survey stated that QR codes make their lives easier in a socially distanced society. Scanning a code to pay is a lot safer than using cash or handling a terminal.
Show some ‘QRiosity’
What can you do to protect yourself? As a business, display QR codes in places that are easy to scan at a distance but difficult to physically alter, such as behind the plexiglass at the counter. Protect the work environment on your employees’ phones using unified endpoint management (UEM) coupled with mobile threat defense (MTD) to detect and remediate threats. UEM keeps business applications and data separate from the personal and certifies that communications between the app to the analysis network are encrypted and authorized.
Like any enabling technology, QR codes are mostly used for good. We should embrace them. But we should also be cautious and protect ourselves by showing some ‘QRiosity’ about what we’re scanning. When handling these small images, be sure you see the bigger picture.
Contributed by Alex Mosher, global VP of solutions, MobileIron