Super Bowl’s Coinbase Commercial Glosses Over Risks of QR Codes
Ignorance is bliss. When it comes to technology, other than emails, people aren’t necessarily trained to question the nature, intent or possible danger of various website links that our friends send us or even QR codes out in the world that we feel compelled to scan.
This was demonstrated recently by the cryptocurrency app Coinbase, which organized a creative yet simple advertisement that involved a floating QR code. Millions of individuals scanned the code and were able to download the crypto application—so many, in fact, that volume temporarily crashed the app.
But what if the scenario wasn’t you at home watching the Super Bowl? What if you wanted to scan a QR code to get the menu at a new restaurant or needed to schedule an appointment at the pharmacy for vaccinations? As the world evolves into a post-pandemic experience, many organizations have transitioned into a hands-free business style, using QR codes to transmit information to your phone instead of handing out a physical copy.
However, it’s still important to practice good cybersecurity habits when encountering QR codes out in the world; let’s dig into their risks and best practices.
What Are QR Codes?
Invented in 1994, QR codes—short for quick response codes—are a type of matrix barcode that can be scanned by mobile devices or other machines to transmit information, direct users to a site, download coupons, and more. With the ubiquity of mobile devices to interpret them, QR codes have cropped up just about everywhere due to their contactless nature and the user’s ability to engage with its information in a dynamic manner.
While the majority of QR codes you’ll interact with at restaurants, medical facilities, etc. can be trusted, it’s still important to use your best judgment and a dash of caution before directly engaging with them since they can be vessels for cyber attacks.
Risks of QR Codes
A recent survey reveals that 59% of individuals believe that QR codes will be a permanent addition, which means they aren’t going anywhere anytime soon. But should we always trust these codes at face value and believe that the end website is indeed safe? What dangers does this reemerging technology pose for the end-user? Several, in fact!
Where there is technology, there are bound to be cybersecurity risks, such as phishing. Phishing is a type of social engineering in which an attacker sends a fraudulent email, directs users to a malicious website, or runs some other kind of scam that relies on the victim’s own actions, such as entering sensitive information or unknowingly downloading malware.
That’s why it’s important to note that while QR codes can’t be physically hacked because each one is unique, all that a physical hacker would have to do is simply go to a restaurant and place their own QR code onto the dining table. In this scenario, you’d sit down and scan for the “menu,” yet you’d get directed to a malicious website that could cause harm to your assets, identity, phone, and more.
At this suspicious site, a multitude of malicious acts may occur, such as:
- Your device may be pulled into a chain of bots, creating a botnet that may be responsible for the next major DDoS attack
- Exploits on the website might enable access to your phone’s camera and/or microphone
- The information you enter on a website such as usernames and passwords can be captured
- And more!
The difficulty with combating this “emerging” type of attack is that we generally only scan QR codes on our phones, and the configuration or layout of a website on a phone can make checking its URL difficult—plus, it’s simply not something we frequently do. There may be popups and URL redirections which, to us end-users, all seem normal and expected but which might be a threat to security.
Best Practices for QR Codes
Since QR codes are inevitable, it’s good to know that there are ways to stay safe against these types of potential attacks lurking in QR codes.
The best protection against QR code attacks is the usual motto: think before you act. Generally, QR codes are safe within banks, where areas are monitored, and in pharmacies or even restaurants, where there are supposed to be QR codes. In these cases, it is wise to compare a few at the same location to see if there are any noticeable differences.
But what about street advertisements on the wall or on a possibly malicious website? As a best practice, try to use a QR code scanner that gives you the ability to view the actual URL before proceeding. This is the equivalent of hovering over a link on your computer before clicking.
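The two habits above, comparing several codes at one location and previewing the URL before opening it, can be sketched in code. This is an added example, not part of the original article; the function names, warning texts, and sample payloads are constructed for illustration, and it assumes the QR codes have already been decoded to text.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

def preview(payload):
    """Return (host, warnings) for a decoded QR payload without opening it."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme not in ("http", "https"):
        warnings.append("not a web link")
    elif parts.scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # host is a name (or empty), not an IP literal
    return host, warnings

def odd_ones_out(payloads):
    """Compare codes from one location; return those whose host differs
    from the host most of them share."""
    if not payloads:
        return []
    hosts = [preview(p)[0] for p in payloads]
    common, count = Counter(hosts).most_common(1)[0]
    if count <= len(hosts) / 2:
        return list(payloads)  # no clear majority, so treat all as unverified
    return [p for p, h in zip(payloads, hosts) if h != common]

# Constructed sample: payloads decoded from four table codes at one restaurant.
TABLE_CODES = [
    "https://menu.restaurant.example/table/1",
    "https://menu.restaurant.example/table/2",
    "http://menu.restaurant.example@203.0.113.7/menu",
    "https://menu.restaurant.example/table/4",
]

if __name__ == "__main__":
    for code in odd_ones_out(TABLE_CODES):
        host, warnings = preview(code)
        print(f"differs from the others: {code}\n  real host: {host}\n  {warnings}")
```

The third sample looks like the restaurant's address at a glance, but the host the phone would actually contact is the part after the `@`.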
Next, remember to always be suspicious whenever any kind of application asks you to input any personal information or any kind of usernames or passwords. If you are unsure about the website, then it may be better to simply close the website, delete all your cookies and try another way to reach the designated website.
Overall, QR codes are here to stay, and hackers know this. Cybercrime has risen by 600% during the pandemic and cost a total of $6 trillion in damages. The underlying idea behind QR attacks is the same as phishing emails, and therefore the majority of the protections are the same as well. The best protection against QR codes or any kind of cybercrime is to think logically—and if it’s too good to be true, then it probably is.
Reduce Your Risk with SCA Security Awareness Training
Want to reinforce good cybersecurity practices in order to reduce risk at your enterprise? Partner with the experts at Security Compliance Associates to develop a plan to reduce your organization’s cybersecurity risks!
We’ll help improve cybersecurity awareness with training and social engineering tests that address human error and result in real value added to your team. Contact us at (727) 571-1141 to speak with one of our experts.