QR Codes Pose Significant Security Risks Most Users Are Unaware Of


The humble QR code, largely ignored by the US and Europe for almost two decades, has made a comeback since the start of the pandemic. However, the gain in popularity is also likely to cause a surge in QR code fraud. Understanding QR codes and their use is key to preventing such scams, a study by MobileIron warns.

The Nifty Two-Dimensional Barcode

A QR code, or Quick Response Code, is a two-dimensional barcode that can be read by a QR code reader. iPhones running iOS 11 or higher and some Android devices come with an in-built reader. If you have an older model, it is likely that you could download a third-party app with the same functionality.

The first QR code was introduced way back in 1994. Its inventor, Masahiro Hara, developed the matrix barcode to track vehicles during manufacturing. The barcode can contain all sorts of data: for example, a locator, an identifier, a time tracker, a tracker that points to a website or application, and more.

QR codes quickly became popular outside the automotive industry. They are super easy to create, easy to read – even when partially damaged – and have a far greater storage capacity than standard barcodes. They have various uses: QR codes are common in the advertising world, have been incorporated into currency, and can be used to make payments, to join a Wi-Fi network, etc.

Gaining in Popularity

In September 2020, software company MobileIron conducted a survey among 2100 consumers in the US and the UK. One of the first findings of the consumer sentiment study was that QR codes are rising in popularity and use. The increased use of contactless payments in retail and contactless data collection are two of the main drivers.

Here are some survey results.

  • 86% of people have scanned a QR code before, with 67% having scanned a QR code recently, i.e. in the past week or month.
  • In the last six months, 38% of respondents have scanned a QR code at a restaurant, bar or café; 37% at a retailer; and 32% on a consumer product.
  • 53% of respondents would like to see QR codes used more broadly in the future; 43% plan to use a QR code as a payment method in the near future; and 40% would vote for using a QR code received in the mail, if it was an option.

What You Didn’t Know QR Codes Can Do

The study results also show that most consumers have little knowledge of what QR codes are capable of. This opens pathways for fraudsters to exploit the humble code as a gateway for all kinds of scams. A QR code can, for example:

  • Automatically create a new contact or contact list on someone’s phone
  • Start a phone call, create a text message or draft an e-mail
  • Make a payment within a few seconds
  • Share geolocation and other information
  • Open a web page and/or download an application
  • Cause a user to follow someone on social media
  • Add a Wi-Fi network to your preferred list

Unfortunately, mobile devices are appealing targets for hackers. They usually prompt their owners to take immediate actions, while the amount of information available is, in most cases, limited. This is especially the case with QR codes, which are a bit of a mystery to most people. Plus, users are often distracted when they use their mobile phone, making them more likely to fall victim to fraudsters.

Significant Security Risks

Clearly, some of the capabilities of QR codes mentioned above pose significant security risks. If an automatically created contact listing contains malicious information, for example, it could trigger an exploit on your device. If the QR code contains a malicious URL, it may take you to a fake website. And if the QR code is malicious, hackers could capture personal or account information. And so on.

Remarkably, over half (51%) of the respondents have concerns with using QR codes but use them anyway. A third (34%) have no concerns. Moreover, 40% are unsure or do not believe that they can be hacked using a QR code. Nonetheless, a third (33%) reported that at some point in time, a QR code did something they did not expect it to, or that they were unsure if the QR code did what it was supposed to do. Despite all this, less than half (49%) of respondents have security software installed on their mobile devices, like a virus scanner or antimalware.

“I expect we’ll soon see an onslaught of attacks via QR codes”, said Alex Mosher, Global Vice President of Solutions at MobileIron. “A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.”

Avoiding QR Code Scams

Most QR code scams can easily be avoided. Firstly, users should educate themselves and take some precautionary measures. Examine the displayed sign for any indications of tampering, such as a sticker placed on top of the original sign or poster. Avoid scanning codes in public places that can easily be tampered with. And in general, as with most scams, it is recommended to look out for spelling mistakes or typos in links or names, and to never share sensitive information.

Also, be aware that to make a payment via a QR code, you only need to scan the code. You should never have to share your card number, expiry date, PIN or CCV. It is also wise not to use third-party apps such as Screenshare, AnyDesk and TeamViewer to enable or receive payments. These apps are genuine, but screen sharing can be used to gain access to bank credentials.

Finally, it is wise to use a secure QR code scanner that can flag malicious websites. You could also, preferably in addition to the secure scanner, install antivirus software or antimalware on your device. This software can detect malicious or unwanted activity and prevent websites from, for example, embedding a trojan or malware into your system.
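
The following Python code is an added example, not part of the MobileIron study or the original article. It shows what a scanner can do before acting on a code: map the decoded payload to the action it would trigger (the capabilities listed earlier) and attach warnings for links. The payload formats are the common URI-scheme, WIFI:, MECARD: and vCard conventions; the function names and the warning heuristics are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Widely used QR payload conventions; illustrative, not exhaustive.
URI_ACTIONS = {
    "tel": "start a phone call",
    "sms": "create a text message",
    "smsto": "create a text message",
    "mailto": "draft an e-mail",
    "geo": "open a map location",
}

def parse_wifi(payload):
    """Parse 'WIFI:T:WPA;S:name;P:secret;;', honouring backslash escapes."""
    fields = {}
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)
    return fields

def describe(payload):
    """Return (action, warnings) for a decoded payload without acting on it."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        wifi = parse_wifi(text)
        open_net = wifi.get("T", "nopass").lower() == "nopass"
        warnings = ["open network, traffic is not encrypted"] if open_net else []
        return "add Wi-Fi network %r" % wifi.get("S", "?"), warnings
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:")):
        return "create a new contact", []
    try:
        url = urlsplit(text)
    except ValueError:  # malformed bracketed host
        return "show plain text", ["unparseable link"]
    scheme, host = url.scheme.lower(), url.hostname or ""
    if scheme in URI_ACTIONS:
        return URI_ACTIONS[scheme], []
    if scheme not in ("http", "https"):
        return "show plain text", []
    checks = [
        (scheme == "http", "unencrypted http link"),
        (re.fullmatch(r"[0-9.]+", host), "raw IP address instead of a domain name"),
        ("xn--" in host, "punycode host, check for look-alike letters"),
    ]
    return "open a web page at " + host, [msg for hit, msg in checks if hit]

if __name__ == "__main__":  # constructed sample payload
    print(describe("WIFI:T:nopass;S:Cafe Guest;;"))
```

Showing the returned action and warnings to the user, and waiting for confirmation, keeps a scanned code from silently doing something unexpected.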

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments.