Published on September 22nd, 2022
Are QR codes a great invention or a cybersecurity threat?
In 2021, 75.8 million smartphone users in the United States scanned a QR code on their mobile devices, up by 15.3% compared to 2020.
The usage of mobile QR code scanners is projected to experience continued growth, reaching approximately 99.5 million users in the U.S. by 2025.
QR codes have grown more appealing to threat actors as they have become more widely adopted. The same accessibility that makes them helpful also makes them efficient delivery methods for malware and phishing scams.
With 59% of respondents believing that QR codes would be a permanent part of using their mobile phone in the future, what are the cybersecurity ramifications of mainstream QR Codes?
Cybersecurity specialists Ping Identity have explored the rising threat of QR Code attacks and how to protect yourself from getting scammed.
What are QR codes?
QR codes are matrix bar codes that frequently let customers access exclusive coupons, go to business websites, get exclusive offers, or discover more about goods and services.
Consumers can easily scan and interpret the message contained in a QR code box by pointing a smartphone’s camera at the code after installing a QR code reader application.
Why QR codes are not often secure
The biggest problem with QR codes is that humans cannot read their format, making it impossible for us to tell if a QR code is real or false just by glancing at it.
Below are some ways that malicious parties can utilise QR codes against you:
Another issue, known as QPhishing, is the usage of QR codes in phishing scams. A cybercriminal could add a phishing website URL to a legitimate QR code.
Users are then prompted by the phishing website to divulge their data, which crooks will then sell on the dark web. In addition, they could pressure you into purchasing goods that bring them money.
These phishing websites are barely distinguishable from real websites, giving the victim the impression that they are trustworthy.
With a few small exceptions, they are largely perfect reproductions of the original. For instance, the “.com” in the domain name can be changed to something else, such as “ai” or “in.”
To infect anyone who scans them with malware, cybercriminals may include dangerous URLs in QR codes that are displayed in public places.
Occasionally, simply accessing the website could start malware downloading covertly in the background. In addition, they may send phishing emails with QR codes that, when scanned, infect the user’s device once more with malware.
The infection can then do consumers harm in a variety of ways. It could create backdoors for additional malware infections or steal information about the victim invisibly and transfer it to attackers.
Such malware infections can occasionally even be ransomware assaults that hold your data captive until you pay the ransom.
The widespread use of QR codes as a payment method presents opportunities for threat actors.
Fraudsters may use QR codes as a payment method, but they may send your money to the incorrect account or even send more money than is necessary from your account.
Better QR code security is required
There is nothing about utilising a QR code that makes it riskier than using a smartphone app or online browser. However, fraudsters and other bad actors can cleverly tamper with QR codes to use them as an offline-to-online route.
The application of best practices for QR code security is essential from both a company and user perspective.
Consumers must look for techniques to assess the security and legitimacy of a QR code scan. To increase scans, clicks, and eventually conversions, companies must communicate and signal the validity of their codes.
When customers fall victim to fraud through QR codes and other scams, companies are often left footing the bill.
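One way a scanner or mobile app could assess a decoded QR payload before opening it, including the domain-ending swap described earlier (an added example, not code from the article or from Ping Identity). The allowlist hosts and function names are hypothetical, and comparing everything before the last dot-label is a simplification that does not handle multi-label endings such as .co.uk.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the hosts a company actually prints in its QR codes.
TRUSTED_HOSTS = {"shop.example.com", "pay.example.com"}


def _split_ending(host):
    """Return (everything before the last label, last label) of a host name."""
    name, _, ending = host.rpartition(".")
    return name, ending


def assess_qr_url(payload, trusted_hosts=TRUSTED_HOSTS):
    """Classify a decoded QR payload; returns (verdict, reasons).

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "unknown", ["payload is not a parseable URL"]
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme}', expected https")
    if not host:
        return "unknown", reasons + ["payload has no host name"]
    if host in trusted_hosts:
        return ("trusted" if not reasons else "unknown"), reasons
    # Same name as a trusted host but a different ending (.com -> .ai, .in)
    name, ending = _split_ending(host)
    for trusted in sorted(trusted_hosts):
        t_name, t_ending = _split_ending(trusted)
        if name and name == t_name and ending != t_ending:
            reasons.append(f"matches {trusted} except it ends in "
                           f".{ending} instead of .{t_ending}")
            return "lookalike", reasons
    return "unknown", reasons + [f"{host} is not on the allowlist"]


# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLES = ["https://shop.example.com/menu", "https://shop.example.ai/menu",
           "https://PAY.Example.IN/checkout", "http://shop.example.com/",
           "https://unrelated.test/offer", "WIFI:S:cafe;;"]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = assess_qr_url(sample)
        print(f"{verdict:9} {sample}  {'; '.join(why)}")
```

Only the 'trusted' verdict should open without a prompt; for anything else the app can show the full host name and the reasons before the user proceeds.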
Zain Malik at Ping Identity commented: “In the world’s uneven transition to digitalization, numerous criminals have developed cutting-edge attack vectors to take advantage of both individuals and organisations.
“Even though QR codes cannot be read by humans, sensitive data still needs to be encrypted to safeguard users’ privacy, and developers must adhere to secure development best practices”.