QR Code Security: What You Need to Know Today

January 19, 2021

QR codes are very common today, enough so that attackers are discovering ways of using them for profit. How can QR codes be used this way, and what can you do to boost QR code security and protect against these scams?

What Are QR Codes Used For? 

QR codes — short for “quick response codes” — were born in 1994 as a way for Japanese auto parts maker Denso Wave to track parts in car factories. These two-dimensional barcodes enable a smartphone camera to read up to 4,000 characters of information instantaneously. 

After growing in use and breadth of application for decades, QR codes are having a moment. In 2020, consumers and businesses embraced touchless solutions. App-centric payment companies, charities, nonprofits and point-of-sale systems used online QR code generators as a way to make customer portals that avoided button pushing and credit card exchanges. 

The largest tech companies are embracing QR codes in a big way. Silicon Valley companies (and others) are finding QR codes useful for self-service information in retail stores, transactions and other uses. Most interestingly, they’ll also become useful for augmented reality. QR code stickers on an object or wall or table can serve as both an anchor in 3D space for virtual reality objects and the source of the data. 

Smart displays can now support QR codes for scanning grocery items to add to a shopping list. Social networks have embraced QR codes for linking to personal profiles. There’s no question QR codes are now totally mainstream. 

A survey by MobileIron found that 84% of respondents had scanned a QR code before, with a third having done so in the prior week. Which raises the question: are QR codes safe?

QR Code Security Issues

They can be. QR codes are convenient — and uniquely powerful for criminals. 

Essentially, they can serve as URLs, carrying the same kinds of risk as opening a malicious website on a phone. But people are less likely to recognize a malicious QR code than a malicious URL. It also benefits the bad guys that most people don’t know a QR code can do more than open a URL: it can write an email or text message or make a phone call. More than one-third of respondents in the MobileIron survey say they are not concerned about the security risk of using QR codes. 

Threat actors can deliver malicious QR codes via instant messages, social media, email, SMS — you name it. And QR codes can initiate action on smartphones, such as launching a payment app and making a payment, adding a contact or following a malicious account on social media. They can also divulge the victim’s location or add a malicious Wi-Fi network.

Dynamic QR codes are a special risk. The content they lead to can be changed after they’re generated, or they can present different data to different types of devices. 

The rise of QR codes also coincides with the rise of cryptocurrency, to unhappy effect. Bitcoin addresses are often conveyed via QR codes, which is far more convenient than typing out a long Bitcoin address. QR codes inject data, and Bitcoin is data, so the abuse of QR codes to steal Bitcoin was an inevitability. 

Tips for Avoiding QR Code Scams

Users have several ways to minimize the risk of QR code scams and QR code security issues. 

  • If anyone appears to send a QR code, contact the supposed sender and ask if they sent it. 
  • Look out for URL-shortened links appearing after scanning a QR code, which can hide malicious URLs. 
  • Organizations: Deploy a mobile defense solution that blocks phishing attempts, exploits, phone take-overs and unauthorized downloads. 
  • Embrace multifactor authentication in place of password access to applications and cloud resources. 
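
To make the payload types and the shortened-link tip above concrete, here is an added example (not code from the original article) that classifies the text decoded from a QR code before anything acts on it. The prefix table follows common QR payload conventions; the shortener host list, function names and sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed sample list of shortener hosts; maintain your own in practice.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Payload prefix (lower-cased text before the first ':') -> resulting phone action.
ACTIONS = {
    "http": "open website", "https": "open website",
    "mailto": "compose email", "matmsg": "compose email",
    "sms": "compose text message", "smsto": "compose text message",
    "tel": "place phone call",
    "wifi": "join Wi-Fi network",
    "geo": "open map location",
    "mecard": "add contact", "begin": "add contact",  # BEGIN:VCARD
    "bitcoin": "cryptocurrency payment",
}

def url_warnings(url: str) -> list:
    """Return reasons a decoded web link deserves a closer look."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if host in SHORTENER_HOSTS:
        warnings.append("shortened URL hides the final destination")
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("text before '@' is not the real host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host may imitate another domain")
    return warnings

def classify_qr_payload(payload: str) -> dict:
    """Describe what a decoded QR payload would do before acting on it."""
    text = payload.strip()
    prefix, sep, rest = text.partition(":")
    action = ACTIONS.get(prefix.lower()) if sep else None
    if prefix.lower() == "begin" and not rest.upper().startswith("VCARD"):
        action = None
    if action is None:
        return {"action": "plain text", "warnings": []}
    if action == "open website":
        return {"action": action, "warnings": url_warnings(text)}
    return {"action": action, "warnings": ["performs an action other than opening a web page"]}

# Constructed sample payloads, as a scanner library would return them.
if __name__ == "__main__":
    for sample in ("https://bit.ly/3abcXYZ", "WIFI:T:WPA;S:CafeGuest;P:example-pass;;",
                   "bitcoin:EXAMPLE-ADDRESS-PLACEHOLDER?amount=0.01", "Table 12: menu"):
        print(sample, "->", classify_qr_payload(sample))
```

A scanner app or mobile gateway could show the returned action and warnings to the user and require confirmation before handing the payload to the browser, dialer or payment app.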

These days, it’s important to cover all your bases when it comes to mobile data protection. Defending against pervasive and growing malicious QR codes should be at the top of that list. 

Mike Elgan

I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...