QR codes went mainstream during the pandemic, as businesses sought ways to offer customers ‘touch-free’ services. Criminals have taken note, and have been swapping tips on exploiting QR codes to steal funds and break into systems. Organisations should bolster their mobile security, experts advise, and make sure their employees and customers are aware of the risks.
How QR codes went mainstream
Quick response (QR) codes were invented in 1994 by Japanese car parts maker Denso Wave to track vehicles through the manufacturing process. A QR code is essentially a two-dimensional bar code, with around 100-times the data storage capacity, according to PayPal. Combined with widespread smartphone adoption, they offer an affordable way to transmit data that can be attached to any surface.
Initially dismissed by some in the West as a low-tech fudge, QR codes became an essential part of the digital payments infrastructure in China. The country’s two biggest payment apps – WeChat Pay and AliPay – introduced QR codes as a way to initiate payments in 2011. By 2016, an estimated $1.25trn in transactions were initiated by QR code in China.
QR codes became a global phenomenon during the pandemic, as customers sought to avoid physical contact with surfaces. ‘Touch-free service’, where customers can scan a QR code for a menu or to pay, is now commonplace. QR codes were central to the UK government’s contact tracing app, which asked citizens to ‘check in’ to venues by scanning a code on their phones.
As a result, QR codes are now mainstream. According to a report by Juniper Research, 1.5 billion people globally used a QR code to facilitate a payment in 2020. A survey of UK and US citizens in September 2020 by endpoint security provider MobileIron found that 8% had scanned a QR code in the previous 24 hours.
Digital payment providers PayPal and Apple Pay both launched QR code features last year, while banks including Natwest, Royal Bank of Scotland (RBS) and Deutsche Bank now allow users to log into the online banking services using a QR code. Others have introduced QR codes to facilitate ATM withdrawals. As a result, adoption is poised for rapid growth, especially in the US, where Juniper predicts a 240% rise in user numbers by 2025.
Are QR codes secure?
This growing use of QR codes has not escaped the attention of criminals. "We know cybercriminals are abusing this behaviour,” says Anna Chung, principal researcher at Unit 42, the threat research arm of cybersecurity company Palo Alto Networks. "During the pandemic, Unit 42 has observed cybercriminals in underground online forums discussing ways to abuse QR codes and target mobile devices. We also found open-source tools and video tutorials offering training on how to conduct attacks by using QR codes."
We know cybercriminals are abusing this behaviour.
Anna Chung, Unit 42
Many QR code-related threats work by tricking users into scanning a code that directs them to a malicious site or initiates a criminal payment – a technique known as QRLjacking.
Last year, Belgian police issued a warning about a scam in which hackers, posing as customers, would send QR codes to small businesses supposedly to confirm payments. Scanning the code would grant the hackers access to the sellers' bank accounts. "The code does not, in fact, refer to a payment confirmation, but to a login portal that the fraudster, in combination with the bank account number provided, will have direct access ... to your current and savings accounts," said commissioner Olivier Bogaert of the country's Federal Computer Crime Unit.
Another emerging threat is the phenomenon of QR code phishing, or 'quishing', whereby criminals trick users into scanning a malicious QR code via email, directing them to a fake site that prompts them to enter their login details. This technique bypasses many anti-phishing systems, which work by scanning the text of emails, explains Mark Harris, senior director at Gartner. "Because you can't see the URL or it's not visible in the email, [quishing] gets past those traditional techniques."
Chung says that Unit 42 has observed 'quishing' scams that spoof corporate share drives. “We have come across attackers sending out QR codes to phish employees... to trick them onto a web page that looks like a corporate share drive.”
The technique may have an added impact as employees may not have been trained to view QR codes as potential phishing threats, adds Peter Gooch, partner in cybersecurity and privacy at Deloitte. "If it's seemingly from a known company to you, you might not think twice about it,” he says.
Managing the cybersecurity risk from QR codes
How can organisations reduce the cybersecurity risk posed by malicious QR codes? One essential approach is to ensure that employee smartphones are secured, something that can be overlooked. "The majority of [companies] have fairly strict security protections over the laptop," explains Chung. "But not so much for the corporate phone ... because that's an extra layer of investment and protections that you need to continuously control. So that is another layer of effort that I know [many] companies overlook."
Another crucial measure is to raise awareness of the risks, both among customers and employees, Chung says. “QR code stands for a quick response, so [being] quick is its advantage," she explains. "But at the same time, it could be a disadvantage for people who are not fully familiar with this technology and the potential risks that come with it."