“Scan here for a great deal!”
“Want to know more? Scan this code!”
Quick response, or QR, codes are everywhere, from store windows to magazines to gas pumps. With a quick scan using your smartphone and a reader application, these codes can take you to a website, open another application or even deliver content, like coupons, right to your phone. For anyone trying to market a product or service, a QR code is a great way to provide important details on the spot — and increase the likelihood a customer will make an immediate decision.
Yet for all of the benefits that QR codes offer businesses and their customers, they aren’t without risks. In fact, some experts caution that QR codes could be the next great risk when it comes to your privacy and security.
The Anatomy of an Attack
Imagine you’re shopping for a new appliance. As you roam the aisles, comparing models, you come across one that has a QR code posted on the corner of the price tag. You pull out your smartphone, scan the code and you’re immediately taken to the manufacturer’s website, where you can learn more about the features of the machine and watch a video of how it works.
But wait … there’s more. When the QR code took you to the manufacturer’s website, it also launched malware on your mobile device. While you’re busily watching a famous morning talk show host demonstrate all of the features of the appliance, a more malevolent application is working behind the scenes, sending all of your phone’s data to a hacker and installing software that will record everything you do on your phone going forward.
Now, obviously the appliance manufacturer didn’t install the malware in its QR code. The code you scanned was a fake, an imposter code that a criminal created using readily available software, then printed and stuck over the existing code when the home improvement store employees weren’t looking.
Fake QR codes are one way attackers are gaining access to mobile devices and wreaking havoc on unsuspecting victims’ lives. Because QR codes can be scanned from anywhere, including computer screens, it’s not uncommon for scammers to add malicious codes to websites to catch people unaware. For example, a website you’re visiting offers a QR code to scan for an application that will let you access the site on the go. You scan the code and, suddenly, you have malware on your phone that sends premium text messages at a dollar a pop.
Direct and Indirect QR Codes
Understanding how QR codes can put your privacy at risk starts with understanding the two types of codes. Direct codes take you right to the content you’re after — you may go directly to the coupon or website without installing anything else. That’s not to say direct codes are without risks, as going directly to an unfamiliar site can leave you vulnerable to infection.
An indirect code requires you to do something else, usually installing an app, to access content. However, unless the app comes from a trusted source, you could be playing with fire. In addition, the app could ask for permissions that aren’t necessary; there is little reason for most apps to have access to your contact list or have the ability to send text messages.
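A scanner app or a mobile-device policy can make the direct/indirect distinction before anything opens. The sketch below is an added example, not part of the original article; the function names, the scheme and host lists, and the warning rules are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy values are assumptions for this example, not from the article.
STORE_HOSTS = {"play.google.com", "apps.apple.com"}
APP_SCHEMES = {"market", "itms-apps", "intent"}       # open a store or app directly
BILLABLE_SCHEMES = {"sms", "smsto", "tel"}            # can start a text or call
PACKAGE_SUFFIXES = (".apk", ".ipa", ".mobileconfig")  # installable files
# Constructed payloads; example.com and 203.0.113.0/24 are reserved for documentation.
SAMPLES = ("https://www.example.com/products/washer",
           "http://203.0.113.7/app/update.apk",
           "https://brand.example@203.0.113.7/login",
           "SMSTO:+15550100:WIN", "market://details?id=com.example.app")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_payload(payload):
    """Return (kind, findings) for a decoded QR payload without opening it."""
    # kind: "direct" = content link, "indirect" = leads to an install, "non-web" = other action
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    findings = []
    if scheme in APP_SCHEMES or host in STORE_HOSTS:
        return "indirect", ["asks you to install an app: review publisher and permissions"]
    if scheme not in ("http", "https"):
        if scheme in BILLABLE_SCHEMES:
            findings.append("starts a text message or call that may be billed")
        return "non-web", findings or ["not a web link: confirm what the scanner will do"]
    kind = "direct"
    if parts.path.lower().endswith(PACKAGE_SUFFIXES):
        kind = "indirect"
        findings.append("downloads an installable file outside an app store")
    if scheme == "http":
        findings.append("unencrypted http link")
    if is_ip_literal(host):
        findings.append("host is a raw IP address, not a named site")
    if parts.username is not None:
        findings.append("text before '@' is not the real host")
    return kind, findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample))
```

An empty findings list only means none of these simple rules fired; it says nothing about whether the destination site itself is trustworthy.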
Protecting Your Network
While anyone is vulnerable to infections from malicious QR codes, in today’s “bring your own device” environment, corporate security professionals are especially concerned about the risks the codes present to corporate networks. An infected device that accesses the network could create a significant security breach. For that reason, some businesses have prohibited employees from reading QR codes on work devices or have established strict protocols regarding acceptable applications. Advanced network security solutions that quickly identify and contain threats can help mitigate the risk as well, blocking malware on infected devices from reaching the corporate network.
QR codes are growing in popularity among marketers, but they aren’t without risks. Use caution when you scan; is an extra 10 percent off worth the potential harm malware could cause your device and your data? As a user, you can protect yourself against potentially malicious QR codes by practicing the age-old concept of “buyer beware.” Most codes from legitimate, established businesses will be fine. The same goes for codes you find in publications. However, before scanning any code in a public place, check to make sure it is the original code.