While not new, QR codes have grown in popularity alongside the increased availability of smartphones. Built-in cameras scan these two-dimensional bar codes, which are used to make payments, download menus in restaurants, for general marketing purposes and more.
However, according to Simeon Tassev, MD and QSA at Galix, they can also be used by attackers to steal personal and payment-related information.
He says convenience is the killer, as QR codes are incredibly user-friendly. "These days, we see them everywhere. They are on the back of consumer products, and we can scan them to get more information. They are in restaurants so we can scan them to view the menu without touching a physical menu card. They are used to enter competitions, in children’s books to access online content. They are also used by various apps to allow small business vendors to accept credit card payments.”
But while smartphones can read the QR code, people cannot, which poses a risk as they have no idea where the code will direct them. The link could easily be malicious, or direct the user to a fake website, or even pay the wrong vendor.
“Opening a QR code could trigger an executable file or potentially malicious code, which can then be used by cyber criminals to steal personal information, including payment data,” Tassev adds.
Think before you scan
The issue is neither with the QR codes themselves, nor with the payment apps, because these are both secure and mature technologies, he explains. “QR codes are easy to generate and can be done for free online, meaning genuine codes can easily be replaced by fake ones.”
Tassev says the greatest risk is that we use these codes in scenarios where we are not thinking about cyber security.
“If possible, verify the payment before you process it – check with the vendor that you are paying the right person, visit links directly through your browser or use an alternative method where possible,” he advises.
In addition, have endpoint security on all devices to protect them from malicious content. “Most of all, be mindful. QR codes are fun, easy and convenient, but they are vulnerable to abuse and we need to be aware. You wouldn’t just click a link in an e-mail without checking, so why scan a QR code without verifying it first.”
Share