Are your QR Code scans secure?

Shashishekhar S
Published in Dhiway
Sep 30, 2020
Leap from real to the virtual using QR Code

In the summer of 2016, there was another pandemic of sorts that had spread across the world. Pokémon Go was all the rage. People had taken to playing Pokémon Go on their mobile, seeking the elusive Pokémon at every nook and corner in their cities.

This had a curious side-effect, though. As part of the game, players were expected to search for friends’ QR Codes and scan them. This resulted in a surge in Quick Response (QR) Code usage. While QR Codes have been in use since 1994 for various purposes, their adoption has been mostly muted.

Until the last couple of years.

The accompanying Google Trends graph suggests a significant increase in interest around QR Codes globally.

In focus.

While there have been several articles talking about the “second coming” of QR Codes, it is fascinating to get behind the reasons for the current surge in usage of QR Codes.

The ongoing pandemic has necessitated minimal-contact physical transactions across the world. Most commerce activities have moved online. Suddenly, a significant fraction of the people engaged in some kind of selling or buying have started using e-commerce apps and tools to conduct their business. In addition, many savvy users whose jobs have taken a hit due to the pandemic have also jumped on the bandwagon.

The leap.

Most everyday economic activities are now being conducted online. But almost every activity has a phase that needs to be realized in the physical world. QR Codes are being used extensively to bridge this gap between the physical and virtual worlds. Be it scanning to get tickets (movies, rail, flight); digital menus (at restaurants); connecting to WiFi; sharing contact details; tracing and tracking of packages; labeling medical test samples; payment systems; or product catalogs, QR Codes are connecting every such activity.

However, the leap from the real to the virtual is not without its hazards and risks. With the rise in the adoption of QR Codes for legit applications, there is a corresponding increase in the methods cybercriminals deploy to circumvent the intended actions of legitimate QR Codes. The URLs that are encoded in a QR Code can be taken over and made to:

  • serve malware,
  • redirect to impersonating payment sites,
  • represent fraudulent product information leading to malicious commerce sites,
  • capture personal information, which is then traded elsewhere on the dark web.

There are other simple QR Code manipulation attacks on the ground that are capable of causing significant financial losses for the stakeholders involved. These include pasting an impersonating QR Code over a valid one at storefronts, on packages for rerouting, etc.

A Secure Experience?

As consumers, we regularly scan QR Codes everywhere, all the time, to conduct transactions. How can we mitigate these not-so-obvious but highly probable attacks that may impact our finances, our identity, our businesses?

The current tools (mobile apps) available to scan and make use of QR Codes serve their purpose only to a limited extent. Features that could help users understand the security posture of the QR Codes they’re scanning are invariably absent in most apps, exposing us, the users, to the dangers of QR Code transactions detailed above.

In pursuing our vision of enabling end-to-end secure data exchange, we, at Dhiway, would like to engage with consumers and other stakeholders interested in building safety nets for such use cases. Talk to us on Twitter (@dhiwaynetworks).
