The Hidden Dangers of QR Codes


Those black-and-white squares you see in ads may look harmless, but lurking behind the quick-response code is the very real possibility of a malicious attack.

More than 30% of QR code readers in the Google Play app store are malicious code, according to David Maman, chief technology officer of the database security company GreenSQL.

"Malicious code providers have started realizing that a lot of people will try downloading QR reader applications," Maman says.

Google tries to police its application marketplace, but it's hard to keep up, Maman says.

Equally troublesome, Maman says, is that hackers have accessed the advertising programs used to generate the QR codes themselves, to redirect the Internet addresses they generate to malicious sites.

Often companies such as banks do not generate their own QR codes; they use a marketing or advertising agency that lets them generate the codes through its system. Even if the original link was legitimate, ownership of the link is manipulated so that it forwards to a site with malware that attacks Android devices, Maman says.

Another threat is fraudulent ads containing malicious QR codes.

Maman recently conducted an experiment during a three-day security conference in London. He created a small poster featuring a security company's logo and the sentence, "Just Scan to Win an iPad."

Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.

Over the three days, 455 people scanned the sign and browsed the link: 142 iPhone users, 211 Android users, 61 BlackBerry users, and 41 unknown browsers.

Maman's QR code simply linked to a Web page featuring a smiley face. "If I had decided to include a malware or poisoned URL attack based on multiple mobile smart phone browsers, I wonder whose phone I would have penetrated," he says.

"QR codes are becoming more and more prevalent, and most of us don't have the same antivirus filtering technology on our phones or tablets that we have on our PCs," Maman says. "Can we really fully trust the QR codes we see on the streets, in restaurants or in ads? Regretfully, the answer is no."

What should a bank that uses QR codes do to protect itself? "Make sure the link inside the QR code will be under the bank's own domain" — such as bankofamerica.com — "and that people can see this is a legitimate link," he says. "Then it will be much harder for anybody to try to manipulate it or try to hack in."

Such a defense would of course require the end user, the bank customer, to be aware of the URL showing up on his mobile device, which is not a given.
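The check Maman describes, keeping the link under the bank's own domain, can also be enforced by the bank before a code is printed and by a scanner app before a link is opened. The following is an added example, not code from the article or from GreenSQL: it classifies a URL decoded from a QR code against an allowlist of domains the bank is assumed to own (the allowlist, the sample payloads and the `.example` hosts are constructed for this example), rejecting the common lookalike forms, such as the brand appearing as a subdomain of a foreign host, in the userinfo part, or only in the path, as well as plain-HTTP links, raw IP hosts and internationalized hosts.

```python
"""Classify a URL decoded from a QR code against a bank's own domains.

Added example, not from the article. Assumed allowlist and constructed
sample payloads; nothing here is a real campaign or a real attacker host.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains this bank controls. Subdomains of these are accepted.
OWNED_DOMAINS = ("bankofamerica.com",)


def classify_qr_url(url, owned_domains=OWNED_DOMAINS):
    """Return (ok, reason).

    ok is True only when the URL uses https and its host is exactly one of
    owned_domains or a subdomain of one. Every other shape is rejected with
    a short reason suitable for a log line or a scanner warning.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"

    # urlsplit strips userinfo and port and lowercases the host for us.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"

    # "brand.com@other-host" puts the brand where a reader expects the host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present, host is not what it appears to be"

    # A bank link should name the bank, not a bare address.
    try:
        ipaddress.ip_address(host)
        return False, "host is an IP address"
    except ValueError:
        pass

    # Punycode or non-ASCII labels can render as visual lookalikes.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return False, "internationalized host (possible homograph)"

    for owned in owned_domains:
        owned = owned.lower().rstrip(".")
        if host == owned or host.endswith("." + owned):
            return True, f"host {host} is under {owned}"
    return False, f"host {host} is not under an owned domain"


def audit_payloads(payloads, owned_domains=OWNED_DOMAINS):
    """Classify a batch of decoded payloads; returns list of (url, ok, reason)."""
    return [(u, *classify_qr_url(u, owned_domains)) for u in payloads]


# Constructed sample payloads, as a scanner or a pre-print review might see them.
SAMPLE_PAYLOADS = [
    "https://www.bankofamerica.com/promo",          # legitimate
    "http://www.bankofamerica.com/promo",           # downgraded scheme
    "https://bankofamerica.com.promo.example/win",  # brand as a subdomain of another host
    "https://bankofamerica.com@promo.example/win",  # brand in userinfo
    "https://promo.example/bankofamerica.com",      # brand only in the path
    "https://xn--bankofamerica-example/",           # punycode host
    "https://192.0.2.10/",                          # raw IP (documentation range)
]

if __name__ == "__main__":
    for url, ok, reason in audit_payloads(SAMPLE_PAYLOADS):
        print(("ALLOW " if ok else "BLOCK ") + url + "  (" + reason + ")")
```

Only the first sample passes; a scanner app that showed this verdict next to the decoded link would give the customer the visible check Maman asks for, and a bank running the same function over every code before printing catches a redirected campaign link before it reaches a poster.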

"Eighty percent of people who get a link from an unknown sender will never stop and think about it," Maman says.

Any other advice?

"Stop using smart phones. … I'm kidding," Maman says with Borscht Belt timing. "It will only get worse, and eventually 90% of the prevention is very simple thinking. Most likely today nine out of 10 QR codes are safe, but mobile devices are becoming more and more the way to surf the Web — Facebook has declared 50% of its users come in through smartphones. I think within a year it will be 75%, even more. I think next year each and every security vendor is going to have a security solution for mobile devices."

The most important takeaway: "Think before you click anything."
