Quick Response (QR) codes are rising in popularity. According to a survey conducted by MobileIron, more than 66% of respondents stated that a QR code makes life easier in a touchless world–despite a majority of people lacking security on their mobile devices. However, 53% of respondents stated they do not have, or do not know if they have, security software installed on their mobile devices, while 37% of respondents accepted that they are unable to distinguish a malicious code. More than 60% of respondents feared that hackers can target them using a QR code. But, at the end of the day, people consider QR codes to be an easy way to make payments and interact in a touchless world.
With new technology and innovation comes new threats and vulnerabilities, and mobile devices are an appealing target for hackers because the mobile user interface prompts users to take immediate action while limiting the amount of information available. Users are also distracted when using their mobile devices, making them more likely to fall victim to attacks.
Security Risk Associated With QR Codes
The exponential increase of QR code use has created a new avenue of opportunity for hackers. They use QR codes to infiltrate mobile devices, steal enterprise data and, ultimately, wreak havoc on organizations. Some of the risk factors associated with QR codes that hackers can exploit are as follows:
- Making a payment—If the QR code is malicious, making a payment may allow hackers to capture a user’s personal financial information.
- Following social media accounts—If a user’s social media accounts come in contact with a malicious account, their personal information and contacts may be exposed.
- Revealing the user’s location—Malicious actors can use the QR code to send a user’s geolocation information to an application (app) or website.
- Adding a contact listing—Hackers can use a QR code to automatically add a new contact listing to a user’s phone, triggering spear phishing and other attacks.
It has become critical for individuals and enterprises to prioritize mobile security while ensuring a seamless user experience. QR codes are a valuable and versatile marketing tool for organizations that can help facilitate efficient consumer interactions.
Mitigation Strategies
Individuals and organizations can take action to help mitigate the risk of QR code security threats. The following steps will help increase secure implementation and use of QR codes:
- Promote security awareness within the organization.
- Before scanning, touch the QR code to find out if a sticker has been applied over the original and legitimate QR code.
- Use only a QR reader app with built-in security features and understand that some QR reader apps are more secure than others. Secure QR reader apps display the content of the link to which is going to be navigated and check the link against a database of known malicious links.
- Never log in to an app using a QR code.
- Pay attention to the URL being directed to and ensure that the links are legitimate.
Final Thoughts
A unified endpoint management solution can provide the IT controls needed to secure, manage and monitor every device, user, app and network being used to access enterprise data, while maximizing productivity. A zero trust security strategy should be implemented to continually verify each asset and transaction before permitting access to the network.
Hafiz Sheikh Adnan Ahmed, CGEIT, COBIT 5 Assessor, CDPSE, GDPR-CDPO, Lead Cloud Security Manager, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, ISO/IEC 27701 LA/LI, is a governance, risk and compliance (GRC), information security and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter, IAPP KnowledgeNet Chapter Chair, and volunteers at the global level of ISACA as a Topic Leader for the engage online communities, member of the IT Advisory Group and the Chapter Compliance Task Force, ISACA® Journal article reviewer, CGEIT® Certification Working Group. He is a Microsoft Certified Trainer, a PECB Certified Trainer and an ISACA-APMG Accredited Trainer. He can be reached via email at adnan.gcu@gmail.com and LinkedIn.