Technology and Games: Content from Across the ABC

Opinion

Beware of Malicious QR Codes

Lloyd Borrett ABC Technology and Games 8 Jun 2011
QR codes can be used by cyber crooks to steal your money or your identity.

QR codes are popping up everywhere - in magazines, on billboards, street posters, buses, business cards, t-shirts and merchandise, on almost any object, providing information, incentives and special deals. They're super convenient to use and with their growing popularity, cyber criminals are likely to manipulate this technology to trick you.

It's easy for the bad guys to use malicious QR codes to get you to visit malicious web pages where they can attack you. So you need to know how to protect yourself but, first, let me explain a bit more about what QR codes are and how they are used.

Wikipedia tells us a QR code, short for Quick Response, is a specific matrix barcode (or two-dimensional code), readable by dedicated QR barcode readers and camera phones. The machine-readable code consists of black modules arranged in a square pattern on a white background. The information encoded can be text, a URL or other data, up to 7,089 characters long. A common barcode can only hold a maximum of 20 digits.

QR code for the URL of my web page http://www.avg.com.au/security-evangelist/. Note that the white border is part of the encoding.

Although initially used for tracking parts in vehicle manufacturing by Toyota subsidiary Denso-Wave, QR codes are now used in a much broader context, including both commercial tracking applications and convenience-oriented applications aimed at mobile phone users - termed mobile tagging.

QR codes can be used to display text to the user, to add a vCard contact to the user's device, to open a Uniform Resource Identifier (URI), or to compose an email or text message. Users can also generate and print their own QR codes for others to scan and use by visiting one of several free QR code generating sites.

Users with a camera phone equipped with the correct reader application can scan the image of the QR code to display text or contact information, connect to a wireless network, or open a web page in the smartphone's browser. This act of linking from physical-world objects is termed hardlinking or object hyperlinking.

But what if cyber criminals start manipulating this technology for their own nasty purposes? It's very easy and viable for them to generate their own malicious QR codes and put them as stickers over the legitimate QR codes in the real world, for both small and large-scale attacks.

The bad guys are also skilled at using more sophisticated attacks like spear phishing or other variants of social engineering. Printed flyers offering irresistible deals, but accessible only via a QR code, could be left in public places.

By such simple means, the bad guys could then easily use their nasty QR code to phish or pharm you off to a web page designed to look like it's by a legitimate advertiser. The cyber criminals will have their own web form asking you to sign up for a service or competition, or purchase some bargain. By completing the form you provide them with your private details and/or your money.

Using other less subtle tricks, they could easily take your browser to a malicious web page and install malware onto your smartphone.

Hopefully, most people today are already aware of the risks when they click on malicious links in email messages or on web pages. Well, camera-equipped mobile device users today need to understand that QR codes pose similar security risks.

The message here is that you need to take similar precautions when using your camera smartphone to those you take when using your personal computer. Install always-on, up-to-date security software on your mobile device straight away.

Tips for Quick Response Safety

Never implicitly trust any QR code. Be suspicious and alert when you go to use it.

Make sure you have security software installed on your mobile device. The vast majority of smartphone, tablet and e-reader users currently don't have any security software installed. Yet these devices can be even more susceptible to malicious attacks by cyber criminals. Free and paid security software solutions are available for most device platforms.

If you are taken by a QR code to a web page which asks you to provide your username, password, bank account details, and/or credit card details, then the person behind the web page is either a thief, or an idiot. So don't provide those details to them.

If you are taken by a QR code to a web page where you need to login, then don't login. Instead, go directly to the web page by putting the correct URL into your browser address bar, or via some other trusted means. Doing this means you're much less likely to fall victim to a phishing scam.
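The payload types listed earlier (text, contact card, Wi-Fi settings, email, SMS, URL) and the two tips above (don't trust the code, check the address before logging in) come together in a "preview before you act" step that a reader app or a cautious user can apply. The following is an added example, not code from the article or from AVG: it takes an already-decoded QR payload string, classifies it, and for URLs lists the red flags a practitioner would look for before opening it. The payload strings and the `EXPECTED_DOMAINS` allowlist are constructed for illustration.

```python
"""Triage a decoded QR payload before acting on it.

Assumes the code has already been decoded to a string by a reader app.
The sample payloads and the domain allowlist below are constructed
examples (hypothetical), not real codes or a real policy.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: domains the user expects a scanned code to lead to.
EXPECTED_DOMAINS = {"avg.com.au", "abc.net.au"}

# Prefixes used by common QR "action" payload conventions.
ACTION_PREFIXES = {
    "mailto:": "email",
    "sms:": "sms",
    "smsto:": "sms",
    "tel:": "phone",
    "wifi:": "wifi",
    "mecard:": "contact",
    "begin:vcard": "contact",
}


def classify_payload(payload):
    """Return the kind of action the payload asks for: url, email, sms, ..., or text."""
    lower = payload.strip().lower()
    if lower.startswith(("http://", "https://")):
        return "url"
    for prefix, kind in ACTION_PREFIXES.items():
        if lower.startswith(prefix):
            return kind
    return "text"


def _is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url, expected=EXPECTED_DOMAINS):
    """Return a list of red flags for a URL; an empty list means none were found."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # "trusted.example@" before the real host makes the address look legitimate.
        warnings.append("userinfo in URL")
    if _is_ip_literal(host):
        warnings.append("IP address instead of domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (internationalised) domain")
    if not any(host == d or host.endswith("." + d) for d in expected):
        warnings.append("domain not in expected list")
    try:
        if parts.port not in (None, 80, 443):
            warnings.append("non-standard port")
    except ValueError:
        warnings.append("invalid port")
    return warnings


def triage(payload):
    """Return (kind, warnings). Non-URL payloads are shown to the user, not acted on."""
    kind = classify_payload(payload)
    if kind == "url":
        return kind, assess_url(payload)
    return kind, []


def safe_to_open(payload):
    """True only for an https URL on an expected domain with no red flags."""
    kind, warnings = triage(payload)
    return kind == "url" and warnings == []


if __name__ == "__main__":
    # Constructed sample payloads; 192.0.2.0/24 is a documentation-only range.
    samples = [
        "https://www.avg.com.au/security-evangelist/",
        "http://www.avg.com.au/security-evangelist/",
        "https://www.avg.com.au@192.0.2.10/login",
        "WIFI:T:WPA;S:cafe;P:example;;",
        "MECARD:N:Borrett,Lloyd;;",
        "Scan me for a deal!",
    ]
    for s in samples:
        kind, warnings = triage(s)
        print(f"{kind:8} open={safe_to_open(s)!s:5} {warnings} <- {s}")
```

The design choice is to refuse by default: anything that is not a URL is only displayed, and a URL is opened only when it is https, on a domain the user already expects, with no address tricks present. That mirrors the advice above to type the correct address yourself rather than follow the code into a login page.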

Please be warned that QR codes aren't the only mobile tagging code format in use. There are a number of other proprietary and non-proprietary, optically readable codes around. For most of them the same security concerns and safety warnings apply. So please play it safe when using all of them.

Lloyd Borrett is the Security Evangelist for security software distributor AVG (AU/NZ).
