QR Code Care

QR codes are awesome, but they're also one of the fastest-rising points of attack for stealing your data.


You can't have wonder in the world without grime; the light and the dark are intertwined inexorably, and it's no less true for technology than for any matter of deep and timeless philosophy.

Take QR codes, for instance.

The other day, I went strolling about town with my wife and a friend of ours, having a great old time.

Then, lo, my friend pauses and whips out their phone. A wild QR code had appeared!

At the corner of this little sloping yard, two QR codes stood on metal rods, encased in plastic, turning the edge of an otherwise ordinary-seeming garden into a miniature museum display.

The codes led us to a really lovely piece of local news about the old woman who lived in that house her entire life, and had been featured on the local news. It touched our hearts, and the evening was better for the discovery.

And yet, any time we scan a QR code in the wild, we're running an incredible risk. That's because bad actors – scammers desperate to steal whatever they can, wherever they can – frequently use QR codes in their illicit ventures.

QR codes are everywhere—restaurants, airports, parking meters, you name it. They provide a quick way to access information or complete transactions without the hassle of typing out a URL. It makes sense to use them.

But the convenience of the QR code comes with the very real risk of falling victim to malicious links and scams. The problem has become even more prevalent since the COVID-19 pandemic, which saw a rapid increase in the adoption of touchless technology, including QR codes (Sharevski et al., 2022).

QR Codes: A Rising Cybersecurity Threat

The primary danger posed by QR codes lies in their ability to link users to potentially harmful URLs. As Rafsanjani et al. (2023) put it, "malicious Uniform Resource Locators (URLs) are the major issue posed by cybersecurity threats" (p. 1).

A URL is what we think of as the website address. It's everything alongside the "www." in the address bar of your browser. One of the most common ways that cybercriminals break into your accounts is by getting you to go to a malicious link. Instead of www.google.com, for instance, you might click on www.gooogle.com. That extra "o" makes all the difference.

On this new website, you might find a login page that asks you to enter your email and password. It would look very convincing. But, as soon as you enter your info... BAM... your account is compromised.

Cybercriminals can even more easily replace a legitimate QR code with a malicious one, directing unsuspecting users to websites designed to steal information or install malware on their devices. Since there's nothing human-readable about a QR code, scanning one can land you on a dangerous website far more easily than a malicious URL alone would. In fact, the dangers of QR codes are even worse: as Cerf (2023) notes, "suitably composed malicious sites could automatically download malware as a result of activating a QR code" (p. 1).

Why Do People Fall for Malicious QR Codes?

The simple answer is convenience. The global pandemic made QR codes a staple of everyday transactions, from signing into venues for contact tracing to accessing menus at restaurants. In a study involving 173 participants, it was found that a majority (67%) were willing to sign up using their Google or Facebook credentials when presented with a malicious QR code, all for the sake of convenience (Sharevski et al., 2022).

But the true problems at work go far deeper than this study suggests. It strikes me that there is a fundamental lack of even the most basic security awareness when it comes to the technologies we use every day.

Giant tech companies have infiltrated school programs throughout the United States. While kids are learning how to use curated and simplified software, they're not learning the fundamentals of how -- and why -- technology works the way it does. This has implications for everything from future job satisfaction to personal safety in an increasingly complex online landscape.

What Can Be Done?

Eventually, we need to seriously reconsider how we teach people to use and think about technology from an early age. But while we're waiting to make the systemic changes, there are some more immediate steps we can start taking.

Enhancing security around QR codes is essential. One proposed solution is the use of machine learning for detecting malicious URLs, which has proven to be more effective than traditional methods (Rafsanjani et al., 2023). We should be looking toward the developers of QR reader apps to build in some safety tools as well. While blacklisting is a slow method that won't catch all instances, blacklisting with an easy report function could be a handy way to build in networked security at some level.
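As a sketch of what such a built-in safety tool might do before opening a scanned link, here is an added example (not from the cited papers or any real scanner app). It checks the decoded text against a reported-sites list and flags lookalike hosts such as the gooogle.com case above; the function names and both lists are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions for this example, not real feeds).
TRUSTED = {"google.com", "duckduckgo.com", "acm.org"}
BLOCKLIST = {"free-parking-pay.example"}  # e.g. filled by user reports


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_qr_payload(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return "block", "malformed URL"
    if url.scheme not in ("http", "https"):
        return "warn", f"not a web link (scheme {url.scheme!r})"
    if "@" in url.netloc:
        return "block", "text before '@' disguises the real host"
    host = (url.hostname or "").lower().rstrip(".").removeprefix("www.")
    if not host:
        return "block", "no host in URL"
    if host in BLOCKLIST:
        return "block", f"{host} is on the reported-sites list"
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return "allow", f"{host} is a known site"
    for t in sorted(TRUSTED):
        if edit_distance(host, t) <= 2:  # near miss on a name we know
            return "block", f"{host} imitates {t}"
    return "warn", f"unknown site {host}: show full address before opening"
```

Anything that returns "warn" should show the user the full address and wait for confirmation rather than opening it automatically.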

Ultimately, it comes down to good user practices at the moment, though. This is not ideal, but the best thing we can do is help as many people as possible understand the risks, so they can better protect themselves in the future.

Common Safety Tips

  1. Inspect QR Codes: Before scanning, examine the QR code. Does it look like a sticker pasted over something else? Any signs of tampering should be a red flag.
  2. Use a Trusted Scanner: The built-in QR code readers in Apple and Android devices may (do) transmit sensitive data to the corporations... but are generally acceptable for normal use. Be very wary of apps with built-in QR code scanners other than these!
  3. Question Convenience: Remember that convenience is often used as bait. If you’re scanning a QR code and being asked to enter personal information, consider whether it’s truly necessary. As Sharevski et al. (2022) found, people are more likely to compromise their credentials for convenience—don’t fall into this trap.
  4. Manually Type URLs: When possible, type in URLs manually or use official apps instead of scanning QR codes. This reduces the risk of being redirected to a malicious site.
  5. Use DuckDuckGo to generate a QR code: This is more of a fun tip, but the DuckDuckGo search engine allows you to easily generate QR codes for any URL or email address! In the DuckDuckGo search bar, simply type "QR", a space, and whatever you want to QR-ify.

The use of QR codes is not going away, and they offer undeniable benefits. But as Cerf (2023) aptly puts it, "the convenience of digital services comes with potential hazards against which we all need training and tools to avoid" (p. 1). It’s up to us to stay vigilant, use the right tools, and think twice before we scan.


👋 Hi there!
I’m Odin Halvorson, a librarian 📚, independent scholar 📖, film fanatic 🎬, fiction author 📝, and tech enthusiast 💻. If you like my work and want to support me, please consider becoming a paid subscriber to my newsletter for as little as $2.50 a month! 📣


References

Cerf, V. G. (2023). On QR codes and safety. Communications of the ACM, 66(2), 7–7. https://doi.org/10.1145/3578891

Rafsanjani, A. S., Kamaruddin, N. B., Rusli, H. M., & Dabbagh, M. (2023). QsecR: Secure QR code scanner according to a novel malicious URL detection framework. IEEE Access, 11, 92523–92539. https://doi.org/10.1109/ACCESS.2023.3291811

Sharevski, F., Devine, A., Pieroni, E., & Jachim, P. (2022). Phishing with malicious QR codes. Proceedings of the 2022 European Symposium on Usable Security, 160–171. https://doi.org/10.1145/3549015.3554172
