How to manage the imminent QR code security threat

With businesses reopening in NSW and other parts of the country in the coming weeks, QR codes will once again become a central part of our lives.

These are being implemented for COVID-safe check-ins with integrated proof of vaccination, and even across financial institutions.

However, QR codes are a favourite threat vector among hackers, and signal an imminent threat to privacy if utilised by businesses without precautions.

Service NSW is not the only organisation relying on QR codes to keep the state moving. EFTPOS just announced a new payment system via QR code that is likely to be rolled out at major retail venues across the country before Christmas. In addition, many travel or vaccination certificates being created across the globe are based on QR codes.

Allowing us to access many of our favourite day-to-day freedoms amid a pandemic, consumers have developed high levels of trust in QR codes when the reality is that these are far from secure. In fact, almost a third of respondents to our latest global survey said that QR Codes have directed them to a suspicious site or caused unexpected actions.

The nature of the threat

For years, we have encouraged users to be aware of links before they click on these and to look for telltale signs in the URL that it may not be trustworthy. However, with QR codes, there is no way for users to know it is malicious at face value.

Also concerning is how easy QR codes are to build as well as hack. These have become accessible and opportunistic targets for hackers, with easy scripts and tools available to create malicious codes and embed links triggering malwares or phishing attacks.

VIEW ALL

Hackers have been known to create adhesive labels with malicious QR codes and paste these over legitimate QR codes, allowing them to intercept or sit in the middle of transactions and capture payment information.

A malicious QR code can provide an avenue for loss of data from of the device, provide access to contacts, and even send email from the device or initiate a payment, all without the user’s knowledge or interaction.

Consumers are the primary targets of these attacks, but they are just likely to impact organisations and more specifically, employers, into the future as well. A study from last year shows that 36 per cent of Australian workers access their company data with personal devices, and it is certain this number is even higher now. The probability that hacked devices are connected to sensitive company data is high and there’s a need to take measures and educate consumers and employers alike on how to protect themselves from malware.

Potential defences

There are actions which can be taken at both the user and organisational level to prevent the likelihood of malicious attacks and privacy or data breaches.

At the user level:

• Check before you scan or click: Before scanning a QR code, particularly those on a printed material in a public place, double check that it has not been pasted over with a different code. If it looks like a sticker has been placed over an existing code, check with the owner of the business before scanning – it could be malicious. If a bit.ly URL appears after scanning a QR code, verify the link before clicking on it by adding a plus symbol (+) at the end — this will direct you to a page displaying the link’s information so you can determine if it’s legitimate or not.
• Know what security is on your device: Ivanti’s recent research shows 49 per cent of people either do not have, or don’t know if they have security installed on their mobile device. Ensure you have security software active on your device that will help to detect and remediate malicious code and threats.

At the organisational level:

• Educate employees: Ensure employees are aware of QR code threats, share information about how they can best protect themselves and explain the personal and business implications of not doing so.
• Adopt a Zero Trust approach to security: Even with a robust education plan in place, there’s still a high level of risk of compromise as threats evolve, become more sophisticated and become harder to spot. The best option is to technically restrict the devices that can be used to access company network and data with a Zero Trust approach to security. With adoption of the "everywhere workplace", devices like mobile phones are being connected to the same networks as company-issued laptops, meaning any device compromised by a QR code threat could put the entire network in danger if the right security protocols aren’t in place.

Alongside a boom in QR codes, we could see a surge in data breaches and mobile devices being hacked across the country if we don’t take the aforementioned precautions.

Matthew Lowe is the area VP for ANZ at Ivanti.