As I reported Feb. 26, Google is to roll out QR codes to replace SMS two-factor authentication codes for Gmail users in the coming months. This security upgrade is to be welcomed, but with multiple warnings about QR code attacks, from police forces to Google’s own threat intelligence group, the question remains: how safe are QR codes?
What Is A QR Code?
The simple answer, and the one most often provided in online FAQs, is that a QR code is a type of barcode that can store far more data than the familiar one-dimensional barcodes on shop goods and parcel labels. The more detailed description is that the Quick Response code (that’s what QR stands for), developed in 1994 by Denso Wave for the Japanese automotive industry, encodes information in both the horizontal and vertical directions. The resulting pattern combines several components: the three large finder patterns in the top-left, top-right and bottom-left corners, which let the scanner locate the code and work out its orientation; smaller alignment and timing patterns that help it correct for distortion; and the grid of black and white data modules that encode the payload in binary, interleaved with Reed-Solomon error correction codewords. Those codewords let a code scan successfully even when part of it is dirty, damaged or covered, with the tolerance depending on the error correction level the creator chose, from roughly 7% of the code at the lowest level to roughly 30% at the highest. When scanned, most commonly by a smartphone camera, the pattern is decoded and the embedded payload extracted. That payload can be any text, but it is most commonly a URL that the phone offers to open. The red flag should already be waving from the malicious potential perspective: the person scanning sees a square of dots, not the address they are about to visit.
The QR Code Attack Surface
I’ve already dropped the big clue when it comes to the attack surface presented by malicious QR code usage: they usually link to a URL, and it isn’t always clear where that link is going. That opacity makes QR codes a gift for phishers and scammers. Research from Cisco Talos threat intelligence in November 2024 revealed that 60% of all emails containing a QR code were spam, and a large share of spam carries a malicious payload or link these days. “Not all email messages with a QR code inside are spam or malicious,” Jaeson Schultz, a researcher with Cisco Talos said; “Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on.” The problem is that many of the remainder are phishing links or, as Schultz warned at the time, “multi-factor authentication requests used for phishing user credentials.”
Some of the warnings we have seen recently include that of a 70-year-old woman who thought she was paying her parking fee when she scanned the QR code on the machine, but was actually signing up to a monthly premium gaming subscription service. Another involved attackers distributing printed leaflets, masquerading as official government information on downloading a severe weather warning app, with a QR code pointing to the attackers’ download instead. Google’s warning, linked to at the start of this article, involved Russian threat actors abusing the Signal app’s linked devices feature: the victim is tricked into scanning a QR code that links the attacker’s device to the victim’s Signal account, giving the attacker an ongoing copy of their messages. The point being that the attack surface is broad, and threat actors use multiple different delivery methods, printed and digital, to get a malicious QR code in front of a victim.
Mitigating The QR Code Threat
Despite the apparent success of QR code scammers, the threat can be mitigated, and it basically comes down to applying common security sense: treat a QR code exactly as you should treat any other unknown link, with suspicion, because that is all it is. Here are five tips you should follow when it comes to QR code security:
- Always check where the QR code link is actually taking you before opening it. Your scanner should show you the decoded URL first; look at the domain, not just the beginning of the address, because a familiar brand name at the start of a long URL does not mean that is where you will end up. If your scanner doesn’t show the destination, find another way to reach the site. No legitimate process uses a QR code without also telling you, in plain text, where it leads; if that information is missing, don’t use it. It’s always better to be safe than sorry.
- Check that a physical QR code has not been tampered with. The usual trick is a second sticker placed over the original, so look and feel for edges or a mismatch with the surrounding printing on parking machines, posters and payment terminals.
- Never install an app directly from a QR code link. Go to your device’s official app store yourself and search for the app by name.
- Never blindly follow a QR payment code in an email or letter. Locate the company through a trusted source, such as a previous statement or its known website, and call to confirm the demand is genuine before paying anything.
- Don’t install third-party QR code scanning apps; they add an extra app with its own permissions to the attack surface, when a modern iPhone or Android phone can scan codes from its built-in camera app, which also shows you the destination before opening it.
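The first tip, checking where a code really points before following it, can be turned into a mechanical check. The following Python script is an added example, not code from this article or from any vendor, police force or Google team it cites. It takes the string a camera app or decoding library has already extracted from a QR code and, without connecting anywhere, reports what kind of payload it is, which host it would actually reach, and why it should or should not be followed. It goes a little beyond the tips above by also recognising non-web payloads (Wi-Fi credentials, otpauth:// authenticator enrolment seeds, tel: and sms: links) that trigger a device action rather than open a page. The shortener and brand lists, the sample payloads and the registrable-domain heuristic are all constructed for illustration.

```python
"""Triage a decoded QR payload before anyone follows it.

Added example, not from the article it accompanies. Assumes the QR code has
already been decoded to a string; this inspects only that string and never
connects anywhere. SHORTENERS and WATCHED_BRANDS are constructed,
illustrative lists, not a vetted feed.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed, illustrative data (assumption, not an authoritative source).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
WATCHED_BRANDS = {"paypal", "microsoft", "google", "apple"}
# Non-web payloads a scanner may act on (join Wi-Fi, dial, enrol a 2FA seed).
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "otpauth",
                  "intent", "market", "itms-services"}
APP_SUFFIXES = (".apk", ".ipa", ".mobileconfig")


def registrable_domain(host: str) -> str:
    """Last two labels as a rough registrable domain (assumption: a real tool
    would consult the Public Suffix List to handle e.g. example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _result(kind: str, host: str, findings: list) -> dict:
    """Collapse (severe, message) findings into a verdict."""
    if any(severe for severe, _ in findings):
        verdict = "do-not-follow"
    elif findings:
        verdict = "review"
    else:
        verdict = "open-with-care"
    return {"kind": kind, "host": host,
            "flags": [msg for _, msg in findings], "verdict": verdict}


def assess_qr_payload(payload: str) -> dict:
    """Return {'kind', 'host', 'flags', 'verdict'} for a decoded QR string.

    verdict is 'do-not-follow', 'review' or 'open-with-care'. Nothing is
    fetched: the whole point is deciding before connecting.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    findings = []  # (severe: bool, message: str)

    if scheme in ACTION_SCHEMES:
        findings.append((False, f"{scheme}: payload triggers a device action, not a web page"))
        return _result("action", "", findings)
    if scheme in ("javascript", "data", "file"):
        findings.append((True, f"{scheme}: URL has no legitimate use in a printed or mailed QR code"))
        return _result("url", "", findings)
    if scheme not in ("http", "https"):
        findings.append((False, "not a URL; treat as untrusted text"))
        return _result("text", "", findings)

    host = (parts.hostname or "").lower()
    if not host:
        findings.append((True, "URL has no host"))
        return _result("url", host, findings)
    if scheme == "http":
        findings.append((False, "plain HTTP, no TLS"))
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ shows the brand first on a
        # phone screen but connects to evil.example.
        findings.append((True, f"userinfo '{parts.username}@' in front of the real host {host}"))
    try:
        ipaddress.ip_address(host)
        findings.append((True, "raw IP address instead of a hostname"))
    except ValueError:
        pass
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port string
    if port not in (None, 80, 443):
        findings.append((False, f"non-standard port {port}"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append((True, "punycode label; possible homoglyph of a known domain"))
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append((False, f"shortener {reg} hides the final destination"))
    if host.count(".") >= 4:
        findings.append((False, "deeply nested subdomain"))
    # A watched brand anywhere in the URL except the registrable domain itself.
    visible = (parts.netloc + unquote(parts.path)).lower()
    for brand in sorted(WATCHED_BRANDS):
        if brand in visible and brand not in reg:
            findings.append((True, f"'{brand}' appears in the URL but the domain is {reg}"))
    if unquote(parts.path).lower().endswith(APP_SUFFIXES):
        findings.append((True, "direct app or profile download instead of an app store"))
    return _result("url", host, findings)


if __name__ == "__main__":
    # Constructed sample payloads, as a camera app would decode them.
    for sample in ("https://www.example.com/parking/pay",
                   "https://accounts.google.com@evil.example/login",
                   "http://bit.ly/3abcXYZ",
                   "https://xn--pypal-4ve.com/",
                   "WIFI:T:WPA;S:FreeWifi;P:secret;;"):
        r = assess_qr_payload(sample)
        print(f"{r['verdict']:15} {sample}")
        for flag in r["flags"]:
            print("   -", flag)
```

The script deliberately does nothing but parse: resolving or fetching the URL to “see where it goes” would already give an attacker a click. The userinfo check matters because `urlsplit` reports `hostname` as the part after the `@`, which is where the browser will connect, whereas the part before it is what a phone screen shows first; the brand check looks at the whole visible URL for the same reason. The verdict is advice for a human, not an allow/deny decision, and a clean result still means “open with care”.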