QR: Quick response or quite risky?

[harlan4096]

We explain how to avoid getting burned by QR codes.

You can find QR codes on everything from yogurt containers to museum exhibitions, from utility bills to lottery tickets. People use them to open websites, download apps, collect loyalty program points, make payments and transfer money, and even to give to charity. The accessible and practical technology is convenient for many, including, as always, cybercriminals, who have already rolled out a variety of QR-based schemes. Here’s what can go wrong with those ubiquitous black-and-white squares, and how you can use them without fear.

What QR codes are, and how they are used

Nowadays, almost everyone owns a smartphone. Many of the latest models have a built-in QR scanner, but anyone can download an app that reads all QR codes, or opt for a special one, for example, for a museum.

To scan a QR code, a user simply opens the scanner app and points the phone’s camera at the code. Most of the time, the smartphone will prompt you to go to a certain website or download an app. There are other options, however, which we’ll get to in a bit.

Specialized scanners use a specific set of QR codes. You might find such a code on a sign for a historically important tree in a park, for example, in which case scanning it with the park’s official app might start a guided tour, whereas a standard scanner would simply open a description on the park’s website.

Furthermore, some apps can create QR codes to give certain information to anyone who scans them. For example, they might receive the name and password of your guest Wi-Fi network, or bank account details.

How cybercriminals use QR codes

QR codes are just a more advanced version of bar codes, so what could go wrong? Plenty, as it turns out. Humans can’t simply read QR codes or otherwise check in advance what scanning them will do, so we rely on the integrity of their creators. We also can’t know everything a QR code includes, even when we create our own. The system is very exploitable.

Fake links

A QR code created by cybercriminals might point to a phishing site that looks like the login page of a social network or online bank. That’s why we recommend always checking links before tapping or clicking. A QR code, however, affords no such accessibility. Moreover, attackers often use short links, making it harder to spot a fake when the smartphone asks for confirmation.

Similar schemes can trick users into app download errors, for example, by downloading malware instead of the intended game or tool. At that point, the sky’s the limit; malware can steal passwords, send malicious messages to your contacts, and more.
...

Continue Reading