QR codes – why you shouldn’t get too comfortable using them

QR codes have experienced a bit of a renaissance in the last year. But that resurgence is attracting unwanted attention.
22 January 2021


  • QR codes are back in business, driven by a need for touchless interactions between consumers and businesses, especially in contact tracing
  • In the US alone, an estimated 11 million households scanned a QR code in 2020
  • But we shouldn’t get too comfortable with them, as hackers seek to exploit the convenient access they offer to personal devices

Quick Response Codes, more commonly known as QR Codes, have experienced a bit of a renaissance in the last year.

First designed in 1994 for Japan’s automotive industry, these matrix barcodes – or machine-readable optical labels – were found popping up in shops, bars, and restaurants, as the health crisis uncovered renewed potential in the technology.

Businesses could quickly and easily deploy their own unique black-and-white square signatures, and with practically everybody owning a half-decent smartphone, QR codes offered a cheap and effective solution for contact tracing. Customers could scan the code to ‘check-in’ to a location, ensuring that in the event an outbreak was traced back to that establishment, they could be contacted and informed.

But businesses quickly embraced the wider touchless potential of QR codes in their interactions with customers, such as providing access to a paperless menu.

According to a recent survey by Statista, in the US alone, an estimated 11 million households scanned a QR code in 2020, up from an estimated 9.76 million scans in 2018.

Despite existing for nearly 30 years – and offering a simple and versatile means of digital customer interaction on-the-fly – in the Western world, QR codes fell out of favor in the decade or so running up to the pandemic, perhaps due to lack of reliability with then-current smartphone models and poorer data connectivity leading to long page-load times.

“QR codes have been around for decades, but up until now, they were never really adopted by the consumer – partly because businesses failed to acknowledge the value of the QR code from a marketing perspective,” Roger Wade, founder and chief executive of UK street food, retail, and events concept Boxpark, told Campaign.

“I’ve been saying for nearly 10 years that QR codes would have a renaissance, and as a result of the Covid-19 pandemic, usage is now widespread.”

Since the pandemic, businesses and governments have adopted QR codes for a multitude of uses, beyond just contact tracing. Multinational brewer Carlsberg added QR codes to various touchpoints, enabling customers to gain points, accept invitations or find details about new products.

American giants such as Walmart, Starbucks, and Decathlon are using QR Codes for payments and loyalty accounts. Similarly, Nike, Home Depot, and Diesel are using them for marketing.

Leaked files in June last year also suggested Apple was working on a way of introducing augmented reality apps triggered by scanning QR codes, which could bring a new experiential approach to marketing for businesses, big and small.

QR codes – a cybersecurity risk?

But as QR code technology enjoys a new appreciation among businesses and consumers, a new report by Forbes suggests that they could become the fastest-growing threat vectors globally – thanks also to their ease of set-up and use.

“Fraudsters are quick to capitalize on the opportunity QR codes’ soaring popularity presents too. Combining social engineering with QR codes that can be created in a second, fraudsters are using them to open victims’ bank accounts and drain them within seconds, install malware, penetrate entire corporate networks, and more,” the report stated.

QR codes are frictionless, which makes it easy to catch users off guard even without advanced exploits. Using free QR code software, a hacker could direct users to a website asking them to sign in with Facebook or Gmail. Many other phishing and clickjacking scams that need little technical skill are possible if someone has access to change the QR code.

A report by MobileIron found consumers vulnerable: 71% couldn’t tell the difference between a legitimate and a malicious code. At the same time, more than half (51%) of surveyed users didn’t have (or didn’t know if they had) mobile security on their devices.

As they become a more natural part of life, enabling quick, thoughtless, and convenient interactions — swipe, tap, click, pay — QR code technology offers an increasingly successful vehicle for cyberattacks.

That’s a problem for businesses too, as remote workforces – or even those back in the office – may be using company devices, or their own personal ones with company access, to scan fraudulent codes which could ultimately compromise enterprise IT networks.

A few of the approaches hackers could take are adding a contact listing to a device that could be used for a spear-phishing attack later; initiating a phone call to expose the victim’s number; making payments or capturing the user’s finance data; revealing the user’s location; or adding a compromised wi-fi network.

Users can protect themselves by making sure QR codes look legitimate, especially printed ones that can be pasted over. Codes should also be scanned only from trusted senders, while URLs can be checked as pages load – bit.ly links are often used to disguise malicious code.
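The same checks can be applied to the decoded text of a code before a device acts on it. The sketch below is an added example, not code from the article or from any product it cites: the `triage` function, the shortener list, the payment prefixes and the sample payloads are constructed assumptions, and the prefixes cover the action types listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener list; the article itself names only bit.ly.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Payload prefixes scanner apps commonly act on, mapped to the article's action types.
ACTIONS = [
    ("wifi:", "join a wi-fi network"),
    ("tel:", "start a phone call"),
    ("mecard:", "add a contact"),
    ("begin:vcard", "add a contact"),
    ("geo:", "open a map location"),
    ("bitcoin:", "start a payment"),
    ("upi:", "start a payment"),
]

def triage(payload):
    """Return (action, warnings) for the decoded text of a QR code."""
    text = payload.strip()
    low = text.lower()
    for prefix, action in ACTIONS:
        if low.startswith(prefix):
            return action, [f"code asks the device to {action}; confirm first"]
    if not low.startswith(("http://", "https://")):
        return "other", ["unrecognised payload; do not open automatically"]
    try:
        url = urlsplit(text)
        host = url.hostname or ""
    except ValueError:
        return "other", ["malformed URL"]
    warnings = []
    if url.scheme != "https":
        warnings.append("not HTTPS")
    if url.username or url.password:
        warnings.append("credentials in URL hide the real host")
    if host in SHORTENERS:
        warnings.append("shortened link hides the destination")
    if "xn--" in host:
        warnings.append("punycode host may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # host is a normal domain name
    return "open a web page", warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real codes.
    for sample in ("https://bit.ly/3xAmpl3", "WIFI:T:WPA;S:CafeGuest;P:example-pass;;",
                   "http://203.0.113.7/login", "https://menu.example.com/table/12"):
        print(sample, "->", triage(sample))
```

A shortened link or a non-web action is not proof of fraud; the output is a prompt to look at where the code leads before accepting it.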

According to MobileIron senior vice president of product management Brian Foster, companies need an on-device mobile threat defense solution that has to be deployed on every device that accesses business apps and data, “because enterprise security is only as good as the weakest link in your company.”

“If you do nothing else, now’s the time to consider eliminating password-based access to business and cloud apps, which is one of the top causes of data breaches today. By shifting to passwordless multi-factor authentication, you not only eliminate the threat of stolen passwords, but you also eliminate the hassle of maintaining them — which makes everyone (except hackers) a lot happier and more productive,” he added.

In short, the QR code is back, but while that’s a great thing, users shouldn’t get too comfortable.