Quick Reaction (QR) codes have been around for over a decade, but their use has skyrocketed over the last five years. Ten years ago, only a handful of people understood QR codes. According to Eric Holtzclaw’s Inc. article, “QR Codes? Don’t Bother. 5 Reasons,” in 2012 only 3% of customers knew what a QR code was but then a popular social media platform called Snapchat embraced QR codes and their use soared. In 2017, Snapcodes (Snapchat quick links to users) were being scanned 8 million times per day, and 34% of American mobile phone users had checked a QR code, posts Jay Leonard in “The Rise and Fall of the QR Code” on the business professional platform, Business 2 Community. In “The State of QR in 2021,” the products platform Blue Bite reports that between 2018 and 2020 there was a 96% growth in total QR code reach. What made QR codes so popular? It was indeed a perfect storm. The COVID-19 pandemic hit, and businesses needed a way to provide menus to customers without the risk of spreading germs. Many companies recognized the cost savings and enjoyed no longer having to pay to print or reprint menus when there was an item change. Marketing teams have also embraced QR codes, putting them on t-shirts, commercials, signs and flyers. Today we see QR codes everywhere, at tables in restaurants as menus and payment methods, in parking garages to remember where someone parked, in hotels to order room service, at coffee shops to connect to Wi-Fi and as the contact information on business cards.
This sounds like a net positive for most businesses, so how could QR codes put a company at risk? Unfortunately, computer hackers have a terrible habit of ruining everything.
To understand how hackers can use QR codes, it’s first essential to know how a QR code works. According to Leonard, they were invented in 1994 by a Toyota subsidiary company called Denso Wave to improve barcodes. Denso Wave found QR codes superior to barcodes because QR codes can be read in any direction and can store around 3,000 characters or 3,000 bytes on average, which is about 10 times the amount of data a barcode can hold. Initially, Denso Wave used all that space to store automobile tracking and manufacturing information. Now, the public uses QR codes to store website URLs, links to the app store, everything (ID and password) needed to connect to Wi-Fi and payment information.
Depending on the reader’s experience with data, 3,000 bytes may not sound like much room to write a malicious program or perform an attack. To provide some perspective, computer programs can vary from a few bytes to gigabytes. For example, Windows 10 (the most popular desktop operating system) is approximately 6GB. A gigabyte is about 1,000,000,000 bytes, which might make the QR code sound small in comparison, but a QR code has more than enough room to write a virus in it or link to a malicious page. Many computer viruses can infect a machine using less than 100 bytes. For example, according to Mark Ludwig’s “The Giant Black Book of Computer Viruses,” the Trivial Boot virus is 45 bytes and is a very capable boot sector virus.
Some of the attacks that caught my attention were the Austin, TX, parking meter attacks and the tampering of QR codes in restaurants. Yaniv Masjedi writes about these attacks in the article “How to Spot a Fake QR Code Scam [9 New Examples]” on aura.com. Early this year, the Austin Police Department released an update via their Twitter account that detailed an attack where hackers were putting fake QR codes on parking meters and asking for patrons to scan the QR code on the meters to pay for parking. Customers were shocked to find out that after paying for their tickets, their vehicles were still ticketed and, in some cases, towed.
Another popular attack vector by hackers is to place fake QR codes in restaurants and tempt germ-wary patrons with contactless order and payment. The QR code leads to a link that looks much like the one from the restaurant but is aimed at stealing money and data from the customer. The attackers will put up a sign that looks like it belongs to the restaurant and clones its webpage so that the customer is none the wiser. The customer thinks they are ordering a meal when, in fact, they are just sending money to the hacker.
Stories about hackers comprising QR codes are starting to pop up everywhere. The problem has become so prominent that the FBI released a public service announcement earlier this year warning of a rise in hacker activity around QR codes. There have been several reports of hackers using QR codes to redirect people to fake corporate websites, payment sites, connections to malicious networks, injecting code or even writing a virus in QR. Hackers use these techniques to steal money or data from their victims.
Currently, beyond human review, there isn’t much protection against malicious QR codes. One protection mechanism is a QR scanner, like this free Kaspersky QR scanner that can be downloaded at https://usa.kaspersky.com/qr-scanner (i-PRO Americas Inc does not endorse this scanner, just using it as an example). It will check the QR code for standard malicious techniques, scan the website to ensure it is okay and review the code behind the image to ensure it is safe.
How can a business protect itself better? If a company has QR codes, then make sure they are being physically inspected by staff regularly to ensure that no one has put a malicious QR code over the real one. I suggest using a branding tool to put the company logo inside QR codes. This will help staff recognize fake QR codes with a little more ease. Also, inspect company grounds to ensure that no one has posted their QR codes on company property and train staff to avoid scanning QR codes from an unknown email address or an email address that looks suspicious. Consider asking employees to download a QR scanner like the Kaspersky one mentioned earlier if they need to scan QR codes regularly. For more information or to report a QR code scam, please contact a local FBI field office at www.fbi.gov/contact-us/field-offices.
QR codes can be an excellent business enabler, a marketing tool and a cost saver on marketing materials. Businesses should continue to use QR codes, train staff on what to look for in malicious codes and report malicious codes to the authorities when detected.