Morioh
Login
Marielle Rippin

Marielle Rippin

3 years ago

If it seems like QR codes have popped up everywhere these days, you’re right. Ever since they were first used by the Japanese auto industry to streamline manufacturing processes, companies everywhere have capitalized on the benefits of QR codes. They’re cheap to deploy and can be applied to almost anything — which is why every industry from retail to healthcare is now using them as a quick and easy way to link people to websites, promotional campaigns, store discounts, patient medical records, mobile payments and a whole lot more.

QR codes aren’t just cost-effective and simple to use. They’re also essential, especially during a pandemic where contactless transactions have become the norm. What’s more, at least 81 percent of Americans now own a smartphone, and nearly all of those devices can natively read QR codes with no third-party app required. So, QR codes are clearly having their moment.

What the Numbers Say (Hint: It’s Not Good)

My company, MobileIron, wanted to better understand current QR code trends, so in September we conducted a survey of more than 2,100 consumers across the U.S. and the U.K. It confirmed that QR codes are indeed more widely used today. For instance, in the last six months, more than one-third of mobile users scanned a QR code at a restaurant, bar, retailer or on a consumer product.

The results also highlighted some alarming trends: Mobile users don’t really understand the potential risks of QR codes, and nearly three-fourths (71 percent) of respondents can’t tell the difference between a legitimate and malicious QR code. At the same time, more than half (51 percent) of surveyed users don’t have (or don’t know if they have) mobile security on their devices.

Like so many things that feel like they’ve been part of our lives forever, we don’t give QR codes much thought. Mobile devices have conditioned us to take quick actions — swipe, tap, click, pay — all while we’re distracted by other things like working, shopping, eating (and unfortunately, yes, driving).

This is exactly the kind of implicit trust and thoughtless action hackers thrive on. And it’s why, if mobile employees are using their personal devices to access business apps and scan potentially risky QR codes, enterprise IT should start taking a much closer look at their mobile security approach.

So What, Exactly, Are the Risks of QR Codes?

Hacking an actual QR code would require some serious skills to change around the pixelated dots in the code’s matrix. Hackers have figured out a far easier method instead. This involves embedding malicious software in QR codes (which can be generated by free tools widely available on the internet). To an average user, these codes all look the same, but a malicious QR code can direct a user to a fake website. It can also capture personal data or install malicious software on a smartphone that initiates actions like this:

  • **Add a contact listing: **Hackers can add a new contact listing on the user’s phone and use it to launch a spear phishing or other personalized attack.
  • Initiate a phone call: By triggering a call to the scammer, this type of exploit can expose the phone number to a bad actor.
  • **Text someone: **In addition to sending a text message to a malicious recipient, a user’s contacts could also receive a malicious text from a scammer.
  • **Write an email: **Similar to a malicious text, a hacker can draft an email and populate the recipient and subject lines. Hackers could target the user’s work email if the device lacks mobile threat protection.
  • Make a payment: If the QR code is malicious, it could allow hackers to automatically send a payment and capture the user’s personal financial data.
  • Reveal the user’s location: Malicious software can silently track the user’s geolocation and send this data to an app or website.
  • Follow social-media accounts: The user’s social media accounts can be directed to follow a malicious account, which can then expose the user’s personal information and contacts.
  • Add a preferred Wi-Fi network: A compromised network can be added to the device’s preferred network list and include a credential that automatically connects the device to that network.

#infosec insider #malware #mobile security #web security #brian foster #contactless #cyberattacks #how to spot #infosec insider #malicious links #mobile security #mobileiron #qr codes #scanning #security threats

QR Codes: A Sneaky Security Threat

threatpost.com

QR Codes: A Sneaky Security Threat

What to watch out for, and how to protect yourself from malicious versions of these mobile shortcuts.Add a contact listing: Hackers can add a new contact listing on the user's phone and use it to launch a spear phishing or other personalized attack. Initiate a phone call: By triggering a call to the scammer, this type of exploit can expose the phone number to a bad actor.

1.20 GEEK