With increased QR Code scanning comes greater security concern. While marketers and consumers have realized the mutual benefits QR Codes provide, unfortunately, so too have cybercriminals. Without proper safeguards in place, QR Codes can easily become a vehicle for spreading malware, identity theft, and phishing schemes.
Today, traditional product barcodes (UPC, EAN, ISBN, etc.) appear on virtually every consumer product. Their function and content are essentially well understood: most consumers realize that these barcodes contain a product number of some kind, used in conjunction with a point-of-sale system for price lookup and inventory management. The contents of these barcodes are clearly indicated, with the barcode number printed just below the symbol.
QR Codes, though, typically appear in isolation, with no indication of their actual content. The QR Code may appear with brief text that suggests “Scan the QR Code for more information” or “Scan the code to visit our Website”; but rarely is the actual content of the code provided. Arguably, this is one of the great benefits of the QR Code: a relatively large amount of data (like a lengthy website URL) can be stored in the barcode while using a small print area. Marketers can store long URLs to deeply linked content in a QR Code, and yet take up only a square inch or so of print space.
But neither what lies within the QR Code, nor the software used to scan and process it, is necessarily friendly.
Below are some potential security threats posed by QR Codes and their use:
Counterfeit or hijacked QR Codes
Perhaps the easiest and most common threats are counterfeit or “hijacked” QR Codes. An attacker simply places a bogus QR Code over a valid one (e.g., with their QR Code printed on a sticker), or just adds a QR Code where one did not previously exist. When scanned, the attacker’s QR Code directs the consumer to a hostile website, rather than the one intended by the original campaign. These types of schemes attempt phishing (stealing login and personal information), identity theft, and even malware propagation.
Detecting counterfeit codes can be harder than you think: sophisticated attackers create very convincing “fake websites” that can be difficult to distinguish from a valid site. The behavior of mobile browsers can even help mask fake sites. For instance, to maximize the display area of web pages, many mobile browsers do not display the address bar (i.e., the website URL) at the top of the screen when launched. The user must scroll up after the page is displayed to see the website address. Some QR Code scanning applications that integrate a browser control directly may only display the URL briefly or not at all.
Untrustworthy scanning applications
Visit any mobile application store, search for “QR Code scanner”, and scroll through the results. Today there are easily more than 100 different QR Code scanning applications available. Even with the system testing and quality assurance the mobile operating system stores provide for these applications (some more rigorous than others), can they really be trusted?
While some of these applications truly are simple barcode scanners providing minimal barcode decoding functions, others are very sophisticated multi-function applications for competitive shopping and information sharing. Many QR Code scanning applications request access not just to the mobile device’s camera, but also to contacts, personal information, location, media files, Wi-Fi settings, and more. This creates two security risks:
- Is the application’s use of this broad access trustworthy? With this much access to the device and its contents, a malicious application could mine personal data. Even for applications with no malicious intent, like competitive shopping applications that access your personal data to provide a targeted and customized experience, ask yourself: do you really want a third party tracking your location, or other potentially personally identifiable information, with every QR Code scanned?
- Is the application well written and stable? Accessing all of this information on your phone implies a more complex application, increasing the chance of software defects that could harm your data or device. Even the most carefully written and tested applications can have software defects that, when triggered, can damage your data or even your device.
Lack of standards
Even though QR Codes have been in use in the United States for over a decade, no industry-recognized standards for their use with mobile devices and campaigns have been developed, either domestically or internationally.
There have been several attempts to standardize QR Codes. Several organizations have published whitepapers or suggested standards for the mobile barcode industry (CTIA, GSMA, and OMA to name a few). However, none of these efforts have had widespread adoption. The features and capabilities of mobile barcodes continue to expand and evolve, almost organically as new uses are promoted.
Initially, QR Codes performed a few simple actions like launching a website or dialing a phone number; but today QR Codes can connect you to a Wi-Fi network, send emails, add contacts and calendar events to your device, send SMS, and even launch other applications. The lack of formal standards has led in part to the vast number of QR Code scanning applications in existence today; many with disparate features and capabilities. Conversely, product barcodes enjoy well-established industry standards for virtually every aspect from barcode size and placement, to their content and use (e.g., AAMVA, GS1, HIBC, IUID, etc.).
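As an added example (not code from the article or any product it mentions), here is the kind of pre-action check a scanning application could apply to decoded content, covering the action types listed above and the hidden-URL problem described earlier. The payload prefixes are the de-facto formats common scanner apps recognise; the specific risk rules and sample payloads are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# De-facto payload prefixes that scanner apps turn into actions (assumption: this
# covers the common formats; vendor-specific ones exist too).
ACTION_PREFIXES = {
    "WIFI:": "wifi", "MAILTO:": "email", "SMSTO:": "sms", "SMS:": "sms",
    "TEL:": "call", "MECARD:": "contact", "BEGIN:VCARD": "contact",
    "BEGIN:VEVENT": "calendar", "GEO:": "location",
}

def classify(payload):
    """Return the action a scanner would take for this decoded payload."""
    upper = payload.strip().upper()
    for prefix, kind in ACTION_PREFIXES.items():
        if upper.startswith(prefix):
            return kind
    return "url" if upper.startswith(("HTTP://", "HTTPS://")) else "text"

def _wifi_fields(payload):
    """Parse 'WIFI:T:WPA;S:ssid;P:secret;H:true;;' into {'T': 'WPA', ...} (no escape handling)."""
    items = payload.strip()[len("WIFI:"):].split(";")
    return {k.upper(): v for k, _, v in (i.partition(":") for i in items if ":" in i)}

def assess(payload):
    """Classify the payload and list warnings to show the user before acting on it."""
    kind, warnings = classify(payload), []
    if kind == "url":
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""          # hostname is lowercased by urlsplit
        if parts.scheme.lower() != "https":
            warnings.append("link is not HTTPS")
        if "@" in parts.netloc:              # user-info before '@' can hide the real host
            warnings.append(f"'@' in URL; the real host is {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            warnings.append("link points to a raw IP address")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host name; check for a look-alike domain")
    elif kind == "wifi":
        fields = _wifi_fields(payload)
        if fields.get("T", "").lower() in ("", "nopass"):
            warnings.append("joins an open (unencrypted) network")
        if fields.get("H", "").lower() == "true":
            warnings.append("joins a hidden network")
    elif kind != "text":
        warnings.append(f"payload triggers a '{kind}' action; confirm before proceeding")
    return kind, warnings
```

A scanner that shows the full host name and these warnings before opening the link, joining the network or sending the message gives the user the chance to notice a counterfeit code that the mobile browser's hidden address bar would otherwise mask.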
In a time when preventing data breaches and cyber-attacks seems increasingly impossible, businesses need to ensure their scanning application provides a layer of protection for themselves and their consumers. You may never be able to control the entire consumer scanning experience end-to-end, but taking a proactive approach to QR Code security can go a long way toward protecting not only your valuable data, but also your consumer relationships and brand identity.
Let us know your ideas and thoughts on QR Code risks in marketing. Reach us on Twitter, #MW&QR!