Stop forcing us to scan them!
I’ve started to notice the sudden rise of QR codes within the UK. This started to increase around the same time as COVID. Companies have now started to include them in menus, shop windows and takeaway items.
A few simple examples are restaurants, fast food outlets, coffee shops and even charity bags. Although this movement can help point your customers in the right direction, it’s also reducing our awareness of risk, or training our behaviour.
When we use something so frequently, it becomes second nature. With second nature, we “think” less about what we are doing. The idea of something we do so often suddenly becoming a risk becomes a low priority. This amplifies dramatically when you see the same method in different situations or settings (more companies expecting you to scan QR codes).
So, what is the risk?
Hover over. For iPhone users, you can use the default camera.
As you can see, the only option it gives is the “Open in [Browser]”.
That doesn’t give us much to go on or explain what this is, so you suddenly put your trust in the object you found it on. In restaurants, the staff will tell you to scan it, which often lowers your guard.
For some known sites, it will try to match the URL. Hover over the below:
As you can see, it will say GitHub. If you did accidentally click this, you would see it downloaded a file (ZIP). See how easy that was.
Now imagine, if I used a redirect, spoofed/similar domain or hosted this on a trusted site (Cloud, File Hosting). You would see the trusted or known domain and be more likely to click the link.
“Not a big deal, the company wouldn’t print a malicious QR code”
For that I say, you are probably right. A company wouldn’t print malicious QR codes, however what if someone were to swap them?
- What if the airport didn’t use QR codes but you saw them anyway?
- What if that wasn’t a link to login to the Wi-Fi?
- What if that wasn’t company X’s login page?
These QR codes could point you to various malicious or phishing sites to steal your credentials, finance information or other sensitive data.
Malicious parties track our behaviour. That is why certain phishing campaigns are so successful. They monitor users’ behaviours and adapt their attacks. With these types of attacks, it’s simpler. If someone printed off a matching menu and swapped a few, do you think the staff would know?
I’ve even seen a simple QR code stuck to the wall with no reference.
This triggers curiosity and can even be more successful than some direct attacks: “the unknown or what if”.
Who is to say that QR code has anything to do with Canada?
So, what’s the answer?
It’s the same steps as for normal phishing attacks. Education, education, and user awareness. Although it won’t prevent the usage, it should at least trigger a pause for the user: “should I click this?”. This is what everyone in cyber security hopes for: that split second before a click where the user hesitates or questions.
The other side to this is on the companies using these. STOP FORCING US TO USE THEM AND PROVIDE OPTIONS. I’ve been in some restaurants where you can only use the QR code… these types of businesses should stop. Until the awareness is there, or we have tools to mitigate, we can’t be forcing users down this path.
These “tools” should also come by default. This doesn’t need to be anything special, but what if we had transparency or “customisation”? For example:
- Settings to block any redirect URLs.
- Show the domain for all, regardless of domain.
- A flag if the URL ends with a file format. (.zip, .apk etc…).
- A button to view the URL “Defanged” (if long).
- A warning that there is zero protection if the user clicks.
Not all users will use the above, but having it by default at least allows us to protect the few that will. I like the last one, as people often think that security is always there by default: because Apple or Google offer QR scanning in their camera app, there must be some level of protection. This thought process is dangerous and one we need to drop (assumptions of protection).
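As an added illustration of the checks in that list (this is not code from the original post), here is a small Python inspector that takes a URL already decoded from a QR code and applies them: it always reports the domain, flags file-download paths, flags query parameters that carry another URL (the redirect case), and produces a defanged view. The host names in the sample input are constructed.

```python
from urllib.parse import urlparse, parse_qs, unquote

# File types the post calls out, plus common installers (assumed list, extend as needed)
RISKY_EXTENSIONS = (".zip", ".apk", ".exe", ".msi", ".dmg", ".scr")
# A query value starting like this is another URL, the shape an open redirect relies on
URL_LIKE_PREFIXES = ("http://", "https://", "//")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident (hxxp://, [.])."""
    return (url.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


def inspect_url(url: str) -> dict:
    """Apply the post's proposed scanner checks to a decoded QR URL."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    findings = []

    if parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{parsed.scheme}'")
    elif parsed.scheme == "http":
        findings.append("unencrypted http")
    if path.endswith(RISKY_EXTENSIONS):
        findings.append(f"direct file download ({path.rsplit('.', 1)[-1]})")
    for name, values in parse_qs(parsed.query).items():
        if any(unquote(v).lower().startswith(URL_LIKE_PREFIXES) for v in values):
            findings.append(f"query parameter '{name}' carries another URL (possible redirect)")
    if parsed.username or parsed.password:
        findings.append("credentials embedded before the host")

    # The domain is shown regardless of whether any finding fired (check 2 in the list)
    return {"domain": host, "defanged": defang(url), "findings": findings}


# Constructed sample URLs: a download, a redirect through a trusted-looking host, a plain menu
if __name__ == "__main__":
    for sample in ("https://github.com/example/repo/archive/main.zip",
                   "https://trusted.example/go?next=https://evil.example/login",
                   "https://menu.example/order"):
        print(inspect_url(sample))
```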
Although this will continue to be “low risk” for now, it’s important to try and spread awareness when we can. Bombarding users to do this and that will only steer them to another type of attack.
A simple reminder or a simple post such as this can hopefully keep that “should I click this” mechanism ticking over.
If you enjoyed reading my content and want to support, why not consider signing up and becoming a member. It’s $5 a month, for unlimited access to all stories on Medium. Join now! 🙂
Need help? Why not also check out my Fiverr or UpWork.
Regardless, thank you for reading!