QR codes on packaging, posters or in bars as a security trap?
QR codes, as used on packaging, posters or in bars, seem to be a practical thing. They tempt you to simply hold your smartphone up to them. Despite the many advantages for companies and consumers, Chester Wisniewski, security expert at Sophos, advises: "I would stay away from them."
People like convenience, that much is well known. Why fiddle with a browser on a small smartphone display when a QR code does the job? Information that is needed on the spot is quickly at hand. More and more companies are using these advantages, for example to give customers additional information about products or how to use them. And, as always, once a technology has become established in everyday life, cyber criminals are not far behind. QR codes can be a security trap: "quishing" is the name for fraud carried out via QR codes. Sophos has analyzed the trend in this article. We interviewed Chester Wisniewski, Director and Global Field CTO at Sophos. He answers the most important questions about the security of QR codes.
QR codes are proving increasingly popular in sales, marketing and payment systems. How did this development come about and to what extent do they improve the customer experience?
Chester Wisniewski: Nobody likes to talk in computer-speak. The advantage of being able to use a smartphone for quick information or action is a strong motivation for both providers and users of QR codes. This, combined with the environmental benefits of not having to print out documents and the fact that many companies can incorporate complex tracking tokens into URLs, further contributes to the spread of QR codes.
While QR codes offer great added value, there are growing concerns about their security. What types of fraud or malicious activity have emerged in recent years that have targeted users via QR codes?
Anyone can produce QR codes and it is not possible to authenticate them. It requires a high level of trust from the consumer that the QR code they see at the parking ticket machine or on the coffee table is genuine. We've heard of incidents, specifically involving payments, where fraudsters have printed out QR codes and stuck them onto real QR codes to direct people to a phishing website to grab their credit card details and personal information.
For example, what steps can retailers take to ensure that the QR codes they use in-store or online are secure and legitimate? How can they protect their customers from potential fraud or phishing attacks?
Stores, retailers, restaurants, etc. that use QR codes should check them regularly - especially if the QR codes are displayed publicly. This becomes more of a challenge with distributed systems such as parking ticket machines. Consumers are well advised not to scan QR codes that they don't really trust and prefer to use another means of payment with fewer risks. I personally avoid ATMs that have dodgy keyboards or are clearly not in their original condition - the same could be applied to QR stickers. QR codes should really never be used online, as most are just a visual form of a URL. If you want someone to click on a link, then you should use a link. There are exceptions, but generally they prove the rule.
What "red flags" should consumers be wary of when scanning QR codes in public or on products to avoid falling victim to criminals?
QR codes transfer an image into a website address. When the code opens in the browser, you should look at the address bar and check where the user is being directed to. If you do not like this destination, it is wise to close the application. The safest way for the consumer? Don't scan the QR code. Instead, use your favorite search engine. However, there are also applications for mobile devices, such as Sophos Intercept X, which contain QR code scanners that draw attention to malicious links.
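As an added example written for this interview (it is not Sophos code and not a tool Wisniewski mentions), the following Python script applies both pieces of advice above: the consumer-side check of where a QR code's URL actually points, with the red flag the interview names (a destination you do not recognise) plus a few further warning signs a defender would look for, and the retailer-side periodic audit of publicly displayed codes, which detects the sticker-over-the-real-code trick by comparing each scanned payload with what was printed. It assumes the QR image has already been decoded to its text payload by a scanner library; every host name, shortener domain and location in it is a constructed sample value.

```python
"""Inspect the URL a QR code decodes to, before anyone opens it.

Added example written for this interview; it is not Sophos code.
Assumes the QR image has already been decoded to its text payload by a
scanner library, so only the payload string is judged here. All hosts
and shortener domains below are constructed sample values.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: well-known URL shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def inspect_qr_payload(payload, expected_hosts=None):
    """Judge a decoded QR payload.

    Returns a dict with 'verdict' ('ok', 'suspicious' or 'not_a_url'),
    the 'host' it points at, and the list of 'reasons' for suspicion.
    If expected_hosts is given, any host outside that set is flagged,
    which is the check a retailer can run on its own printed codes.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname
    if scheme not in ("http", "https") or not host:
        # Wi-Fi, vCard, mailto and plain-text payloads are not web links;
        # treat them as something to read, not something to open.
        return {"verdict": "not_a_url", "host": None,
                "reasons": ["payload is not an http(s) URL"]}

    host = host.lower()
    reasons = []
    if scheme != "https":
        reasons.append("plain http, no TLS")
    if parts.username is not None:
        # https://trusted.example@evil.example/ shows the trusted name
        # first, but the browser connects to the part after the '@'.
        reasons.append("credentials embedded before the real host")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("non-ASCII or punycode host (possible look-alike)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    if expected_hosts is not None and host not in expected_hosts:
        reasons.append("host %r is not one of the expected hosts" % host)

    return {"verdict": "suspicious" if reasons else "ok",
            "host": host, "reasons": reasons}


def audit_placed_codes(printed, scanned):
    """Retailer-side periodic check: compare the payload scanned at each
    location with the URL that was printed there. A mismatch is the
    sticker-over-the-real-code fraud the interview describes."""
    mismatches = []
    for location, expected_url in printed.items():
        found = scanned.get(location)
        if found is None:
            mismatches.append((location, "no code could be scanned"))
        elif found.strip() != expected_url:
            mismatches.append((location, "payload changed to %r" % found.strip()))
    return mismatches


if __name__ == "__main__":
    # Constructed register of what the shop printed and what a walk-round scan found.
    printed = {
        "parking-meter-A1": "https://pay.example-store.test/lot/A1",
        "poster-entrance": "https://www.example-store.test/menu",
    }
    scanned = {
        "parking-meter-A1": "https://pay.example-store.test/lot/A1",
        "poster-entrance": "https://bit.ly/x9q2",  # sticker placed over the original
    }
    for location, problem in audit_placed_codes(printed, scanned):
        print("%s: %s" % (location, problem))
    own_hosts = {"pay.example-store.test", "www.example-store.test"}
    for payload in scanned.values():
        print(payload, "->", inspect_qr_payload(payload, own_hosts))
```

The consumer use is `inspect_qr_payload(payload)` with no allowlist, which mirrors reading the address bar before going further; the retailer use passes its own hosts and runs `audit_placed_codes` on a schedule against a register of where each code was placed, so a code that now decodes to a different URL than the one printed is reported by location.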
A look into the future: How will the role of QR codes in retail and other industries develop? Will they become more secure with new technologies or will security remain a challenge?
I don't see the security of QR codes improving. They were originally developed for machines and not for people to use them in everyday life. Authenticating QR codes is a task that cannot be solved so easily. Ideally, QR codes should be firmly and visibly embedded in posters, product packaging etc. and not just a sticker stuck on somewhere. Ultimately, however, the responsibility lies with the consumer: If a QR code seems strange, it is better to keep your hands off it and rely on a tried-and-tested, secure information retrieval or payment method.