As QR Codes Pop Up More And More, Have You Considered The Cybersecurity Risks?

Have you noticed the growing number of little square-shaped stickers with barcode-like patterns affixed to store windows, restaurant tabletops, and even elevators?

Up until about 18 months ago these little two-dimensional barcode squares likely went unnoticed by the average consumer, even though they have been around since the early 1990s when car companies began to utilize them to track vehicles and parts. However, due in some part to the Covid-19 pandemic, there has been an uptick in the use of QR codes as we look for ways to be a more touch-free society. So, while we may be taking measures to protect ourselves against a deadly virus, are we simultaneously putting the security of our data and personal information more at risk?

So, what exactly are these barcode-like squares?

QR is short for “Quick Response.” A QR code is like a barcode but holds over a hundred times more data than a traditional barcode. The information is stored both horizontally and vertically and can be read by smartphone cameras. When you point your smartphone camera at a QR code, it will scan the code and direct you to visit a website, an application, or display information. Perhaps you have seen them on the window or door of your local convenience store, in an elevator, a bus stops or train station, in a movie theatre, the mall, on food packaging, or in magazines?

As we are all looking to reduce health risks during the current Covid-19 pandemic, opportunities to become a more touch-free society are being recognized. If you have been to a restaurant in the past few months, you may have been forced to use a QR code to see the menu. If you have attended a sporting event recently, you may have noticed there are no physical tickets, but instead, an electronic ticket that has a QR code, filled with all the information about the time of the game and location of your seats, all ready to be scanned upon entry to the event.  If you have recently taken a flight, the airlines will have you fill out your personal information and Covid-19 status before flying, before issuing you a QR code that remains with you throughout your travels. As more and more opportunities present themselves for QR codes in our day-to-day lives, the more you will start to notice them; that is until they become so commonplace you don’t remember a time without them.

How to use QR codes and additional purposes.

Several Apps can be used to scan the QR code, you can even use your cell phone’s camera, which has built-in QR scanners. Once the App or camera scans the QR code, a website URL (address) will appear. You simply click on the URL link, and it sends you to the intended website. Some Apps will take you right to the website upon scanning the QR code. These QR codes eliminate the need to take out your phone, go to a web browser APP, and type in the website address. QR codes are becoming even more prevalent than just accessing a particular website. Today scanning a QR code can allow you to purchase goods, receive a coupon, connect to Wi-Fi, obtain more information about an item, the sale of property, and even provide details about an exhibit at a zoo or museum.

Do QR codes pose security risks?

The good news is QR codes themselves are secure and cannot be hacked or compromised. The security risks are not in the QR technology, but instead in the destination that a QR code may send a scanner. A bad actor can make a QR code which leads to your data being compromised. The key is to be aware and to only scan “good” QR codes. This can be tricky as the QR codes are not in a format that a human can read its content, making it difficult to determine if the QR code is legitimate or malicious.

While legitimate QR codes do not collect personally identifiable information (PII) from a user, your location information is being tracked, as well as the number of times the QR code is scanned, the time it was scanned, and the operating system (like iOS or Android) of the device scanning.

Malicious QR codes can compromise a user’s data and privacy. Some can even disable the device used to scan the QR code. Your name, credit card information, passwords to your applications and email, as well as posting to applications without a user’s knowledge are all possible outcomes with a compromised device. Malicious code could even launch a ransomware attack. A common scenario after scanning a malicious QR code is a user being led to a webpage that captures the unknowing victim’s username and credentials. This consequence is very similar to clicking on a bad link in an email, where the QR code sends you to a website you believe to be the intended one but instead causes you to unknowingly disclose personal information.

How do you protect yourself?

First and foremost, keep your guard up. It is so easy to develop complacency after becoming comfortable with using QR codes.  As enticing as a QR code promoting a 50% coupon can be, remember this could be a scam created by a hacker looking to embed malicious code or malware on your phone. Since the QR codes are only computer-readable, it is difficult to identify whether the code has been altered without scanning it first. So, some quick tips to protect yourself:

1. Download Apps from trusted sources that are designed to check the scan to verify it is free from malicious links before presenting the information or page you are seeking.
2. Be as cautious with QR codes as you are with links and attachments in emails.
3. Consider your environment before scanning, avoid scanning from emails or in public places.
4. Ask yourself, is this a trusted business or trusted source? If not, do not scan.
5. Does the QR code appear to be affixed properly or is it peeling or a sticker on top of a genuine QR code? If so, do not scan.

What can Capsicum do to help?

At Capsicum, we work with attorneys, corporations, private investigators, and insurance companies providing incident investigations and response. We handle cases involving compromised/hacked devices, ransomware, assist in the recovery of data, perform root causes, and providing recommendations for security going forward.  We also offer proactive solutions such as penetration testing, security assessments, tabletop exercises, and security awareness training.

Should you find yourself in a situation in which you have accidentally scanned a malicious QR code or fallen victim to another type of cybersecurity incident please contact Capsicum Group. As each cybersecurity incident is unique, our experts will work with you to assess the situation and determine the appropriate plan of action moving forward.

About Capsicum:

For over 20 years, Capsicum Group has been providing comprehensive support in the areas of hosted eDiscovery services, digital forensics, data recovery, computer investigations, privacy and security, vulnerability assessment, penetration testing, technology delivery, regulatory compliance, cyber-crimes, and incident response.

Capsicum helps clients reduce eDiscovery time and costs with robust review technology and industry-leading services. Capsicum combines our deep knowledge of law and technology to help clients meet challenges and respond to opportunities. We have performed thousands of collections across many different media and platforms. Our consultants and eDiscovery analysts are certified professionals who have worked on such cases as computer hackings, data breach investigations, intellectual property theft, global bankruptcies, crimes against children, white-collar criminal defense, and internal corporate investigations. We are recognized in the industry as experts and have testified in state, federal, and international courtrooms. Capsicum is headquartered in Philadelphia, PA with offices in New York, Florida, Texas, and California.