The Federal Trade Commission issued a warning about the "growing abuse" of QR codes. Scammers are exploiting the lack of security around QR codes both online and offline. They embed QR codes into emails as an image so that security software isn't able to detect that the link is malicious. They show QR codes on bogus websites to encourage people to download malware. They paste bogus QR codes over real ones in cities around the world and trick people into going to scam websites. People including, as it happens, my sister.
QR Scams Abound
There has been a rash of scams in the UK where the criminals target car parks and put up posters with their own QR codes on them or put their own QR codes on stickers that they put on top of the genuine codes. People think they are scanning genuine parking app codes, but they are instead directed to an internet site or app run by scammers.
This is the scam that almost caught my sister, who was visiting some friends and parked her car in a public car park. She went to look at the schedule of charges and there was a handy sign advising drivers with smartphones to pay via a QR code. She scanned the code and was directed to a superficially plausible website. After giving her debit card details to what she thought was a legitimate car parking company, my sister fortunately spotted that the website was wholly fraudulent and was able to alert her bank in time to block transactions. But plenty of other people are getting caught in these scams as QR codes are quickly becoming a favourite tool in the criminal fraternity, with one cybersecurity vendor saying that QR featured in a fifth of phishing campaigns it detected in the first weeks of the final quarter of last year.
A few years ago, in connection with a couple of projects I was working on at the time, I looked at the idea that mobile operators do something about the potential for scams by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. This never happened, as I'm sure you are aware, and QR codes became popular precisely because anyone could read them, anyone could use them, anyone could write them.
The result in China, for example, where there was little card infrastructure in place beforehand, was the rapid near-ubiquity of QR in the world's biggest mobile payments market. And not only China, of course. Many years ago, I wrote a blog post about Kazakhstan because it had the highest penetration of EMV terminals in the former Soviet Union and I couldn't resist making fun by posting a picture of a chip and PIN terminal for the well-known fictional character "Borat" to take with him on his next visit to America. Anyway, some 16 years after I wrote that blog post, I finally got to make a chip and PIN transaction in Kazakhstan for myself. I stopped in for a coffee whilst having a wander around the leafy streets near my hotel. I was the only person who did this, by the way, because everyone else who bought coffee used QR. QR was everywhere, from the main streets to the tourist attractions to the mountain tops.
It goes without saying that being early into QR payments, China was also early into QR fraud. A good example was scammers placing fake parking tickets, complete with QR codes for easy mobile fine payment, on parked cars. And first to discover some other fun side effects too. A woman in China who wanted to post photos of the dishes from a hotpot restaurant she visited with her friend accidentally included a QR code that was stuck to the table for ordering and paying for meals... and subsequently received an approximately $60,000 bill at the restaurant after other people who saw the code scanned it and placed orders!
The problem is global. In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank's customers, while in Germany, phoney emails containing QR codes lured online banking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts. And in Texas, criminals hit the streets, pasting stickers of malicious QR codes on to city parking meters and tricking residents into entering credit card details into a fake phishing site.
Even the man who invented QR codes said that they were an interim technology that would be gone by now! In fact he predicted that QR codes would be replaced by something more sophisticated, suggesting that in the future smart software would simply recognise things in the real world and would not need codes at all. He also said that a secure QR code capable of distinguishing between "what you want to share and what you don't" was already being explored in Japan.
Take Care
That smart software isn't here yet, but QR codes are everywhere. So how can you protect yourself today? Well, here's what the Federal Trade Commission says: If you see a QR code in an unexpected place, inspect the URL before you open it. If it looks like a URL you recognise, make sure it's not spoofed: look for misspellings or a switched letter. Don't scan a QR code in an email or text message you weren't expecting, especially if it urges you to act immediately. If you think the message is legitimate, use a phone number or website you know is real to contact the company.
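The FTC's advice can be mechanised. The script below is an added example, not code from the original post or from the FTC: it takes the text a QR scanner decodes and applies the checks above before anything is opened. It flags payloads that are not plain web links, bare IP hosts, credentials hidden before an "@", a trusted brand name buried inside some other domain, and domains that are one or two characters away from a trusted one once common look-alike substitutions (such as "1" for "l") are folded. `KNOWN_DOMAINS` and the sample payloads are constructed for illustration; the `registrable()` helper is a deliberate simplification that a real implementation would replace with the Public Suffix List.

```python
"""Check the URL decoded from a QR code before opening it.

Added example, not code from the original article: it mechanises the
FTC advice (look at the URL; check for misspellings or a switched
letter in a domain you think you recognise). KNOWN_DOMAINS is a
constructed, illustrative trust list, not a real brand list.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of domains the user genuinely trusts (illustrative only).
KNOWN_DOMAINS = {"example-parking.com", "mybank.example"}

# Digits commonly swapped for the letters they resemble.
_DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(host: str) -> str:
    """Fold common look-alike substitutions into plain letters."""
    host = host.lower().translate(_DIGIT_FOLD)
    return host.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'brand.tld' extraction (last two labels). Real code should use
    the Public Suffix List; this is enough for the demonstration."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def inspect_qr_url(payload: str) -> dict:
    """Return a verdict ('known', 'unknown' or 'suspicious') plus the reasons."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # QR codes can carry any text; only plain web links are worth considering.
    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{scheme or '(none)'}'")
        return {"host": host, "verdict": "suspicious", "findings": findings}
    if scheme == "http":
        findings.append("not using https")
    if parts.username is not None:
        findings.append("credentials before '@': the real host is the part after it")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    reg = registrable(host)
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # A trusted brand appearing as a label of some other domain
        # (e.g. mybank.example.evil.net) is a classic phishing pattern.
        if reg != known and brand in host.split("."):
            findings.append(f"'{brand}' used inside a different domain '{reg}'")
        # One or two edits away from a trusted domain, after folding
        # look-alike characters, is a misspelling or a switched letter.
        elif reg != known and edit_distance(normalise(reg), normalise(known)) <= 2:
            findings.append(f"'{reg}' looks like '{known}'")

    if findings:
        verdict = "suspicious"
    elif reg in KNOWN_DOMAINS:
        verdict = "known"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner would hand them over.
    for sample in (
        "https://pay.example-parking.com/ticket/123",
        "https://examp1e-parking.com/pay",
        "http://mybank.example.parking-pay.net/login",
        "https://example-parking.com@203.0.113.5/pay",
        "WIFI:T:WPA;S:FreeParking;P:pass;;",
    ):
        print(sample, "->", inspect_qr_url(sample))
```

A verdict of "unknown" is deliberately not the same as "safe": the check only proves that a URL does not impersonate a domain on the trust list, which is exactly what the FTC's "make sure it's not spoofed" step covers. Whether an unfamiliar site is legitimate still comes down to the last piece of advice, contacting the company through a channel you already know is real.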
These are all wise words, and you should heed them, but I think that actually a secure infrastructure based on digital identities would be best in the long run.