QR Code Security: Protecting Yourself from Scammers

If I promised you $100 to click this link: www.myEvilWebsiteThatWillStealYourMoney.com, you would never do that, right? That is because, first, you don’t know me, and second, you can see that this URL is highly suspicious.

Now let's imagine you have a reservation at your favorite restaurant. The host seats you at your table and tells you that the restaurant uses only QR code menus. You scan the QR code and it shows you the menu, but it also displays a banner that says, “Log into your Google account for a 10% discount!”

What would you do?

QR code security may not have even crossed your mind, since the QR code is stuck to the restaurant table and the host said you can scan it. But what if someone stuck a malicious QR code on the original one to steal your Google account credentials?

We must now ask ourselves if maybe we trust QR codes too much. How can we protect ourselves from scenarios like the one described above and still enjoy the convenience QR codes provide?

First, we must understand what QR codes are.

QR codes are two-dimensional barcodes that encode textual information in a graphic way. QR codes were invented in 1994 by a Japanese automotive company called Denso Wave. The company originally used QR codes to encode spare parts for the robots on their production lines. Nowadays, you can find QR codes everywhere: buses, billboards, newspapers, restaurants, and more.

The main issue with QR codes is that their format is unreadable to humans, so there is no way for us to know if a QR code is authentic or fake just by looking at it. Bad actors can use QR codes against you in the following ways:

• Phishing

  As in the restaurant menu scenario, a bad actor could create a malicious website that looks genuine, encode its link into a QR code, and send it to you via email.

   

• Malware

  Surfing to a malicious website can trigger an unwanted download. If your device is vulnerable and executes the malware, bad actors can get any information they want from it.

   

• Exploit mobile vulnerability

  You may be among the many people who do not upgrade your mobile software right away when there is a new update available. (For example, only around 60% of iDevices have iOS 15 installed on them¹.) Sometimes, before you upgrade, you just want to hear from your friends that there are no issues with the new version. But sometimes those upgrades contain security fixes, and a bad actor can encode a payload that exploits those vulnerabilities into a QR code. When you scan this QR code, your mobile device will be exploited.

QR code security isn’t a lost battle. There are some things you can do to ensure that the QR code you’re about to scan is harmless.

• Don’t just scan any QR code you see

  You won’t click any URL you see while browsing the web. Similarly, you don't know who put a QR code somewhere or what a QR code contains. In most cases, QR code is just a URL presented in a way that is unreadable to humans.

   

• Use scanners that show the URL before launching it

  There are scanners that show you the URL before launching it so that you can decide whether to go to that website. Some phone cameras also do this. Verifying a QR code’s content before you launch it will significantly decrease your chances of being hacked.

   

• Verify the QR code sticker is authentic

  A simple method to ensure QR code security is to physically inspect the sticker. When you see a printed QR code that you want to scan, always verify that no one has stuck another QR code over it.

   

• Keep your device updated with the latest security patches

  As we described before, bad actors can target old mobile phones’ software and attack them through QR codes. Keeping your device updated will help you stay protected from these kinds of attacks.

Fortunately, there are solutions that can automatically detect fake or malicious QR codes.

• Digital signatures

  In general, the way digital signatures work is that the person who creates the message has a cryptographic private key, which must always be kept secret, and a suitable cryptographic public key, which can be shared with anyone.

   

  Two keys are needed here because a message encrypted with one key can be decrypted only with the other key. When I encrypt a message with my private key, anyone who possesses the public key can decrypt this message, so they can know for sure that this message was generated by me and hasn’t been tampered with on the way.

   

  For example, let's consider how international vaccination certificates work.

   

  • The Ministry of Health (MOH) or similar authority in your country signs your data with their private key and encodes it into a QR code.

     

  • When you scan this QR code with the MOH’s dedicated app, it validates the signature behind the scenes with the MOH’s public key. If the signature is verified, it means that all the details inside this QR code are genuine and were created by the MOH. The QR code is then processed securely.

     

  • If you scan this QR code with a regular QR code scanner, you’ll just see a nonsensical string of characters. This is because your QR code scanner doesn’t have the MOH’s public key in it.

     

• Dangerous sites detection

  There are services, like Google safe browsing, that scan a website before launching it and determine if it is a malicious or a phishing website. We can take the restaurant menu scenario as an example: if the QR code scanner used this kind of service, it would alert us that the website www.myevilwebsitethatwillstealyourmoney.com looked malicious.

   

• Tamper-proof QR code

  To prevent counterfeits, manufacturers print QR codes on a product’s package so that the customer can scan them and verify that the product is authentic. But how can we prevent someone from printing the same QR code on a fake product? One solution is by using a copy detection pattern. Every time a digital image is printed or scanned, some information about the original digital image is lost. This is called the "information loss principle".

   

  How can we use it in our favor? We’ll generate an image that contains a lot of details and looks a lot like a QR code, and we’ll put it in the middle of our QR code.

If someone tries to copy this QR code and print it on fake products, the copy detection pattern will lose a lot of information and become invalid. The manufacturer, however, requires a specially designed QR code scanner app, which will analyze this copy detection pattern and alert the customer when they have scanned a product that looks inauthentic.

Ideally, the security community will formulate a proofed security standard for QR codes, just like the vaccination certificate standard. In the meantime, the risks of QR codes outlined in this article are important to remember as we increasingly interact with them in everyday life.

When customers fall victim to fraud through QR codes and other scams, companies are often left footing the bill. To learn more about how Ping Identity can help your organization prevent fraud, read Ping’s Ultimate Guide to Fraud Prevention or contact us today.

Despite their risks, the benefits of QR codes–including convenient and easy access to websites or applications–extend into the identity realm as part of passwordless authentication. Read more about passwordless authentication in this white paper by Ping Identity, and read about Ping Identity’s passwordless solution here.

¹ https://mixpanel.com/trends/#report/ios_15