• Perspective
Published on 28 January 2022

Cover this code that I cannot see!



Long shunned by the general public, QR (quick response) codes have now become indispensable and have changed everyone's habits. They play a key role in the fight against Covid-19, but are also widely used in marketing and industry.

Last week, the FBI issued a warning to Americans that cybercriminals are increasingly using malicious QR codes to steal their credentials and financial information.

Here's a quick look at what a QR code is, how it works and the potential security issues associated with its use.

Origin of QR codes

The first QR code system was invented in 1994 by the Japanese company Denso Wave, a subsidiary of Toyota. The company needed a more accurate way to track vehicles and parts during the manufacturing process. To achieve this, it developed a type of barcode that could encode both Japanese characters (kanji and kana) and alphanumeric characters.

Unlike conventional barcodes, which can only be read in one direction and can only store a small amount of information, a QR code is read in two directions - top to bottom and right to left. This allows it to hold much more data.

Data stored in a QR code can include website URLs, phone numbers or up to 4,000 characters of text. QR codes can also be used to:

  • Create a direct link to download an application from the Apple App Store or Google Play.
  • Trigger a call to a phone number or send an SMS.
  • Authenticate online accounts and verify login details.
  • Access or share Wi-Fi by storing information such as SSID, password and type of encryption used.
  • Send and receive payment information.
  • Store a digital certificate (e.g. those used in the AllAntiCovid application).

A QR code is therefore no more and no less than a standardised representation (ISO/IEC 18004:2015) of a small amount of information. This representation has the ability to correct errors, as the image contains up to 30% redundancy.

A QR code can be read using the native application of a recent iOS or Android phone or using a third party application.

Advice on QR codes

With the massive deployment of QR codes in our daily lives, hackers are increasingly using them as an attack vector. While QR codes have already been identified as a way to bypass spam or antivirus filters, the majority of attacks using QR codes are grouped under the name "Qishing": attackers trick their victims into scanning malicious QR codes that redirect them to a malicious website or send SMS messages to premium-rate numbers.

The FBI has advised Americans to be careful about the URL they receive after scanning QR codes, to always be cautious when entering data after scanning a QR code, and to ensure that physical QR codes have not been covered with malicious codes.

It is best to avoid installing applications via QR codes or installing QR code scanners (use the one that comes with your phone's operating system instead).

It is also possible to use a QR code reader provided by an anti-virus company that will scan the QR code.

As a general rule, always enter URLs by hand when making payments, rather than scanning a QR code that could be set to redirect you to a malicious site.

Finally, just as you would not open an email attachment if you don't know the sender, only scan QR codes that look legitimate, and only when you have no other option.
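The advice to check what a QR code contains before acting on it can be partly automated once the code has been decoded to text. The following is an added example, not code from the article: it classifies a decoded payload (URL, call or SMS, Wi-Fi) and lists warnings without opening, dialling or joining anything. `EXPECTED_HOSTS`, the function names and the sample payloads are assumptions constructed for illustration, and the `WIFI:` and `SMSTO:` layouts are the de facto conventions used by common scanners.

```python
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"pay.example.com"}  # assumption: constructed sample value

def parse_wifi(payload):
    """Parse the de facto 'WIFI:T:..;S:..;P:..;;' layout, honouring backslash escapes."""
    fields, key, buf, esc = {}, None, "", False
    for ch in payload[5:]:
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ":" and key is None:
            key, buf = buf, ""
        elif ch == ";":
            if key:
                fields[key] = buf
            key, buf = None, ""
        else:
            buf += ch
    return fields

def triage(payload):
    """Classify a decoded QR payload and list warnings; nothing is opened or dialled."""
    p = payload.strip()
    low = p.lower()
    if low.startswith("wifi:"):
        f = parse_wifi(p)
        warn = ["would join network %r" % f.get("S", "")]
        if f.get("T", "nopass").lower() in ("nopass", "wep"):
            warn.append("open or WEP network")
        return "wifi", warn
    if low.startswith(("sms:", "smsto:", "tel:")):
        return "phone", ["would call or text " + p.split(":", 2)[1]]
    if not low.startswith(("http://", "https://")):
        return "text", []
    u = urlsplit(p)
    host = u.hostname or ""
    checks = [
        (u.scheme != "https", "not HTTPS"),
        (u.username is not None, "userinfo before host"),
        (host.replace(".", "").isdigit() or ":" in host, "IP-literal host"),  # heuristic
        (host not in EXPECTED_HOSTS, "unexpected host " + host),
    ]
    return "url", [msg for hit, msg in checks if hit]

if __name__ == "__main__":  # constructed sample payloads
    for s in ("http://pay.example.com@203.0.113.7/login", "SMSTO:+15550100:WIN"):
        print(s, "->", triage(s))
```

An empty warning list only means none of these checks fired; the host shown should still be the one you intended to visit.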

Author: Benoît Arcache






Article written by
La Minute Cyber