Hada Blog

QR Code Security For A Business

Jose Padilla


The desire for contactless interaction has unintentionally provided a pathway for personal device hacks. One of the most common ways, especially since the Covid-19 pandemic, has been through the use of QR codes. We all know those black-and-white matrices. You have likely scanned one to add a friend on an app, send or receive a payment, or open a menu at a restaurant.


The usage of QR codes has surged by over 43% in the last year, with over 70% of that attributed to the food industry. The convenience of not having to touch potentially infected surfaces propelled this technology to quick adoption and implementation. However, with great convenience comes potential danger: the FBI has warned users of threats involving bank transfers, false dating app profiles, fake crypto wallets, and invoice fraud.


In this blog, we’ll highlight the dangers of malicious QR Codes, how they can negatively impact your business, and how you can protect yourself against them.


What are QR Codes?

Quick Response codes, colloquially known as QR codes, are a kind of barcode invented by the Japanese company Denso Wave in 1994 for the purpose of labeling automotive parts.


Part of the reason why they have become a powerful technology is due to the QR Code’s capacity for data storage and machine readability, not to mention their ease of setup and implementation. This explains why they are almost everywhere, but it also extends the attack surface for outdated software and devices. 


Now, you might be wondering why outdated software and devices might be an attack vector. Think of them as doors with the deadbolt rusted off: to the outside observer the door may seem secure, but if a malicious actor were to just push, it would open easily for them.


You’re probably wondering how a simple QR code could possibly jeopardize your business. The following kinds of attacks are some of the most common methods a malicious actor uses to hijack legitimate QR codes.



Attacks via QR Code


While a QR code itself cannot be hacked, it can be replaced by a counterfeit QR code that poses as the original. Since QR codes are designed to be read by machines, humans would not be able to distinguish between the two. The difference is that, given a QR code’s capacity for data storage, a simple QR code can execute a number of malicious attacks such as:





In 2022, the FBI issued a warning to QR code users over increased reports of stolen credentials and monetary loss. Attacks that exploit QR codes are known as Qshing. As with regular phishing, a malicious actor is after personal information that they can use for nefarious purposes, be it passwords or financial data.


Man in the Middle Attacks

A fraudulent QR code can enable man-in-the-middle (MITM) attacks, where malicious actors intercept communications between two parties and can manipulate the data transmitted. By redirecting this data, malicious actors can send users to fake websites that look just like the real ones, thereby enabling them to eavesdrop on sensitive information, skim credit card information, and steal login credentials, all without the victim’s knowledge. This can lead to financial loss, data breaches, and reputational damage for your organization.

Malware Distribution

On top of MITM attacks, a malicious QR code can clear the way for the distribution of malware, such as ransomware, spyware, and trojans. Malicious actors can embed malicious code within the QR codes themselves or link them to download sites hosting infected files. When scanned, these codes lead users to inadvertently download malware onto their devices, granting attackers unauthorized access to sensitive data, compromising your network, and potentially causing significant financial and operational damage.


What can these lead to on your own systems? 

Any of the above or a cocktail combination can result in what cyber security experts call initial intrusion. This can result in identity theft, personal data loss, downloading malware onto your device, giving access to your devices, or sending a fake payment portal to skim your banking and credit card accounts. 


But wait, there’s more. If you’re part of a company, this kind of attack can expose your organization to a campaign of targeted spear phishing, or let an attacker infiltrate a network using your trusted device credentials or by exploiting weaknesses on public-facing web servers.

This in turn can lead to ransomware, lateral movement, and other sensitive data being compromised.


While some businesses have the ability to hire full security teams to detect and respond to potential intrusions, small businesses don’t always have the budget to do so.


Small Business Concerns

If you’re a small business, the potential hijacking of your well-intentioned QR code is relatively easy: all a malicious actor needs is a sticker printer to cover your legitimate QR code with their counterfeit one. The presence of a malicious QR code can lead to a myriad of negative consequences such as financial loss, reputational damage, data breach/identity theft, and legal consequences.
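Because a swapped sticker looks the same to the eye, and a fake site can look just like the real one, a business can rescan its own posted codes and compare each decoded payload with the URL it published. The code below is an added example, not part of the original post; the .test host names, the SCANS data and both function names are constructed for illustration, and the payload string is assumed to come from any QR reader.

```python
from urllib.parse import urlsplit

def audit_qr_payload(payload: str, expected_url: str) -> list[str]:
    """Compare a decoded QR payload with the URL the business published."""
    try:
        got, want = urlsplit(payload.strip()), urlsplit(expected_url)
        got.port  # a non-numeric port raises ValueError here
    except ValueError:
        return ["payload is not a well-formed URL"]
    findings = []
    host = (got.hostname or "").rstrip(".")
    if got.scheme != "https":
        findings.append(f"scheme is '{got.scheme}', expected https")
    if "@" in got.netloc:
        findings.append("userinfo before '@' hides the real host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("internationalized host name can imitate ASCII letters")
    if host != (want.hostname or ""):
        findings.append(f"host '{host}' is not '{want.hostname}'")
    elif (got.path, got.query) != (want.path, want.query):
        findings.append("same host but a different path or query")
    return findings

# Constructed sample data: location -> (published URL, payload from a fresh scan).
SCANS = {
    "table 4": ("https://menu.example-cafe.test/t/4",
                "https://menu.example-cafe.test/t/4"),
    "front door": ("https://menu.example-cafe.test/",
                   "https://menu.example-cafe.test@pay.example.net/"),
    "counter": ("https://menu.example-cafe.test/pay",
                "http://menu.examp1e-cafe.test/pay"),
    "patio": ("https://menu.example-cafe.test/",
              "https://xn--menu-example-caf-abc.test/"),
}

def audit_posted_codes(scans):
    """Return only the locations whose scanned payload needs attention."""
    report = {}
    for place, (published, scanned) in scans.items():
        findings = audit_qr_payload(scanned, published)
        if findings:
            report[place] = findings
    return report

if __name__ == "__main__":
    for place, findings in audit_posted_codes(SCANS).items():
        print(place, "->", "; ".join(findings))
```

Any location that appears in the report is a code to inspect physically for a sticker overlay before customers scan it again.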


Financial Loss

A malicious QR code can lead to unauthorized transactions, resulting in significant financial losses for both businesses and their customers. As a small business, such incidents can be devastating and may even lead to bankruptcy.


Reputational Damage

A single fraudulent QR code incident can damage a small business’s reputation, causing customers to lose faith in the brand. Rebuilding that trust can be more cost- and time-intensive than initially earning it.


Data Breach and Identity Theft

Malicious QR codes may redirect users to phishing websites aiming to collect a victim’s sensitive information such as login information and personal data. This kind of data breach can be devastating for customers and businesses alike.


Legal Consequences

Small businesses may face legal consequences if customer data is compromised or if their negligence in implementing strong security measures is proven in a court of law. This does not include the cost of repairing the damage. In 2022, the average cost of a data breach in the US was $9.44 million.

While these examples of attacks are potent, there are some measures that you can take as an individual or business to mitigate your risk against malicious actors.



Hardening your defenses

You might be asking yourself, how can I possibly protect myself from fraudulent QR codes? There are a few security tools that can aid in your defense. Some of these include multi-factor authentication (MFA), mailbox backups, and tracking logins.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages the setup and use of multifactor authentication. With MFA you make it harder for a malicious actor to gain access to your accounts: even if they have your password, they don’t have the authentication method needed to fully unlock the account. Think of it as a lock with two keys. Your password is one of those keys, and the MFA method is the second. With that said, MFA is not a silver bullet.

Mailbox/server backups are essential to have in place before a ransomware attack. Should the malicious actor make good on their promise to erase your data, you can rest easy knowing that all that data is safely backed up. Not that you ever want to have to recover lost data in the first place. Prevention is tantamount to reaction.

Monitoring logins is another simple tool you can use to make sure that it is only you or trusted individuals and their devices who are accessing your network, sensitive data, etc. 
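One way to review sign-ins for untrusted devices and missing MFA, shown as an added example that is not part of the original post. The key=value log format, the TRUSTED_DEVICES allowlist, the failure threshold and all names and addresses are assumptions constructed for illustration.

```python
import re

# Assumed allowlist: the devices each account normally signs in from.
TRUSTED_DEVICES = {"ana": {"LAPTOP-ANA", "PHONE-ANA"}, "luis": {"POS-01"}}

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-01T09:12:44Z user=ana device=LAPTOP-ANA ip=192.0.2.10 mfa=passed result=success
2024-03-01T09:40:02Z user=luis device=POS-01 ip=192.0.2.11 mfa=passed result=success
2024-03-01T13:05:10Z user=ana device=UNKNOWN-7 ip=198.51.100.23 mfa=none result=failure
2024-03-01T13:05:31Z user=ana device=UNKNOWN-7 ip=198.51.100.23 mfa=none result=failure
2024-03-01T13:05:55Z user=ana device=UNKNOWN-7 ip=198.51.100.23 mfa=none result=failure
2024-03-01T13:06:20Z user=ana device=UNKNOWN-7 ip=198.51.100.23 mfa=skipped result=success
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict of fields."""
    ts, _, rest = line.partition(" ")
    return {"ts": ts, **dict(FIELD.findall(rest))}

def review_logins(log_text, trusted=TRUSTED_DEVICES, max_failures=3):
    """Return (timestamp, user, reason) for each sign-in worth a closer look."""
    alerts, failures = [], {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        e = parse_line(line)
        user, device = e.get("user"), e.get("device")
        if e.get("result") == "failure":
            failures[user] = failures.get(user, 0) + 1  # count the streak
            continue
        if device not in trusted.get(user, set()):
            alerts.append((e["ts"], user, f"unrecognized device {device}"))
        if e.get("mfa") != "passed":
            alerts.append((e["ts"], user, "success without MFA"))
        if failures.get(user, 0) >= max_failures:
            alerts.append((e["ts"], user, f"success after {failures[user]} failures"))
        failures[user] = 0  # a successful sign-in resets the streak
    return alerts

if __name__ == "__main__":
    for ts, user, reason in review_logins(SAMPLE_LOG):
        print(ts, user, reason)
```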


Getting Started

At Hada Security, we’re all about making your users an essential part of your cyber defense. We know that one solution doesn’t fit all. That’s why our set of security products and services meet our clients where they’re at in their security journey. Take the first steps with our 5-Minute Security Quiz – it’s a fun way to get started! Let us help make your business a fortress against cyber threats.