Identity of a QR Code

QR codes are not new; in fact they have existed since 1994, invented by the Japanese automotive company Denso Wave. They weren’t developed specifically for the web either, but this pseudo-lazy technology has proven to be great for customer experience. It removes the friction of a user typing a string, such as the URL of the website you want to visit, into the phone browser by hand. COVID-19 pushed us to rely more on personal items, so many restaurants dropped paper menus and simply replaced them with… QR codes that you scan with your mobile to open the webpage with the menu. One could say it’s a green option, too.

Phishing emails aka the scams

After many years of living with phishing, we all (or most of us, at the very least) know we should not click on links in emails from unknown senders. We still fall for them from time to time when the forged email is of high quality, but again most of us realise what we have done immediately afterwards. A rogue website can deliver a payload, malware or some other malicious content that may lead to the system and our data being compromised.

Yet… we are so keen to use QR codes, and no one ever told me to be careful when I do.

My own experience

I recently went to London with my beloved wife. She’s an artist, so we spent a fair amount of time in art galleries and museums. We still live in a post-covid world, so one of the exhibitions required you to book the tickets on-line; there was no ticket office. The QR code was printed on an A4 sheet, laminated and mounted to the railing with cable ties… Nothing wrong with that, right? I scanned the code, which took me to the booking website, booked the ticket and et voilà, we’re in! That moment it dawned on me how dangerous that could be, as the ticketing website was operated by a third party, so the URL wasn’t related to the one the original gallery runs off. Most of us wouldn’t give it a second thought though.

Attack vectors

The obvious one is that someone replaces the QR code. We’re not talking about replacing the ones generated on-line by genuine websites; we’re talking about those to which we have physical access… and so do the attackers, just like in the example above. This could be a restaurant, a museum, a missing-cat poster, virtually anything that looks and quacks like a genuine QR code.

You may say: hold on, if I scan the code, open the website and it’s not what I expect, I know it’s a scam. At the risk of stating the obvious (preschool-level hacking), the malicious website may do the damage first and only then take you to the intended destination. I have created the example below. The QR code takes you to https://phish.iamworld.co.uk (your QR scanner should show it; the iPhone’s camera, for example, prints the URL below the code), and the only function of that site is to redirect you to the BBC’s website. You can see my point.

The situation gets even worse if you’re on a Wi-Fi network belonging to the malicious actor. All your traffic then goes through a rogue system and, despite encryption, new possibilities arise, but that’s a topic for another blog.

The identity of the QR code

Hopefully you can see now why I think those pictures have an identity. In order to trust them, we need to be able to verify their origin. This isn’t a case for usernames and passwords, or for public key infrastructure and checking digital signatures; it has to be simple and quick to preserve the low friction of the method and what comes with it: an excellent customer experience.

How do we stay safe?

I think there are two parts to the solution. The first comes from the owner – the publisher of the code. The way I see it, no code should be printed without the URL it takes you to. That way you can compare it with what the QR scanner/camera shows. If someone replaces the code with a spoofed one, it won’t match. If they replace both the code and the URL, the publisher now has the ability to spot the difference and act on it. With the code alone, there’s no way to quickly tell where it’s taking you. The URLs should also be short, simple and relevant to the publisher. If the URL is long and complicated, our brain cannot process it from a quick glance. The print also needs some quality to it, rather than just being an A4 sheet. It may be a good idea to frame it, or keep it under lock behind glass, rather than exposing it externally. In an ideal world they wouldn’t be prints at all, but LCD displays.

Secondly, the users – ourselves. We should be very careful and never follow the link from the code if we’re not certain of it or if it looks tampered with. Ideally the publishers will make it easy for us: if you pay for your restaurant food online at Wagamama, the QR code actually uses the wagamama.com domain for the payment. If we get a message that the certificate is invalid, don’t ignore it. While there are times when administrators forget to renew them, it’s very rare and, in all honesty, professional malpractice. It’s not worth the risk, especially if payment is involved. It’s also safer to use mobile data rather than Wi-Fi when accessing the codes.
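As an added example (not from the original post), here is the "compare the scanned URL with the printed one, then check it stays on the publisher's domain" rule from the two sections above written down as a check, including the "do the damage, then redirect to the real site" detour from the attack-vectors section. All hostnames and the redirect chain are constructed; `Verdict`, `check_scanned_url` and `on_publisher_domain` are names chosen for this illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def _host(url: str) -> str:
    """Lower-case hostname of a URL without port or trailing dot ('' if none)."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def on_publisher_domain(host: str, publisher_domain: str) -> bool:
    """True when host is the publisher's domain or a subdomain of it. A lookalike
    such as 'wagamama.com.evil.example' fails: the whole label suffix must match."""
    publisher_domain = publisher_domain.lower().rstrip(".")
    return host == publisher_domain or host.endswith("." + publisher_domain)


def check_scanned_url(scanned: str, printed: str, publisher_domain: str,
                      redirect_chain: tuple = ()) -> Verdict:
    """Apply the post's rules to the URL decoded from a QR code:
    1. it must be https (a certificate problem is treated as a hard stop);
    2. its host must equal the host of the URL printed beside the code;
    3. that host, and every redirect hop observed afterwards, must stay on
       the publisher's domain, so a detour through another host is reported
       even when the final page looks right."""
    scanned = scanned.strip()
    if urlsplit(scanned).scheme.lower() != "https":
        return Verdict(False, "scanned URL is not https")
    scanned_host, printed_host = _host(scanned), _host(printed)
    if not scanned_host:
        return Verdict(False, "scanned URL has no usable host")
    if scanned_host != printed_host:
        return Verdict(False, f"scanned host {scanned_host!r} differs from "
                              f"printed host {printed_host!r}")
    for hop in (scanned,) + tuple(redirect_chain):
        if not on_publisher_domain(_host(hop), publisher_domain):
            return Verdict(False, f"hop {hop!r} leaves {publisher_domain!r}")
    return Verdict(True, "matches the printed URL and stays on the publisher's domain")


# Constructed sample: the code was swapped for a look-alike host that merely
# redirects to the genuine menu page (the redirect hop is constructed too).
SAMPLE_CHAIN = ("https://menu.restaurant.example/table/7",)
if __name__ == "__main__":
    print(check_scanned_url("https://restaurant-example.menu/t7",
                            "https://menu.restaurant.example/table/7",
                            "restaurant.example", SAMPLE_CHAIN))
```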

Conclusion

Don’t be scared of QR codes; they’re really good tools. Next time you’re out and about, however, spend those few valuable seconds looking at the URL before you commit to clicking it.