Can QR Codes Be Used for Phishing Attacks?
To make their documents convenient to verify, many organisations have started printing QR Codes containing URLs on the documents they issue.
Examples are government-issued licences, inspection reports, insurance certificates, degrees and transcripts, pathology reports, receipts etc.
Using plain URLs in QR Codes is inviting phishing attacks
The idea is that when a third party comes across the document, they can use any QR Code scanning App on their phone: scan the code and it opens the URL in the phone's browser.
Though alluringly convenient, this disregards everything we have learned while fighting phishing. It is not just theoretical; it is a present and active threat.
Source: Fig 3 in Optical Delusions: A Study of Malicious QR Codes in the Wild
In an earlier era, links within emails were introduced because they were convenient, with security an afterthought. Now many are repeating the same mistake with QR Codes.
Actually this is much worse, because:
In an email, an alert user may still catch a phishing link because the URL is visible as text. In a QR Code there is no such chance: the link is machine-readable only, and most QR Code reading Apps open it straight away without showing it to the user.
A compounding factor is that on smartphones, with their limited screen space, it is even more difficult to discern the page URL in the address bar. Further, many QR Code reading Apps now open the URL in an in-app web view, where the browser's phishing and malware warnings do not trigger.
Another issue is that many QR Code reading Apps are advertising driven and collect information on what is scanned. If your QR Codes carry sensitive information, then by encouraging users to scan them with any QR Code reading App you may be leaking that information to third parties. In our business we need to scan QR Codes all the time and we got so alarmed by what we saw that we developed our own App to maintain privacy.
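As an added example (not from the original post and not the code of any real scanning App), here is the kind of pre-open check a QR reader could run on a decoded payload before handing it to a browser, written in Go. The allowlisted host verify.example.gov and the sample payloads are constructed for illustration. The checks cover exactly what a cramped phone address bar or an in-app web view hides: a non-https scheme, a user@host prefix that displays the trusted name first, a homograph or punycode host, and a lookalike subdomain hanging off an attacker's domain.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// trustedHosts is a constructed allowlist: the only hosts the issuing
// organisation actually publishes verification pages on (assumed name).
var trustedHosts = map[string]bool{
	"verify.example.gov": true,
}

// Verdict is the scanner's decision for one decoded QR payload.
type Verdict struct {
	Open   bool   // true only when every check passed
	Reason string // human-readable explanation shown before anything opens
}

// TriageQRURL applies the checks an alert reader would apply to a visible
// link in an email, which a QR reader skips when it opens the URL straight away.
func TriageQRURL(payload string) Verdict {
	u, err := url.Parse(strings.TrimSpace(payload))
	if err != nil {
		return Verdict{false, "payload is not a parseable URL"}
	}
	// Only plain web links: rejects javascript:, data:, app-specific schemes and
	// cleartext http, all of which an in-app web view would happily open.
	if u.Scheme != "https" {
		return Verdict{false, "scheme " + u.Scheme + " is not https"}
	}
	// https://verify.example.gov@attacker.example/ shows the trusted name first
	// in a narrow address bar but actually connects to attacker.example.
	if u.User != nil {
		return Verdict{false, "URL carries userinfo (user@host trick); real host is " + u.Hostname()}
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return Verdict{false, "URL has no host"}
	}
	// Homograph hosts arrive either as raw non-ASCII characters or as
	// punycode labels (xn--). Neither belongs in an issuer's verification URL.
	for _, r := range host {
		if r > unicode.MaxASCII {
			return Verdict{false, "host contains non-ASCII characters (possible homograph)"}
		}
	}
	for _, label := range strings.Split(host, ".") {
		if strings.HasPrefix(label, "xn--") {
			return Verdict{false, "host contains punycode label " + label}
		}
	}
	// Exact match only, so verify.example.gov.attacker.example does not pass.
	if !trustedHosts[host] {
		return Verdict{false, "host " + host + " is not a known verification host"}
	}
	return Verdict{true, "host " + host + " is on the allowlist"}
}

func main() {
	// Constructed sample payloads, as a QR decoder would hand them to the App.
	samples := []string{
		"https://verify.example.gov/cert/INS-2024-0001",
		"http://verify.example.gov/cert/INS-2024-0001",
		"https://verify.example.gov@attacker.example/cert/INS-2024-0001",
		"https://verify.example.gov.attacker.example/cert/INS-2024-0001",
		"https://xn--verif-nra.example.gov/cert/INS-2024-0001",
		"javascript:alert(document.cookie)",
	}
	for _, s := range samples {
		v := TriageQRURL(s)
		fmt.Printf("open=%-5t %-64s %s\n", v.Open, s, v.Reason)
	}
}
```

Note that the allowlist is the decisive check; the earlier ones exist to give the user a specific reason rather than a generic refusal. An App that does this is only useful if the user is willing to install it for the issuer's codes, which is the trade-off the next section discusses.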
What should be done?
In security/verification applications, immediately stop the practice of placing bare URLs inside QR Codes. Just Stop. For such applications use one of the following options:
Develop your own solution or use a solution like Qryptal, which generates tamperproof, digitally signed QR Codes that are meant to be scanned and verified by approved Apps. Once the code content is signed, you can place whatever makes sense inside it, including URLs. This retains all the existing ease of use once the user has installed the approved App.
Stop using QR Codes and instead print a long, unguessable tracking number on your certificates, and guide the user to visit your website (typing the address themselves) and enter the tracking number to validate the information. The number must be unguessable, i.e. random rather than sequential, because otherwise anyone will be able to visit your website and enumerate records. This option is of course not convenient and would deter most people from using the system.
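As an added example of the first option (this is not Qryptal's format or code; the QV1. prefix, the key handling and the certificate fields are assumptions made for illustration), the following Go program signs certificate content with Ed25519, verifies it the way an approved App would, and shows that a copied code with edited content fails verification while a plain URL is rejected outright. It also generates the unguessable tracking number the second option calls for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// payloadPrefix is a constructed format tag so a verifier can tell a signed
// payload from a plain URL at a glance. An assumption, not a Qryptal format.
const payloadPrefix = "QV1."

// GenerateIssuerKeys creates the issuer's Ed25519 key pair. The private key
// never leaves the issuer; only the public key is embedded in the approved App.
func GenerateIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPayload wraps certificate content (which may contain a URL) as
// "QV1.<base64url(content)>.<base64url(signature)>" for encoding into a QR Code.
func SignPayload(priv ed25519.PrivateKey, content []byte) string {
	enc := base64.RawURLEncoding
	sig := ed25519.Sign(priv, content)
	return payloadPrefix + enc.EncodeToString(content) + "." + enc.EncodeToString(sig)
}

// VerifyPayload returns the content only if it carries a valid signature under
// pub. A plain URL, a foreign format or altered content all fail here, before
// the App shows or opens anything.
func VerifyPayload(pub ed25519.PublicKey, scanned string) ([]byte, error) {
	if !strings.HasPrefix(scanned, payloadPrefix) {
		return nil, errors.New("not a signed payload (plain URL or unknown format)")
	}
	parts := strings.Split(strings.TrimPrefix(scanned, payloadPrefix), ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed payload")
	}
	enc := base64.RawURLEncoding
	content, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("content is not valid base64url")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("signature is not valid base64url or has the wrong length")
	}
	if !ed25519.Verify(pub, content, sig) {
		return nil, errors.New("signature does not verify: content altered or not issued under this key")
	}
	return content, nil
}

// ForgeContent keeps the original signature but swaps the content, which is
// all an attacker who can only copy and edit a QR Code is able to do.
func ForgeContent(scanned string, newContent []byte) string {
	parts := strings.Split(strings.TrimPrefix(scanned, payloadPrefix), ".")
	return payloadPrefix + base64.RawURLEncoding.EncodeToString(newContent) + "." + parts[len(parts)-1]
}

// NewTrackingNumber returns 128 random bits as 26 base32 characters, the
// unguessable identifier the second option needs. A sequential or date-based
// number would let anyone enumerate records on the verification site.
func NewTrackingNumber() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
}

func main() {
	pub, priv := GenerateIssuerKeys()
	// Constructed certificate content; the URL inside it is now protected too.
	content := []byte("cert=INS-2024-0001;holder=A. Example;result=PASS;url=https://verify.example.gov/INS-2024-0001")
	qr := SignPayload(priv, content)
	fmt.Println("QR payload:", qr)

	if got, err := VerifyPayload(pub, qr); err == nil {
		fmt.Println("verified:", string(got))
	}
	forged := ForgeContent(qr, []byte("cert=INS-2024-0001;holder=A. Example;result=FAIL"))
	_, err := VerifyPayload(pub, forged)
	fmt.Println("forged copy:", err)
	_, err = VerifyPayload(pub, "https://verify.example.gov/INS-2024-0001")
	fmt.Println("plain URL:", err)
	fmt.Println("tracking number:", NewTrackingNumber())
}
```

Because the App holds only the public key, even someone who has installed it cannot mint a code that verifies; that is the property an HMAC-based scheme would lose. Two practical caveats: a signed payload is noticeably longer than a bare URL (the Ed25519 signature alone adds 86 characters), so the QR version and error-correction level must be chosen with that in mind, and verification proves only that the issuer signed the content, not that the certificate is still current, so revocation or expiry still needs a field in the content or a lookup.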
Most lay persons place a high level of trust in QR Codes and are unaware that anyone can easily create or duplicate them. A bad experience can undermine the raison d'être of using this technology in such applications.
Just like any “tech” today, organisations should use QR Codes responsibly with security and privacy as primary considerations.