In QR codes have a huge curiosity factor, Quriosity. Its a wonderful thing. Tie curiosity to advertising and youve got a winner. QR codes can do just that and much more, which is why their popularity is soaring. Each unique square symbol is comprised of black and white markings and can be scanned by many camera phones or other digital readers to provide information, or, in many cases, a link to a website.
Drawing Hackers Attention
Amit Kaul, CEO, Evam Technologies, explains that QR codes, and related mobile tagging formats, can be targeted and manipulated by cyber criminals to easily steer victims to malicious websites in a new opportunity to steal identities and commit fraud. Satish Das, Chief Information Security Officer, Cognizant, states three reasons for QR codes to be driving the attention:
- Vulnerable due to lack of end user understanding of the code
- Since its intended for systems, its difficult for humans to comprehend the actual message from image.
- Extremely easy to make and can be done free over the Internet
QR technology does bring with it risks. QR scanning apps from distrusted sources can be a risk. Like all other apps, they may come with Trojan functionality or malware.
Sandeep Godbole, ISACA India Task Force Member and President ISACA, Pune Chapter, says that QR codes are yet another vector for scammers like phishing email, URL shortening services etc., which makes it an ideal vector for spear phishing type of attacks. Stickers, documents that look genuine and that have QR code can potentially lead users to malware or direct them to phishing sites.
QR Challenges for CISOs
Abhijit Limaye, Director, Development &Security Response, Symantec, reiterates that QR codes are an increasingly popular way for people to convert a barcode into a website link using a camera app on their smartphones. Its fast and convenient, but potentially dangerous. Spammers are already using it to promote black-market pharmaceuticals, and malware authors have used it to install a Trojan on Android phones. In combination with link shortening, it can be very hard for users to tell in advance if a given QR code is safe or not; so, consider a QR reader that can check a websites reputation before visiting it.
Once the bait has been taken, the victim must be reeled in. The next step in these attacks fools the user into taking an action to propagate the threat: for example, installing an app, downloading update to your video software or clicking on a button to prove youre human. The attackers persuade their victims to infect themselves and spread the bait to everyone in their social circles, says Limaye.
Given the QRs complexity, Dr K Harsha, Head-IT, HKM Group, finds QR codes drawing new threats owing to less security awareness with customers, similar fraudulent sites will increase security risk and security breaches and educating clients/customers on QR Code is a tedious process.
Amit Kaul argues that QR codes are not inherently dangerous, but they can get linked to content that might infect a mobile device and steal a wealth of information from the user, or in this case, the scanner of the code.
When a user scans a QR code, it displays a link (QR code has more features than that) in most cases. This allows cybercriminals to use URL shortening services (such as bit.ly and others) to disguise the ultimate address stored in the QR code, which may lead to a page with malware that steals the users credentials or to a phishing site. As a mobile browser may not always be capable of displaying the complete URL of the opened page, the situation is further complicated, says Kaul.
Although there are quite a number of threats due to misuse of QR codes, very few can be because of a large security mistake by the company advertising its product, or whatever, with the QR code. It however can turn out to be quite a nasty PR experience for the company and they need to be careful with the way in which they do it, adds Kaul.
Best Techniques to Counter the Risks
While there is always a technique to solve the toughest puzzle, preventing the risks associated with QR code spells certain best security practices which the CISOs are adhering to.
For instance, HKMs Harsh recommends QR codes should be printed on white or soft pastel colour background for safety and recommends users not to reverse or invert in print. The black must be black or a dark contrast colour for scanners to appropriately pick it up.
There should be at least 55 per cent contrast difference if it is going to be printed in colour between the squares and the background, says Harsha.
Kaul points ou a few precautionary measures for smartphone userssuch as using a client antimalware application (wherever possible), taking advantage of the corporate Wi-Fi network and its standard network protections to block the malware, or using a QR reader application that checks URLs against blacklists of known malware-laden websites.
Kaul recommends three simple procedures to prevent threats:
- Take care before scanning a QR code; just make sure that it is not covering another code. If you have a doubt, do not scan.
- Once you open an app store or a website on your browser, ensure that the QR code has taken you to the site you had to go o. Check to see the applications rating or customer feedback. If there are very few feedbacks or ratings or none at all, its best not to continue the installation. Extra caution is advised before entering your personal data or credentials, including email or e-banking data.
- If your smart phone allows the installation of target="_blank">thousands of malware programs.
Cognizants Das strictly advocates users not to scan when the source is unknown, always verify the website authenticity on scan and ensure mobiles have adequate Antivirus Protection to address any emergencies.
Symantecs Limaye advises users to treat every network as hostile and ensure that all the applications use encrypted communications like SSL or tunnel through a VPN and protect against automated redirection to malicious sites with QR codes.
Add new comment