Queasy About QRs?

Have you noticed the QR (Quick Response) codes that are popping up everywhere like dandelions after an April shower? Use of this matrix barcode, first developed for tracking inventory by the Toyota subsidiary Denso in 1994, took off when phone apps were created to read the symbols, which in turn point the user to more information online. The QR code to the left, for example, will direct you to a web page about the Information Security Group when you scan it with your smartphone.

You can now find QR codes everywhere, including magazine ads, real estate signs, even on chocolate slices. Publishers are cranking out books with titles such as Scan Me: Everybody’s Guide to the Magical World of QR Codes or The QR Code Marketing Guide for the marketing professionals. So the odds are high that you’ll be seeing more of them.

And if you speculated that a technology that makes something easier and faster might also have some risks attached, then you would be correct. While QR codes are a quick way to link to a website without entering text, they also offer an ideal way to distribute malware. This could be as simple as putting a fake QR code sticker over an existing one in the magazine you’re reading in the doctor’s waiting room, or cyber criminals hacking a website and replacing the actual QR code. Scanning the fake code then directs you to a malicious site.

To see how this works, Kaspersky has this visual representation of an attack: Malicious QR Codes: Attack Methods & Techniques Infographic. They also offer this demonstration that you can run on your smartphone: Malicious QR Codes: How They Work Demo.

Don’t despair, though.  With care you can learn how to protect yourself so that you can go through your day scanning items like a Star Trek crew member on an away-mission to an uncharted planet.  Here are some tips to keep you safe:

1. Your QR Code Reader: Use a well-reviewed, trusted QR reader with built-in security features that allow you to review a link after you’ve scanned it and before launching it, to prevent randomly executing malicious code. Understand how it works with your device, how it interacts with URLs, and how permissions are granted with your mobile OS.

2. Your phone’s security: Install an anti-malware application and keep it updated.

3. Common Sense: Be vigilant. If the circumstances look suspicious — such as a code posted in a location not normally used, a sticker that doesn’t appear to be the original one, or an offer too good to be true — don’t scan it. Be careful of landing pages that direct you to log in. Never give out your personal information needlessly. Verify that the URL is what you expected. Don’t allow a QR code to dial a number or send an SMS unless you are sure the number is legitimate.
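The "review the link before launching it" step from tip 1, together with the URL and dial/SMS checks from tip 3, can be pictured as the following added Python example. It is not from the original article or from any particular QR reader; the function name `review_qr_payload`, the warning wording and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes that make the phone call or text instead of opening a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mmsto"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_qr_payload(payload, expected_host=None):
    """Describe decoded QR text for the user; nothing is opened or fetched."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return {"kind": "unparseable", "host": None, "warnings": ["could not parse"]}
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return {"kind": "phone-action", "host": None,
                "warnings": ["wants to dial or text " + parts.path + "; confirm the number"]}
    if scheme not in ("http", "https"):
        return {"kind": "not-a-web-link", "host": None, "warnings": []}
    host = parts.hostname or ""
    warnings = []
    if scheme == "http":
        warnings.append("plain http: page is not encrypted")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the site; real host is " + host)
    if is_ip_literal(host):
        warnings.append("numeric address instead of a site name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode name; may imitate another site")
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        warnings.append("host is " + host + ", expected " + expected_host)
    return {"kind": "web-link", "host": host, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads (reserved example domains and test ranges).
    for sample in ["https://www.example.org/security",
                   "https://example.org@login.example.net/",
                   "http://192.0.2.10/app",
                   "tel:+15555550100"]:
        print(sample, "->", review_qr_payload(sample, expected_host="example.org"))
```

The second sample shows why the preview matters: the link appears to start with the expected name, but the host the phone would actually contact is the one after the `@`.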

Posted in Safe Computing, Winter 2012 Edition