Quick Response (QR) codes live up to their promises by providing quick answers to products, services and events. However, security experts warn about potential threats to data security.

Abuse of the trendy strings for social engineering attacks and sophisticated scams with QR-code scans can put not only personal information of individual users at risk, but the entire information security of enterprises. The risk has been rising in recent years since QR codes started becoming more and more popular in the advertising industry for gaining customer loyalty and developing an appropriate brand image. Appearing like squares with integrated labyrinths at first glance, they can be scanned with a mobile phone camera and in an instant reveal a link to a brand portal and the mobile Internet.

Originally from Japan, QR codes were first developed and used in the early 90s by Toyota to mark assemblies and components in the automotive production and only later gained popularity in the advertising industry. Today, the square bar code adorns virtually every consumer product or service. The black and white matrix can be found on packaging, posters and billboards, in magazines and newspapers - and at first sight seems pretty unimpressive. But in reality, the accumulation of small dots and squares is no less than a stepping stone from the offline to the online world, allowing fast access to information via mobile Internet portals.

QR codes can be decrypted to reveal their information pool with free reading programs from the Internet, which run on most Java-enabled mobile phones. The mobile phone camera photographs the code, hands it on to the Java application for decryption, which in turn makes the browser of the phone open the page with the additional information. For sales and marketing experts this is a dream come true, since they can lead their customers, practically free of costs, to very targeted information about their products and services.

According to an eBay study of December 2011, the potential of generating direct revenues this way is tremendous: 48% of the respondents would have purchased immediately online, if they found a QR code on an interesting product. Thus, the QR code mutates literally to the smallest online store in the world, increasingly embraced by manufacturers as a sales booster.

The fact that users really enjoy the convenience of the scan and browse experience offered by the QR code, is exactly what makes the coded information carrier interesting for hackers. Cyber criminals take advantage of the growing popularity of QR codes with so-called social engineering attacks, which means that they exploit human characteristics and weaknesses to acquire information illegally.

The human "weakness" in dealing with QR codes is not only pure curiosity of what happens when a code is read, but also unawareness. Users assume that they can “trust” the integrity of the code provider and that the code from the selected destination address is legitimate.

Small square, large target

As the code is hidden in many small dots, untraceable for individuals, internet fraudsters and data thieves have a walk-over in leading the mobile user to malicious sites or malware. Moreover, so-called QR code scanners for smartphones often have a direct connection to other smartphone features such as email, SMS, local services and app installations, which increases the potential risk to the mobile device itself and opens the door for viruses, worms and malicious code. Hence, the small square provides hackers with a much easier target that it would seem at first glance.

The first step of an attack is the clever distribution of the code to the potential victims. A simple but very efficient distribution option is to embed the code in an email, where it can serve as bait for a phishing attack. Most often, faulty QR codes are widely spread on documents appearing trustworthy, such as flyers for trade shows and seminars, or in the form of vouchers and authentic-looking labels, as used for certain promotional activities.

Beware of Virtual Pickpockets

Once the code is circulated, the attacker has a variety of options he can choose from for fraud. QR codes could lead the user, for instance, directly to false websites or online stores to collect their credit card information. More sophisticated attacks could direct the user to sites conducting a “jailbreak”, removing all use restrictions on the end device and providing access to the operating system. Like a so-called “drive-by download”, the hacker can then install malicious software applications, such as key loggers and GPS trackers, on the mobile device - without knowledge or consent of the user.

Perhaps the greatest potential risk for mobile users is the growing implementation of online banking and payments over the phone, since these transactions provide a vast amount of highly sensitive bank account-, credit card-, and financial information. Hackers can operate as virtual pickpockets in "mobile wallets" by using QR codes, cracking mobile devices and settling in with applications. Further danger comes from already existing QR-based payment solutions, which are right now still used very little, but are expected to rise rapidly with increasing public acceptance of QR codes.

Clever Scanners, Data Encryption and Education for Protection

The most important precaution to avoid risks regarding hip QR-codes lies in the early revelation of their secret information. Users should be able to find out all details on which link or source code is called up immediately when scanning the square. Some "smart" QR-code scanners already offer this essential transparency and ask if a certain link or action should actually be executed or not. This gives the user the ability to assess the validity of a link before the scanned code is enabled.

For company smartphones, a data encryption solution should be considered, keeping confidential business data protected against hackers even when a defective QR-code is installing a Trojan or other malware on the mobile device.

Continuous education, higher awareness and a comprehensive enterprise-wide integrated security solution is crucial for dealing with new threats such as malicious QR codes. Be aware of risks, while exploiting the full potential of mobile channels with QR codes that are last but not least a predestined point of contact for business.

By Daniela La Marca