Matthew Lowe from Ivanti explains why and how stakeholders must act to minimise security threats posed by the use of QR codes to curb the spread of COVID-19.
With businesses reopening in NSW and other parts of the country in the coming weeks, QR codes will once again become a central part of our lives.
These are being implemented for COVID-safe check-ins with integrated proof of vaccination, and even across financial institutions.
However, QR codes are a favourite threat vector among hackers, and signal an imminent threat to privacy if utilised by businesses without precautions.
Service NSW is not the only organisation relying on QR codes to keep the state moving. EFTPOS just announced a new payment system via QR code that is likely to be rolled out at major retail venues across the country before Christmas. In addition, many travel or vaccination certificates being created across the globe are based on QR codes.
Because QR codes allow us to access many of our favourite day-to-day freedoms amid a pandemic, consumers have developed high levels of trust in them, when the reality is that they are far from secure. In fact, almost a third of respondents to our latest global survey said that QR codes have directed them to a suspicious site or caused unexpected actions.
The nature of the threat
For years, we have encouraged users to be aware of links before they click on them and to look for telltale signs in the URL that it may not be trustworthy. However, with QR codes, there is no way for users to tell at face value whether a code is malicious.
Also concerning is how easy QR codes are to build as well as hack. These have become accessible and opportunistic targets for hackers, with easy scripts and tools available to create malicious codes and embed links triggering malware or phishing attacks.
Hackers have been known to create adhesive labels with malicious QR codes and paste these over legitimate QR codes, allowing them to intercept or sit in the middle of transactions and capture payment information.
A malicious QR code can provide an avenue for loss of data from the device, provide access to contacts, and even send email from the device or initiate a payment, all without the user’s knowledge or interaction.
Consumers are the primary targets of these attacks, but the attacks are just as likely to impact organisations, and more specifically employers, in the future as well. A study from last year shows that 36 per cent of Australian workers access their company data with personal devices, and it is certain this number is even higher now. The probability that hacked devices are connected to sensitive company data is high, and there’s a need to take measures and educate consumers and employers alike on how to protect themselves from malware.
Potential defences
There are actions that can be taken at both the user and organisational level to reduce the likelihood of malicious attacks and privacy or data breaches.
At the user level:
At the organisational level:
Alongside a boom in QR codes, we could see a surge in data breaches and mobile devices being hacked across the country if we don’t take the aforementioned precautions.
Matthew Lowe is the area VP for ANZ at Ivanti.