The Risk is Not in the QR Code, but in Where the Code Directs You

Super Bowl 2022 is almost two weeks old now, and most of us have moved on. But one thing left a lasting impression on the cybersecurity community, and we think it still deserves attention.

It wasn’t the game itself, of course, but one of the commercials that had the community talking. An odd attention-getter, and not one of this year’s celebrity-packed, movie-like productions, this ad showed nothing but a colorful dancing QR code on the screen.

The ad by Coinbase was memorable, not so much because of the company behind it, nor because of its weirdness, but because of the resulting flood of disapproving commentary and discussion that came from the cybersecurity world – a knuckle-rapping of sorts from experts calling out the QR code (or use of it) as not secure.

What was the Coinbase Superbowl Commercial?

Coinbase launched what seemed like an ingenious ad with a colorful dancing QR code. Curious viewers could point their phone cameras at the code and be sent to a website, where $15 awaited anyone who signed up for the service over the following two days. So many viewers scanned the QR code that the Coinbase site crashed under the load.

But the bigger problem, as seen by the security community, was that Coinbase was encouraging what experts regard as an irresponsible, unverified use of QR codes: scan whatever appears on a screen and follow wherever it leads, a habit that bad actors can exploit. Much debate and negative press ensued around the ubiquitous QR code.

Hank Schless, senior manager of security solutions at Lookout, had this to say:

“The real risk in this situation is if someone edits the commercial and adds a malicious QR code to it, especially on social media platforms.”

In fact, the ad aired just a few weeks after a public service announcement from the FBI, which aimed to draw attention to the rise in the malicious use of QR codes by cybercriminals in an effort to steal personal information.

QR Codes are everywhere now – from advertisers to banks to restaurants to retail – both on- and offline. So, What’s the Problem with QR Codes?

What are the potential security risks around QR Codes?

The fear around the malicious use of QR codes is warranted. HOWEVER, the risk is not in the QR code or the technology, but in the destination the QR code takes the user to. A QR code is nothing more than a visual encoding of a short string of data; the scanning device decides what to do with that string, and most camera apps will open it as a URL. Think of the QR code as a tool, like a hammer, which can be used for good or for evil.

Here are some of the ways QR codes can be abused:

  • Flyers or printed material could be distributed containing QR codes that direct users to malicious web pages and prompt them to download software that steals data.
  • Bad actors could copy ads and swap in malicious QR codes that direct users to a different landing page than the one intended by the original ad.
  • Counterfeit QR code stickers could be pasted over legitimate ones, directing users to phishing websites rather than the offer page originally intended.

What’s the Difference Between an Insecure and a Secure QR Code?

If the code is static, that is, the same code is printed or displayed repeatedly and simply carries a link to a website, then whoever controls the code controls where the user ends up. Copy it, alter it, or paste a different one over it, and the user is redirected without any way to tell the difference.

It is also about what is encoded in the image: an active link that the scanner will follow, or an identity payload that only a specific app knows how to act on.

If, on the other hand, the code is generated for a single login attempt, tied to that session with the provider, and expires after a short window, a copy of it is of little use to an attacker: by the time it could be altered or redistributed, it has already been consumed or timed out, and it no longer exists to be exploited.

It’s important to know how the technology is being used. With some security solutions, for example, a user’s built-in camera (no app required) scans a QR code containing a link, which then directs the user to an online location. While this may be perceived as an advantage, NOT tying the authentication directly to the provider and the user leaves the user exposed to the same substitution attacks as any other link: the camera app will follow whatever URL the code contains, so an attacker who presents a different QR code can redirect the user to a malicious login page.
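To make the static-versus-one-time distinction concrete, here is an added example (not TraitWare’s code, and not from the original post) of a hypothetical QR login flow in Python. The server mints a short-lived, one-time nonce only after the browser asks for it, the enrolled phone app signs the nonce with a key it received at enrollment, and the server refuses replays, expired codes and forged signatures, binding a successful login to the browser session that requested the code. The `authreq:` prefix, the device and session names, the HMAC-based signature and the 60-second lifetime are all assumptions made for this example. The payload is an opaque token rather than a URL, so a plain camera app that scans it has nowhere to go, and the app ignores anything that is not a login code.

```python
"""Added example: a one-time, session-bound QR login nonce versus a static URL.

Hypothetical design for illustration (not TraitWare's implementation).
Keys, device IDs and session IDs are constructed inline so it runs offline.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PREFIX = "authreq:"   # assumed payload prefix; only the enrolled app acts on it


@dataclass
class PendingLogin:
    browser_session: str    # the browser tab that requested the code
    expires_at: float       # absolute time after which the nonce is dead
    consumed: bool = False  # one-time use: flipped on first successful login


class QRLoginServer:
    """Server side: mints nonces, verifies the app's response, binds the login."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be simulated
        self.pending = {}           # nonce -> PendingLogin
        self.devices = {}           # device_id -> key shared at enrollment
        self.logged_in = {}         # browser_session -> device_id

    def enroll_device(self, device_id, key):
        self.devices[device_id] = key

    def request_qr(self, browser_session):
        """The user visits the login page first; the page asks for a code."""
        nonce = secrets.token_urlsafe(32)
        self.pending[nonce] = PendingLogin(browser_session, self.clock() + self.ttl)
        # Opaque token, not a URL: a plain camera app has nowhere to send the user.
        return PREFIX + nonce

    def complete(self, device_id, nonce, mac):
        """Called by the enrolled app with its signature over the scanned nonce."""
        key = self.devices.get(device_id)
        entry = self.pending.get(nonce)
        if key is None or entry is None:
            return False, "unknown device or nonce"
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        if entry.consumed:
            return False, "already used"
        if self.clock() > entry.expires_at:
            return False, "expired"
        entry.consumed = True
        self.logged_in[entry.browser_session] = device_id
        return True, entry.browser_session


class AuthenticatorApp:
    """Enrolled phone app: the only thing that can turn the payload into a login."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key

    def scan(self, payload):
        """Return (device_id, nonce, mac) for a login code, None for anything else."""
        if not payload.startswith(PREFIX):
            return None     # a URL or arbitrary text is ignored; the app never navigates
        nonce = payload[len(PREFIX):]
        mac = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()
        return self.device_id, nonce, mac


def demo():
    """Walk through the flow and its failure modes; returns the outcomes."""
    now = [1_000_000.0]                              # simulated clock
    server = QRLoginServer(ttl_seconds=60, clock=lambda: now[0])
    key = secrets.token_bytes(32)                    # constructed enrollment key
    server.enroll_device("phone-1", key)
    app = AuthenticatorApp("phone-1", key)
    results = {}

    payload = server.request_qr("browser-A")         # legitimate login
    results["login"] = server.complete(*app.scan(payload))[0]
    results["replay"] = server.complete(*app.scan(payload))[0]   # same code again
    results["session_bound_to"] = server.logged_in.get("browser-A")

    payload2 = server.request_qr("browser-B")        # code left unused too long
    now[0] += 61
    results["expired"] = server.complete(*app.scan(payload2))[0]

    # A substituted static QR that carries a URL is simply not a login code.
    results["url_ignored"] = app.scan("https://example.invalid/offer") is None

    rogue = AuthenticatorApp("phone-1", b"not-the-enrolled-key")   # wrong key
    results["forged"] = server.complete(*rogue.scan(server.request_qr("browser-C")))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legitimate login succeeding and the replay, expired, substituted-URL and forged cases all failing. The point of the design is that the image on screen carries nothing an attacker can redirect: there is no URL to follow, the nonce is useless without the enrollment key, and it dies on first use or when the timer runs out.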

The Right Use of the QR Code

As mentioned, the QR code itself is not insecure. There’s nothing wrong with the technology. Rather, it’s HOW the code is being used.

TraitWare, which provides Passwordless Multi-Factor Authentication (MFA) and Single Sign-On (SSO) for login, uses the QR code as an authentication tool that delivers a one-time code that times out. TraitWare’s QR code doesn’t take the user anywhere, does not collect personal data, and does nothing when scanned by anything other than the TraitWare app. With TraitWare, you have to visit the login page first and request the code. For customers still not convinced by the QR approach, or for facilities that do not allow cameras, TraitWare offers alternative access options and authentication factors.

For more information about TraitWare for Real Passwordless MFA+SSO for True Zero Trust Access / Simple Secure Login, please reach out any time.