The Dangers of QR Codes

At the HCRCWA AGM on March 9, cyber security expert P. Ariss took us through a number of instances where QR codes are being used to scam the public. There was one instance in February where someone had replaced the QR codes on approximately 75 Kelowna parking meters directing people to the fraudster’s website. RCMP quickly identified and arrested three individuals.

The Government of Canada has a website titled “Canadian Centre for Cyber Security – Security considerations for QR codes” that deals directly with the fraudulent use of QR codes. The following information takes some of the highlights from that website to help you identify and understand the risks of using QR codes.

A Quick Response (QR) code is a small white square with two-dimensional black markings, similar in look to a barcode. QR codes contain information that can be read by your device through a camera lens.

Once scanned, decoded text of the QR code can trigger actions such as:

Opening a website
Downloading an app
Joining a Wi-Fi network
Verifying information
Creating a contact
Sending an email message
Dialing a phone number

QR codes can contain personal information. They can execute an action that prompts you to enter personal information. Once this information has been entered, scanning the QR code will display the stored information on your device.

By scanning a QR code you could be susceptible to the following risks:

Tracking your online activity by websites using cookies, meaning your data can be collected and used for marketing purposes.
Exposing financial data, such as your credit card number, if you used it to purchase goods or services on the website.
The actions the QR code performs can also pose risks, such as allowing threat actors to infect devices with malware, steal personal information, or conduct phishing scams.

How QR codes can attack you:

Cloning: Threat actors clone an authentic QR code that redirects you to a malicious site or infects your device with malware to extract your personal data when you scan it.
Leveraging: Malicious QR codes can direct users to legitimate-looking websites designed to steal credentials or credit card data.
Quishing: Threat actors can use a QR code inside a phishing email, or to direct the user to a phishing website which prompts the user to disclose personal information.
Scanning apps: Threat actors can use third party scanner apps to spread malware and gain access to some privacy settings on your mobile device, such as viewing your network connections or modifying the contents of your USB storage.

Here are some things to avoid if you are using QR codes:

Authorizing your device to automatically execute the QR code action.
Scanning a QR code posted in a public setting, such as in a public transit station or advertisements on the street.
Scanning a QR code printed on a label that could be covering another QR code (i.e. a Kelowna parking meter).
Scanning QR codes received in emails or text messages unless you know they are legitimate.
Using QR scanner apps from unknown companies or institutions.
Putting convenience before security. Type in a website URL to view content, such as an online restaurant menu, instead of scanning a QR code.

Some people, including myself, have eschewed the use of QR codes altogether believing the risks outweigh any convenience.

Dave Schroeder
HCRCWA Board Member

Tagscrime crime watch priddis turner valley