QR codes are everywhere and, as it turns out, most of us are using them! According to a recent consumer sentiment study conducted by MobileIron, 40% of respondents have scanned a QR code in the past week, and 86% have scanned one in the past year. That’s a lot of people. But what are all those codes being used for, and could they potentially do something unexpected?
QR code ≠ URL
Most people (67%) know that scanning a QR code can open a URL, and that is currently the most frequent use case for QR codes. However, that may be changing. Thanks to Covid-19 and our shift to a touchless world, new uses for QR codes are springing up, and our dependence on them is increasing as we navigate this new world.
The “QR” in QR code is short for “quick response,” and that’s just what it is: a small code that causes a device to immediately take a defined action when the code is scanned by a compatible device, such as a smartphone. Because QR codes are a reliable tool for users in a touchless world, there has been a significant uptick in QR code use in recent months. For example, by using a simple QR code, restaurants can provide menus, doctors can check in patients, and retailers can allow customers to make payments.
Because QR codes are so convenient, most people (53%) want to see them used more broadly in the future. However, because QR codes can initiate a variety of actions beyond simply opening a URL and taking you to a landing page, an increase in use of QR codes comes with a variety of risks.
The other things a QR code can do
Most people are accustomed to scanning QR codes for simple tasks like opening a URL or checking in, but QR codes are becoming increasingly common in many places that people live and work. According to our data, over a third of respondents have scanned at restaurants/bars (38%) or retailers such as supermarkets or electronics stores (37%), and 32% have scanned on product packaging. While less common, respondents note scanning at places of recreation like movie theaters and bowling alleys (12%), at financial institutions (11%), at their places of work (11%), while traveling (10%), at doctors offices (9%), and even at fitness locations (8%).
Given that we use QR codes in so many locations, it’s surprising that we aren’t very familiar with everything they can do. Here are just a few of the actions a QR code can prompt your device to take:
Make a phone call, draft an email, or write a text message: QR codes can cause your phone to initiate a phone call that can expose your caller ID information, or draft an
email and populate the recipient and subject line, or write a text message with a predetermined recipient.
- Reveal your location: A QR code can send your geolocation to an app.
- Create a calendar invite: A QR code can be used to place a meeting on your calendar without your knowledge, including any text or links within the invite.
- Add a preferred WiFi network: A QR code can include credentials for automatic network connection and authentication.
- Add a contact listing: QR codes can automatically create a new contact listing on your phone.
- Follow social media accounts: A QR code can cause one of your social media accounts to follow a predefined account.
- Make a payment: A QR code can facilitate a payment within a few seconds.
Payments are an increasingly common use case for QR codes. In fact, CVS is equipping 8,000 stores with touchless payment technology that will enable them to accept Paypal and Venmo payments via QR code. As companies continue to innovate to accommodate for a Covid and post-Covid world, even more touchless payment options will arise. But with them come some serious security considerations.
While half of respondents have concerns about using QR codes, only 15% are concerned enough not to use them, leaving those who do choose to scan vulnerable. Without proper device security (which 31% say they don’t have, and another 20% aren’t sure if they do), a malicious actor could easily spoof a QR code and have it direct unsuspecting victims to take a number of actions, as outlined above.
So why should we care? Well, given that QR codes are going to continue to increase in popularity, we can assume that hackers are going to also take advantage of their security gaps and use them to wage attacks. From launching phishing attacks to automatically downloading malware to stealing banking or financial account information, the risks are many and varied, and we all need to be mindful of them when we’re all out there in the world scanning away.
Contact us for more information on how MobileIron Threat Defense can protect devices from attacks waged at the device, network and application level – including contactless QR code phishing attacks.