12-Jan-2012 15:58
QR Codes - Business Opportunity or Criminal Abuse?
Security experts have urged caution over the increasing use of QR codes on smartphones, claiming that they could become a likely target for hackers and malicious users actively seeking to steal your personal data.
The strange black squares that have been cropping up in increasing numbers in magazines and newspapers, and on posters, tickets and websites, are likely to become even more commonplace in 2012, with many companies utilising them in increasing numbers.
However, presuming they are harmless could be playing into the hands of cyber criminals.
According to a recent study, around 50% of the 1,200 consumers surveyed interacted with a QR code when they saw one, with 21% then going on to share personal information.
Curiosity and information-gathering were the primary reasons for wanting to scan a code, and the promise of discounts and special offers seemed to be the most effective way to generate interest.
A QR matrix barcode can store alphanumeric characters in the form of text or URLs – all you need to “visualise” such a code is a smartphone with a camera and a QR reader application to scan it.
The code would typically direct you to a website; however, it can also promote online videos, send text messages and e-mails, or install and launch apps.
Fast, easy and very popular, QR codes are clearly a convenient way to stay informed anytime, anywhere. But the downside is that you often don’t know the content of a QR code until you scan it.
For this very reason you should take the same degree of care when scanning a QR code as you would when downloading an unknown file on the internet.
Cyber-attackers might use these codes to redirect you to malicious websites that ask you to download applications that may be infected with malware.
These, in turn, could:
Make your calendar, contacts and credit card information (if you shop or bank online using your smartphone) visible to cybercriminals.
Attempt to steal your Google or Facebook password – many apps are integrated with various social networks. As a result, some users may enter their information without suspecting that it is being sent to an illegitimate source.
Track your location.
Install keylogging software.
Send an SMS to a premium number, racking up your phone bill.
“Jailbreak” a device and distribute additional malware.
Redirect users to malicious applications.
So if you care about your mobile security, you'd be wise to stay away from malicious QR codes!
One notable attack via QR code took place in Russia in 2011, and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” started to send a series of expensive text messages (which cost £4 each), racking up unwanted charges.
This is just one of the ways malicious users can take advantage of these codes in order to gain control over a smartphone, so it goes without saying that users should take particular care of what they’re scanning and be aware of what they’re expecting to find.
So how can you spot and avoid malicious QR codes?
1. Educate children on the nature of QR codes – with many youngsters now sporting smartphones it could be all too tempting for them to scan these codes simply out of curiosity, which could leave them at risk of attacks similar to those described above. Better yet, installing a mobile security suite can help protect them against hidden threats, offering you significant peace of mind.
2. Use a mobile QR code-/barcode-scanning app that previews URLs. Avoid scanning suspicious codes and links that don’t seem to match the ads they’re incorporated in; also avoid shortened links.
3. Don’t scan QR codes in the form of stickers placed randomly on walls or billboards. QR codes can be generated by anybody and placed in public places with the intention of piquing an individual’s curiosity, and unless the message gets out there that these may not all be from legitimate sources, scammers will look to take advantage of this relatively new technology to further their own ends.
4. Be extra careful if your smartphone works on the Android mobile operating system. Android is an open platform, which means that its source code can be examined by criminals and exploited more easily when they find a weakness in, for example, the Android browser. That’s why most malicious apps transmitted via QR codes target Android-based smartphones. So, make sure your Android browser is always up to date and only scan QR codes from trusted sources.
5. Be particularly wary of QR codes that are linked to monetary and transaction services – these direct links to money are typically prioritised by malicious third parties when choosing how and where to attack.
6. Consider installing a mobile security app.
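Tip 2 depends on seeing what a code will do before acting on it. As an added example (not part of the original article), this Python function previews an already-decoded QR payload and lists what to check; the function name, the shortener list and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample list only (assumption): extend with the shorteners you actually see.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
# Non-web payload prefixes used by common QR generators, and what they trigger.
ACTIONS = {"smsto": "sends a text message", "sms": "sends a text message",
           "tel": "dials a number", "mailto": "composes an e-mail",
           "matmsg": "composes an e-mail", "market": "opens an app store listing"}
# Constructed sample payloads (not taken from any real QR code).
SAMPLES = ["https://www.example.com/offers", "http://bit.ly/xyz123",
           "SMSTO:+440000000000:JOIN", "http://203.0.113.7/update/app.apk"]


def preview_qr_payload(payload):
    """Return (kind, warnings) for a decoded QR payload, without opening it."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in ACTIONS:
        return "action", [f"{ACTIONS[scheme]} when opened: check the recipient first"]
    if scheme not in ("http", "https"):
        return "text", []  # plain text or a scheme this preview does not handle
    try:
        parts = urlsplit(text)
    except ValueError:
        return "url", ["malformed URL"]
    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("plain HTTP, no transport encryption")
    if host in SHORTENERS:
        warnings.append("shortened link hides the real destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if "@" in parts.netloc:
        warnings.append("user-info before '@' can disguise the real host")
    if parts.path.lower().endswith(".apk"):
        warnings.append("direct Android app download outside an app store")
    return "url", warnings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preview_qr_payload(sample))
```

An empty warning list only means none of these checks fired; it does not vouch for the site behind the link.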
So be careful out there folks; the world of technology is rapidly evolving, mostly for the better, but we must remain fully aware of possible misuses and abuses & apply our common sense whenever possible…
Norman Feiner, Managing Director - SimplyFone Ltd
(Idea for Blog, Source: Comms Business)