
QR Code Security

What is QR Code Security?

A quick response (QR) code is a type of barcode that stores information as a series of pixels in a borderless square-shaped grid to be read by a digital device. When a QR code graphic is positioned in front of the lens of a smartphone camera, the code is read by the device, and it immediately triggers a response. QR codes were developed in the mid-1990s for manufacturing and inventory control, and they are now used for many purposes including marketing, advertising, authentication, accessing Wi-Fi, payments, app downloading, medical purposes, and sharing documents.

QR codes make transactions fast and easy, which makes them attractive attack vectors for cyberattackers who can use them for malicious activities or for profit. Cyberattackers can embed malicious code into QR codes, and then place the QR codes in public spaces where curious people may scan them. Cyberattackers may also cover up a legitimate QR code and replace it with a malicious one. Since humans cannot read QR codes, they are unable to detect a fraudulent QR code, which makes it easier for cyberattackers to carry out this type of attack. Some of the things that a malicious QR code can do include [1]:

  • Adding unwanted and potentially malicious contacts to your contact list
  • Connecting a device to a malicious network
  • Sending text messages to contacts in your address book
  • Sending emails to contacts in your address book
  • Making outgoing calls to phone numbers that incur charges on your phone
  • Compromising financial data and accounts
  • Sending payments to an unrecoverable destination
  • Capturing your personal data, such as login credentials
  • Tracking your geolocation

The following tips will help you to protect yourself from malicious QR codes and their related consequences:

  • Do not scan randomly found QR codes
  • Be suspicious of QR codes that lead to your being asked to supply a password or login credentials
  • Do not scan QR codes that you receive in emails, unless you are certain about their legitimacy
  • Do not scan QR codes that are applied over another QR code, unless you are certain about their legitimacy
  • Use QR scanners that you know and trust
  • Never download apps from QR codes
  • After scanning a QR code, check the destination URL for accuracy before proceeding
  • Do not make electronic payments via QR code
  • Turn on multi-factor authentication (MFA), which helps to protect your sensitive accounts
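The tips above amount to "look at what the code decodes to before the phone acts on it". As an added example (not from the cited fact sheet), the Python below takes the raw text a scanner has decoded, works out which of the actions listed earlier it would trigger (join a network, call, text, email, add a contact, open a URL or hand off to an app), and returns the target to verify plus the warnings a user should see first. The payload prefixes it recognises (WIFI:, tel:, sms:/SMSTO:, mailto:, MECARD:, BEGIN:VCARD) are the common de-facto QR conventions, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit
# Added example: review a decoded QR payload before acting on it. Maps the text
# to the action a phone would take and flags the risky ones named on this page.
# Prefixes (WIFI:, tel:, sms:/SMSTO:, mailto:, MECARD:, BEGIN:VCARD) are the
# usual de-facto QR payload conventions, not a formal standard.

def _wifi_fields(body: str) -> dict:
    # "T:WPA;S:Cafe;P:secret;;" -> {"T": "WPA", "S": "Cafe", "P": "secret"}
    return dict(part.split(":", 1) for part in body.split(";") if ":" in part)

def inspect_qr_payload(payload: str) -> dict:
    """Describe what acting on the decoded payload would do and why to pause."""
    text = payload.strip()
    upper = text.upper()
    warnings = []
    if upper.startswith("WIFI:"):
        fields = _wifi_fields(text[5:])
        action, target = "join network", fields.get("S", "?")
        warnings.append("connects this device to a network you did not choose")
        if fields.get("T", "nopass").lower() in ("", "nopass"):
            warnings.append("network is open (no encryption)")
    elif upper.startswith("TEL:"):
        action, target = "call number", text[4:]
        warnings.append("outgoing call; premium numbers incur charges")
    elif upper.startswith(("SMS:", "SMSTO:")):
        action, target = "send text", text.split(":", 2)[1]
        warnings.append("sends a text message from your phone")
    elif upper.startswith("MAILTO:"):
        action, target = "send email", text[7:].split("?", 1)[0]
        warnings.append("composes an email from your account")
    elif upper.startswith(("MECARD:", "BEGIN:VCARD")):
        action, target = "add contact", "(contact card)"
        warnings.append("adds an unvetted entry to your address book")
    else:
        parts = urlsplit(text)
        if parts.scheme in ("http", "https") and parts.netloc:
            action, target = "open URL", parts.netloc  # the host the user must verify
            if parts.scheme == "http":
                warnings.append("unencrypted link; never enter credentials on it")
        elif parts.scheme:
            action, target = "open app link", parts.scheme + ":"
            warnings.append("hands the payload to another app (app install or deep link)")
        else:
            action, target = "show text", text[:40]
    return {"action": action, "target": target, "warnings": warnings}

if __name__ == "__main__":  # constructed sample payloads
    for s in ("WIFI:T:nopass;S:FreeCafeWiFi;;", "http://bank.example/login", "Table 12"):
        print(s, "->", inspect_qr_payload(s))
```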

[1] Roche, 2021, “Cybersecurity Fact Sheet: QR Codes”