QRurb Your Enthusiasm: The Growing Risks of QR Codes · 2020. 10. 28.

490 East Middlefield Road, Mountain View, CA 94043
www.mobileiron.com
Tel: +1.877.819.3451 • Fax: +1.650.919.8006
091820QRCR-v1.2-EN-US


QR codes have been around for decades, but only recently have they gone mainstream around the world. Today they’re used for ad promotions, marketing campaigns, app downloads, access control, mobile payments, and countless other use cases. Within the past few years, their use has skyrocketed for at least a couple of reasons:

1. QR codes are more accessible than ever. In 2016, many Android devices installed QR code scanning features directly in the native camera app, and iOS came out with a native QR code scanner in 2017. These built-in readers meant users no longer had to install separate scanners to read QR codes. In 2020, 81 percent of all U.S. adults own a smartphone, and nearly all of those devices can natively read a QR code with no third-party app required.

2. Contactless transactions are not just convenient, they’re now essential. Almost overnight, the COVID-19 pandemic turned mobile devices and apps into a lifeline for people across the globe. In a touchless world, we now rely on them for every transaction from order delivery and payment to contact tracing and visitor processing at border checkpoints. In fact, 46% of mobile users say they have scanned a QR code in the past week, while 72% of users have scanned a QR code in the past month.*

Convenience, cost, security. Pick two.

History has shown that whenever a technology becomes rapidly and widely adopted, the downsides can also be swift and dramatic. So while QR codes have proven to be easy to use and cost-effective, security has not kept up and hackers are now in on the game. QR codes can be used to direct users to a phishing website, download malicious software, or execute an attack that can hack into the device’s camera, microphone, and apps — all without the user knowing.

Now the question is, how can mobile users and organizations protect themselves from risky QR codes and still enjoy all of their incredibly convenient benefits?

58% of mobile users want to see QR codes used more broadly in the future.*

48% of users have privacy, security, financial or other concerns about using QR codes, but still use them anyway.*

[Figure: Convenience, Security, Cost]


What are QR codes and how are they used?

A quick response (QR) code is a 2D barcode that provides easy access to information through a smartphone. Today, nearly all mobile devices can natively read a QR code. The user simply points the device at a QR code, which opens a barcode reader app that works in conjunction with the phone’s camera.

QR codes can be used to make a call, send a message or email, make a payment, navigate to a location, download apps, access a store coupon, and more. QR codes have also been a dream technology for marketers because they can provide instant data about a campaign’s effectiveness and reach. They can capture the number of scans, geolocation, whether or not the scan converted to a purchase, or boosted followers on social media. And younger consumers like QR codes because they help curate the experience they want, whether it’s accessing product information at point of sale, avoiding checkout lines, or taking advantage of an in-store promotion.

83% of all mobile users have scanned a QR code before.*

Approximately 1/3 of mobile users have scanned a QR code from a restaurant, retailer, or consumer product.*


Can QR codes be hacked?

Established QR codes can’t be hacked because this would require the ability to rearrange the pixelated dots in the code’s square matrix. Instead, hackers can find ways to embed malicious software into QR codes they create themselves, but many users are completely unaware of the risk. In fact, 40% of users are either unsure or don’t believe that they can be hacked using a QR code.* This is why there’s always a risk in scanning a code that doesn’t come from a trusted sender.

Today, hackers can launch attacks across various mobile threat vectors, including emails, text and SMS messages, instant messages, social media, and other modes of communication. Here are just a few ways hackers can exploit a mobile device after a user scans a malicious QR code:

47% of users don’t have or don’t know if they have security software installed on their mobile devices.*

63% of users cannot distinguish between a legitimate and malicious QR code.*

Add a contact listing: Automatically add a new contact listing on the user’s phone, which could trigger an exploit.

Initiate a phone call: Cause the phone to call a number and expose the phone number to a malicious actor.

Text someone: Create a text message with a predetermined recipient.

Write an email: Draft an email and populate the recipient and subject lines.

Make a payment: Facilitate a payment within seconds. If the QR code is malicious, it could allow hackers to capture personal financial information.

Reveal the user’s location: Send the user’s geolocation info to an app.

Open a web page: Send the web browser to a predefined URL.

Create a calendar event: Place a meeting on the calendar and potentially expose the app’s data to hackers.

Follow social media accounts: Cause one of the user’s social media accounts to follow a predefined account and expose personal information.

Add a preferred Wi-Fi network: Include a credential for automatic network connection and authentication, and then introduce a malicious or compromised network on the device’s preferred network list.


What’s the future of QR codes?

We’ll likely see the use of QR codes continue to increase in the coming years, especially because they make things like payments, authentication, and other daily tasks so much easier in a contactless world. According to Juniper Research, by 2022, 5.3 billion QR code coupons will be redeemed by smartphones and one billion smartphones will access QR codes.

This is because QR codes are extremely cheap and easy to deploy, mobile users love them, and they can be used to create all kinds of experiences. For instance, after scanning a code, customers can enjoy an augmented reality (AR) experience in a new car they want to purchase. Or they can scan the code on an appliance and instantly envision what it would look like in the kitchen. Industries like healthcare already use QR codes in hospital settings, a trend that will likely accelerate because they provide a cost-effective way to improve patient care. A nurse or doctor can simply scan the QR code on a patient’s wristband and get the latest patient details, such as allergies, medications, the last time a dose was administered, and more. By eliminating manual data entry and lookup, QR codes have been a great way to help healthcare professionals deliver more efficient patient care while minimizing data entry errors.

53% of users plan to use a QR code as a payment method in the near future.*

45% of people would vote using a QR code received in the mail, if it was an option.*


The importance of mobile security

We’ve seen how easy it can be for hackers to use QR codes to gain access to mobile devices, apps, and data. The good news is, there are also easy ways to minimize these security risks — and it comes from a combination of user education and mobile device security that can prevent these types of exploits in the first place.

What users can do

Scan before you scan: Before scanning a code, especially one on printed material in a public place, make sure it hasn’t been pasted over with a different (and potentially malicious) code.

Ensure the company is legit: We know that phishing attacks can be extremely professional-looking and hard to detect. But if the source of the QR code seems sketchy, don’t scan! Also avoid URLs that differ from the legitimate URL of the company, especially if it redirects you to a different site.

Double check bit.ly links: If a bit.ly URL appears after scanning a QR code, check the link before clicking on it. Bit.ly is a free URL shortening service that can also be used by hackers to disguise malicious URLs. The good news is, you can safely preview a bit.ly link by adding a plus symbol (“+”) at the end of the URL. This will direct you to a page displaying the link’s information so you can determine if it’s legitimate or not.
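The action types listed earlier and the bit.ly check above can be combined into a triage step that shows what a decoded QR payload would do before anything is opened. This is an added example, not part of the original paper: the prefix table, function names and sample payloads are constructed for illustration, and the Wi-Fi payload is assumed to follow the common `WIFI:T:...;S:...;P:...;;` convention.

```python
import re
from urllib.parse import urlsplit

# Payload prefixes mapped to the actions listed in the paper (illustrative, not exhaustive).
ACTIONS = [
    ("BEGIN:VCARD", "add contact"), ("MECARD:", "add contact"),
    ("BEGIN:VEVENT", "create calendar event"), ("BEGIN:VCALENDAR", "create calendar event"),
    ("TEL:", "initiate phone call"), ("SMSTO:", "send text message"),
    ("SMS:", "send text message"), ("MAILTO:", "draft email"),
    ("GEO:", "open location"), ("WIFI:", "join Wi-Fi network"),
    ("HTTP://", "open web page"), ("HTTPS://", "open web page"),
]
SHORTENERS = {"bit.ly"}  # the shortener named in the text; extend as needed
# Constructed sample payloads, as a scanner would return them after decoding.
SAMPLES = ["WIFI:T:nopass;S:Free Airport WiFi;;", "https://bit.ly/example123", "tel:+15555550100"]

def parse_wifi(payload):
    """Parse 'WIFI:T:WPA;S:name;P:secret;;' into a dict, honouring backslash escapes."""
    fields = {}
    for part in re.split(r"(?<!\\);", payload[5:]):  # split on unescaped ';'
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)
    return fields

def triage(payload):
    """Return the action a decoded QR payload would trigger, plus warnings."""
    text = payload.strip()
    action = next((a for p, a in ACTIONS if text.upper().startswith(p)), "plain text")
    result = {"action": action, "warnings": []}
    if action == "join Wi-Fi network":
        wifi = parse_wifi(text)
        result["ssid"] = wifi.get("S", "")
        if wifi.get("T", "nopass").lower() == "nopass":
            result["warnings"].append("open network with no encryption")
    elif action == "open web page":
        url = urlsplit(text)
        result["host"] = url.hostname or ""
        if url.scheme.lower() == "http":
            result["warnings"].append("unencrypted http link")
        if result["host"] in SHORTENERS:
            # Appending '+' opens the bit.ly info page instead of redirecting.
            result["preview"] = text.split("?")[0].split("#")[0].rstrip("/") + "+"
            result["warnings"].append("shortened URL hides the destination")
    return result

if __name__ == "__main__":
    for s in SAMPLES: print(s, "->", triage(s))
```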

Eliminate passwords: Reduce the risk of data breaches that result from stolen credentials.

On-device detection and remediation for mobile threats: Machine learning-based protection against device-, network-, application-level and phishing attacks (DNAP). No Wi-Fi or cellular connectivity required.

Multi-vector anti-phishing: On-device machine learning and phishing URL lookup can be expanded to include cloud-based lookup for improved effectiveness.

The foundation for the industry’s first mobile-centric security platform.

Create and enforce compliance policies to secure your digital workplace.

Multi-tier security strategy: Device, Network, Application, Phishing

Attack vectors: Corporate email, In-app browsers, Text SMS, Messenger apps, Social media

What companies can do

As mentioned previously, research has shown that users typically have no idea what kind of security exists on their mobile devices, which can create huge security gaps on devices that also access company apps and data.

On-device mobile threat defense is critical for protecting against phishing and other malicious exploits that can leverage QR codes to bypass typical antivirus software. Specifically, organizations need a complete mobile security solution that protects against phishing attacks as well as device, app, and network threats — one that’s always on and continually updated even without network connectivity. And, by expanding the use of multi-factor authentication, companies can also eliminate passwords — one of the top causes of phishing-related data breaches.


MobileIron covers all of your mobile security bases

By combining MobileIron Threat Defense (MTD) with MobileIron Zero Sign-on (ZSO), on a secure foundation of MobileIron Unified Endpoint Management (UEM), organizations can detect and remediate mobile threats on any device, remove the pain of passwords, and enable secure and seamless access to enterprise services. With MobileIron, customers get a complete, layered zero trust security solution that protects users, devices, apps, and data wherever they work. To learn more about the importance of mobile security, please visit www.mobileiron.com

*MobileIron, “QR Code Consumer Sentiment Survey,” Sept. 2020. https://www.mobileiron.com/en/qriosity