Smartphone users may not realize it, but they have a built-in scanner that gives them an entirely different way to interact with the world around them. Some researchers worry, however, that proper mobile device management isn’t in place to protect against potential QR threats.
Most people know them on sight if not by name: The black-and-white checkered boxes on advertisements, storefronts, in magazines or left hanging in strange places known as quick response(QR) codes. By scanning them with a mobile device consumers can learn things about a product or service or whatever the coder intends. That’s precisely what worries some experts like Scott McKinnel of New Zealand.
“There’s a body of evidence to say that people writing QR code-reading applications aren’t thinking about security,” said McKinnel in an interview with CSO Magazine.
A study by market research firm Chadwick Martin Bailey found that only 21 percent of respondents actually know what a QR code is by name, though 81 percent know them on sight. Only about half of all smartphone users have ever used the codes, meaning that knowing how codes work or what they even are doesn’t necessarily factor into whether consumers will scan them or not. If smartphone owners are scanning QR codes without knowing anything about them, the possibility for data security breaches could be even greater, as users won’t take steps to protect themselves.
As the complexity and diversity of codes become farther reaching, the concern is that they will unknowingly open more smartphone users to malware and other threats. McKinnel pointed out that it wouldn’t be difficult for a hacker to read the QR code, print another leading to a malicious URL and simply paste it over the original, giving no indication to users or original posters that anything is wrong.
This is particularly troubling as usage becomes more widespread. Ritz-Carlton hotels recently began using QR codes in various places throughout their establishments to provide customers with useful or fun information throughout their stay, from wine pairings to scavenger hunts. A University of Minnesota class has begun a project to increase forestry awareness in St. Paul by hanging QR codes on different kinds of trees around campus. They’re currently seeking a grant to get funding for more permanent placards, as the current signs are too flimsy to stand up to the elements.
One of the most intriguing uses, and perhaps the one with the highest data security risk, comes from Sweden. The nation already uses QR-coded coins, but now it intends to issue paper money with the codes as well. The issuing bank, Svergis Riksbank, may be printing all the new notes, but that doesn’t mean officials aren’t worried about security. Similar to McKinnel’s concerns, the bank is aware that in Sweden and other parts of the world, QR codes have been linked to malicious sites and have been involved in hacking incidents.
A statement from the bank acknowledged the original release of the bills should have taken place in 2015, but no current data is being given at this point. Svergis Riksbank says that QR codes in their current form are “neither practical nor appropriate” due to ongoing security concerns.