The Hidden Danger of QR Codes
I am very glad that you are reading my article again, dear friends! What danger could a QR code possibly pose? It turns out that you can lose cryptocurrency, fiat money and website logins to several attacks that are built on the mechanics of QR codes.
Let’s study these attacks and see how we can defend against them!
In this article I will be referring to various amazing authors and resources; I strongly recommend that you study them separately on your own. The reference list is at the end of the article. Enjoy reading!
Special Thanks:
The cover for this article was done by my good friend and artist RegulLion. We know each other well, so in case I disappear, he’ll have the exact details of me. Consider this my canary. In this article you will see other works; they have no scientific meaning, but I would like to include them to help you picture what we are talking about and put you in the right frame of mind! Much thanks for the help with editing as well!
- Much thanks to Peachs for help with editing & proofreading!
- Much thanks to Deer from Telegram for help with proofreading!
I – What is a QR code?
A QR code is a
This is a string of text, and it’s typically a URL or link to a website or a merchant’s official account on a payment system. Scanning a QR code saves a user the trouble of typing out a long address in a web browser or manually entering a merchant’s username or number in a payment app, among other advantages.
According to
Aztec code is a 2D, or matrix, machine-readable code that is similar in many ways to a QR code and can hold more information than a linear barcode. It was initially developed for logistics, and you may see it on packages and envelopes when more data needs to be stored than a linear barcode can hold.
Other types of 2D barcodes can contain an extremely dense amount of data. The PDF417 format found on the back of most driver’s licenses in the United States, for example, can encode up to 1800 ASCII characters.
PDF417 codes like the above can encode text, numbers, files, and actual data bytes, and they’re more resistant to errors than linear barcodes. Companies like FedEx use a combination of PDF417 and other barcodes on packing slips to automate delivery and tracking.
QR codes started in the automotive industry as a way to track cars during manufacturing but quickly grew in popularity outside that industry. Like other 2D codes, QR codes can pack a lot of data, and thanks to built-in error correction they can still be read when printed at low resolution or partially damaged.
One fascinating application of QR codes enabled by their larger data capacity is using them to
The convenience QR codes offer and the ubiquity of mobile devices have contributed greatly to the widespread use of these two-dimensional barcodes. However, their popularity has also created fertile ground for malicious actors to spruce up their QR code malware toolkit to steal not only personal information but also hard-earned assets that are impossible to recover once lost. Threats involving QR codes have become so rife and sly that the FBI has recently issued a
As the agency describes it, the scammer will contact their victim and somehow convince them that they need to send money, either with promises of love, further riches, or by impersonating an actual institution like a bank or utility company.
After the mark is convinced, the scammer will have them get cash (sometimes out of investment or retirement accounts), and head to an ATM that sells cryptocurrencies and supports reading QR codes. Once the victim is there, they’ll scan a QR code that the scammer sent them, which will tell the machine to send any crypto purchased to the scammer’s address.
Just like that, the victim loses their money, and the scammer has successfully exploited them.
Malicious actors seek out ordinary, unsuspecting people who don’t know much, if at all, about QR code safety. So, how does one avert QR code scams?
In this article, I will discuss with you the various ways fraudsters use QR codes to deceive users and recommend tips on how users can protect themselves from QR code scams.
First of all, let’s define what attacks exist. We will start with the very first one that comes to mind: an attack on the money in a bank account, where cryptocurrency and the QR code are only tools.
Don’t be discouraged; there are more serious attacks to come. But I want you to understand that government agencies rarely pay so much attention to such a seemingly insignificant type of scam. Maybe that is reason enough to kill this type of scam at its inception by making people aware of it.
Let’s figure out where it all started! It’s important to note that malicious actors have invested a great deal of time and resources in making their QR code-enabled scams seem legitimate and useful, as illustrated by the following examples:
Overlaid QR Codes
A prime example of a QR code scam that relies on the physical realm has malicious actors printing out QR code stickers and physically placing them over genuine ones. People generally assume that the signs or posters with QR codes in shops and public spaces are safe, and thus might be unaware that malicious actors could replace legitimate QR codes with fake ones as part of their fraudulent schemes.
This was the case in a scheme involving payments for
As a result, the payments of unsuspecting users were transferred to the malicious actors’ accounts, without the users being able to unlock the bikes.
Just recently, law enforcement in several US cities issued warnings about a similar scheme, in which malicious actors had stuck fraudulent QR codes over the legitimate ones on parking meters to trick users into entering their payment credentials on phishing websites.
QR Codes used in real-world social engineering
Another example of a QR code scam that takes advantage of the physical realm is a scheme that was carried out in a parking lot in
Malicious actors reportedly approached drivers and told them not to pay the parking fee at the designated machine, which they claimed was broken. Wearing professional-looking attire to appear credible, the fraudsters coaxed their victims into scanning a QR code they carried instead, thereby diverting the payments to their own account.
QR Codes in phishing emails
Scammers have been known to
In December 2021, a phishing campaign that used QR codes to steal the banking credentials of users in Germany was reported. In the campaign, malicious actors sent an email impersonating a bank, asking the recipient to review and agree to changes in the bank’s privacy policy by scanning the QR code in the email. The QR code, however, led to a phishing site where the victim would unwittingly enter their banking credentials for the malicious actors to collect.
QR Codes for subscribing to premium services
Malicious actors can use QR codes to subscribe unsuspecting users to premium services and steal the funds charged to these users monthly. This scheme was used in the Android trojan campaign known as
QR Code and barcode scanner apps
In mid-2021, QR code and barcode scanner apps that linked to the
After the successful download of the supposed update, the app prompts the user to allow the installation of apps from unknown sources. Since the user was previously made to believe that the update was necessary for the app to work properly, the user grants the permission. Once the update is done, the malware runs on the device and immediately asks the user to grant accessibility service privileges.
Once the user enables the accessibility service, the malicious actors have effectively full control over the device and can perform actions on the user’s behalf. The trojanized app meanwhile keeps running like a legitimate one. The stage has thus been set for the malicious actors to steal login credentials and read anything that is shown on the unsuspecting user’s screen.
QR Code creator apps
Trojanized apps can masquerade as QR code creator apps. In a scheme perpetrated by the malicious actor group
QR codes used in Doxxing
First of all, anyone can create a tracking pixel or logging link, place it on a page, and then point a QR code at that page. Any popular logger (
The created pixel also can be placed on an external site. It could be a blog (
III – QR Code Bugs & Issues
Apple iOS 11
You need to open the Camera app on your iPhone or iPad and point the device at a QR code. If the code contains any URL, it will give you a notification with the link address, asking you to tap to visit it in the Safari browser. However, be careful — you may not be visiting the URL displayed to you, security researcher Roman Mueller
According to Mueller, the URL parser of the built-in QR code reader in the iOS Camera app fails to correctly identify the hostname in the URL. This lets attackers control which host is displayed in the notification and trick users into visiting malicious websites instead.
For the demo, the researcher created a QR code (shown above) with the following URL:
https://xxx\@facebook.com:443@infosec.rm-it.de/
If you scan it with the iOS Camera app, it shows the following notification:
Open "facebook.com" in Safari
When you tap it to open the site, it will instead open:
https://infosec.rm-it.de/
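The bug above is fundamentally a disagreement between two URL parsers: the one that builds the preview and the one the browser uses to connect. The following Python is an added example (not from Mueller's write-up or the original article) that checks a decoded QR payload the way a safe scanner should: it extracts the host by the RFC 3986 rule (the host is what follows the last '@' in the authority) and compares it with what a deliberately naive "first '@'" extraction would display. The naive function is an illustration written to reproduce the displayed result, not Apple's code.

```python
from typing import Optional
from urllib.parse import urlsplit

# The page's demo payload (Roman Mueller's iOS 11 example). The Python
# literal "\\" is a single backslash in the actual URL.
MUELLER_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def effective_host(url: str) -> Optional[str]:
    """Host a standards-conforming client actually connects to.

    RFC 3986: the authority runs from '//' to the next '/', '?' or '#';
    userinfo is everything before the LAST '@' inside it, so the host is
    whatever follows that '@'. urlsplit() implements exactly this rule.
    """
    return urlsplit(url).hostname


def naive_displayed_host(url: str) -> str:
    """Deliberately naive preview logic (an assumption, not Apple's code):
    cut the authority at the FIRST '@', then at the first ':'.

    It reproduces the 'facebook.com' shown for the demo payload and makes
    the point: any host extraction that disagrees with the parser the
    browser will use is a phishing vector.
    """
    if "://" not in url:
        return ""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    if "@" in authority:
        authority = authority.split("@", 1)[1]
    return authority.split(":", 1)[0]


def is_deceptive(url: str) -> bool:
    """Flag web URLs whose naive preview would name a different host than
    the one actually contacted, or that carry any userinfo at all."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return True  # 'user@' in a web link is almost always a trick
    return naive_displayed_host(url) != (effective_host(url) or "")


def preview(url: str) -> str:
    """What a safe scanner should show: the effective host, plus a warning."""
    host = effective_host(url) or "<no host>"
    flag = "  [WARNING: deceptive URL]" if is_deceptive(url) else ""
    return f'Open "{host}" in browser{flag}'


if __name__ == "__main__":
    for u in (MUELLER_URL, "https://facebook.com/login",
              "https://facebook.com@evil.example/"):
        print(u, "->", preview(u))
```

The practical rule this encodes: never render a host yourself; ask the same URL library the browser uses, and refuse (or loudly warn) whenever a web URL contains userinfo, since legitimate links to facebook.com never need it.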
There is also a tool which is called a
Even QR code scanners like smartphones can be vulnerable to these kinds of attacks, as QR codes were found to be
Discord QR Login
In December 2020, developers at Discord – a voice and text chat app widely used by the gaming community – announced the launch of a
While this feature was aimed at simplifying the Discord login process for desktop users, news has surfaced that fraudsters have been exploiting the system to gain unauthorized access to accounts.
According to discussions on various Discord servers and on social media, scammers have been posting QR codes with the promise of free
By scanning the code, however, users inadvertently give the attacker access to their account.
“The login-by-QR method works without any username/password and 2FA, and while it makes Discord way more convenient to log into everywhere, it, unfortunately, is being exploited in the form of fake Nitro gifts (and possibly other forms),” said one Discord user.
Opinion is split over the potential severity of this exploit. For some users, having their accounts compromised may result in little more than frustration, although it’s unlikely that anyone would be happy with someone else being able to impersonate them online.
However, after releasing a
Discord did not immediately respond to our request for comment. The staff weighed in on a
“We recently reduced the validity window of the QR code from 10 minutes to 2 minutes,”
We… noticed an uptick in people trying to socially engineer users into scanning QR codes in an attempt to trick them into logging into another device that they don’t control.
Our original thought was that the verbiage on the screen would be enough to deter social engineering attacks, however, we agree that more clear verbiage and a warning could be in place.
Across our mobile app release channels, we have modified the verbiage in the confirmation screen to more clearly emphasize that you are logging into another device, and impose a delay before the ‘log me in’ button is active (hopefully making people read the red text.) You can see this new screen
In addition to being discussed on multiple Discord servers, the issue has already found its way to social media, with one user
“A good amount of misinformation being made here,” they
Over on Reddit, however, the ‘don’t fall for attacks’ argument fell short.
“I don’t get the elitism of, ‘If you’re getting phished, it’s your fault, now bugger off, discord should change nothing,”
Do we know how many other applications that use QR have this vulnerability? For example, in Telegram? Of course, the question is rhetorical.
IV – QR + Crypto = ?..
Keep your Fox Safe!
Scammers may use QR codes to dupe users into downloading
Another related scam uses QR codes to obtain unauthorized token approvals. An approval (allowance) is what lets a smart contract move tokens out of a wallet on the owner’s behalf, so a malicious approval is as good as a transfer.
There are also cryptocurrency-related QR code scams involving MetaMask, a wallet for interacting with the Ethereum blockchain. Malicious actors can use a QR code to lead a MetaMask user to a site where they are tricked into signing a transaction, and so transfer funds without ever obtaining the account owner’s private keys.
“This is incredibly embarrassing on some levels,” Nicholas tweeted. “On others, incredibly traumatizing. Yes, I opened up the QR code and signed the ledger. But I was being severely manipulated and didn’t realize what was happening until it was too late. I was scammed, phished, and robbed. Some assholes are going to say ‘that’s what you get.’ And maybe they’re right. But let’s be clear, a scam is a scam, theft is theft, and I had no intention of transferring or selling those assets. So now I am trying to find ways to get my property back.”
Take a look at a new scam method! Do not confuse it with an allowance
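Signing a token approval is the step at which the scams above succeed, so it is the step worth inspecting. The Python below is an added example (not MetaMask's code or the page's) that decodes the calldata of a pending transaction and rates it before the user signs: it recognises the two function shapes drainers rely on, approve(address,uint256) and setApprovalForAll(address,bool), by their standard 4-byte selectors and flags unlimited allowances and blanket operator approvals. The encode_* helpers exist only to build sample transactions; the contract and spender addresses used in the demo are made-up placeholders.

```python
from typing import Any, Dict, FrozenSet

# Standard 4-byte function selectors (first 4 bytes of keccak256 of the signature).
APPROVE = "095ea7b3"               # approve(address,uint256): ERC-20 amount / ERC-721 tokenId
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool): ERC-721 / ERC-1155
UINT256_MAX = 2**256 - 1           # the "unlimited" allowance many dapps request


def _word(value: int) -> str:
    """One 32-byte ABI word, big-endian, as hex."""
    return value.to_bytes(32, "big").hex()


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount). Used here only to build sample transactions."""
    return "0x" + APPROVE + _word(int(spender, 16)) + _word(amount)


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved). Sample-building helper."""
    return "0x" + SET_APPROVAL_FOR_ALL + _word(int(operator, 16)) + _word(int(approved))


def decode_calldata(calldata: str) -> Dict[str, Any]:
    """Recognise the two approval shapes a drainer needs; everything else is 'unknown'."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector, args = raw[:4].hex(), raw[4:]
    if selector == APPROVE and len(args) == 64:
        return {"fn": "approve",
                "spender": "0x" + args[12:32].hex(),      # address = low 20 bytes of word 0
                "amount": int.from_bytes(args[32:64], "big")}
    if selector == SET_APPROVAL_FOR_ALL and len(args) == 64:
        return {"fn": "setApprovalForAll",
                "operator": "0x" + args[12:32].hex(),
                "approved": args[63] == 1}                # bool = last byte of word 1
    return {"fn": "unknown", "selector": selector}


def classify(tx: Dict[str, str], trusted_spenders: FrozenSet[str] = frozenset()) -> str:
    """Rate a pending transaction {'to': token_contract, 'data': calldata} before signing it."""
    d = decode_calldata(tx["data"])
    if d["fn"] == "setApprovalForAll":
        if d["approved"]:
            return f"HIGH: operator {d['operator']} could move EVERY token you hold in {tx['to']}"
        return f"INFO: revokes operator {d['operator']} on {tx['to']}"
    if d["fn"] == "approve":
        if d["spender"].lower() in trusted_spenders:
            return f"LOW: allowance for a spender you whitelisted ({d['spender']})"
        if d["amount"] == UINT256_MAX:
            return f"HIGH: UNLIMITED allowance for {d['spender']} on {tx['to']}"
        return f"MEDIUM: allowance of {d['amount']} base units for {d['spender']} on {tx['to']}"
    return f"INFO: not an approval (selector {d.get('selector', '?')})"


if __name__ == "__main__":
    token, spender = "0x" + "cd" * 20, "0x" + "ab" * 20      # placeholder addresses
    for data in (encode_approve(spender, UINT256_MAX),
                 encode_approve(spender, 10**18),
                 encode_set_approval_for_all(spender, True)):
        print(classify({"to": token, "data": data}))
```

The point for wallet users: "approve" with amount 2^256-1 and "setApprovalForAll(..., true)" are the two signatures that turn a later, silent transferFrom into a drained wallet, and a QR code that leads to either should be treated like a request for your keys.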
When the people behind the ZenGo wallet wanted to add QR code support, they decided to do a bit of research into the security aspects first. What they found was disturbing – but not entirely unexpected. Anyone can simply generate a QR code that sends money to their address instead of the one intended. And no one can tell as pretty much all QR codes look alike.
An investigation from ZenGo:
For example,
Interestingly, they noticed that some
Others tamper with the page’s code so that if you try to copy and paste the address to double-check it, the site copies the address you originally entered to the clipboard instead of the scammer’s, so that the check appears to pass. ZenGo tracked about $20,000 worth of scammed Bitcoin using the addresses they examined and believe that is just the tip of the iceberg!
I would add that, in my opinion, the principle of device separation will help here: one clean device with
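The ZenGo findings come down to one check the payer can make on a device the scam page never touched: the payload decoded from the QR must equal the address and amount the payee gave you through another channel, and the address must be well-formed. The Python below is an added example (not ZenGo's code) that parses a BIP-21 payment request, validates a legacy Bitcoin address with the Base58Check double-SHA-256 checksum (bech32 "bc1..." addresses are out of scope here) and reports every mismatch. The two addresses in the demo are well-known public ones; the "swapped" and "corrupted" cases are constructed.

```python
import hashlib
from typing import Dict, List, Optional
from urllib.parse import parse_qs

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Public addresses used only as sample data: the genesis-block address and
# the Bitcoin wiki's example address.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
WIKI_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"


def base58check_decode(addr: str) -> bytes:
    """Return version+hash160 of a legacy (1.../3...) address, or raise ValueError."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(addr) - len(addr.lstrip("1"))    # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:                                   # 1 version + 20 hash + 4 checksum
        raise ValueError("wrong length for a legacy address")
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload


def parse_payment_request(text: str) -> Dict[str, Optional[str]]:
    """Parse BIP-21 'bitcoin:<address>?amount=..&label=..' or a bare address."""
    if text.lower().startswith("bitcoin:"):
        address, _, query = text[len("bitcoin:"):].partition("?")
        params = {k: v[0] for k, v in parse_qs(query).items()}
    else:
        address, params = text.strip(), {}
    return {"address": address, "amount": params.get("amount"), "label": params.get("label")}


def verify_payment_qr(decoded_qr: str, expected_address: str,
                      expected_amount: Optional[str] = None) -> List[str]:
    """Problems found; an empty list means the QR matches what the payee told you out-of-band."""
    problems: List[str] = []
    req = parse_payment_request(decoded_qr)
    try:
        version = base58check_decode(req["address"])[0]
        if version not in (0x00, 0x05):                  # mainnet P2PKH / P2SH
            problems.append(f"unexpected address version byte 0x{version:02x}")
    except ValueError as e:
        problems.append(f"address malformed: {e}")
    if req["address"] != expected_address:
        problems.append("address in QR differs from the address you were given")
    if expected_amount is not None and req["amount"] != expected_amount:
        problems.append(f"amount in QR ({req['amount']}) differs from the agreed {expected_amount}")
    return problems


if __name__ == "__main__":
    # Constructed scenarios: honest QR, generator site swapped the address, one corrupted character.
    for qr in (f"bitcoin:{GENESIS_ADDR}?amount=0.01",
               f"bitcoin:{WIKI_ADDR}?amount=0.01",
               GENESIS_ADDR[:-1] + "b"):
        print(qr, "->", verify_payment_qr(qr, GENESIS_ADDR, "0.01") or "OK")
```

Note that the comparison is against an address you typed from an out-of-band source, not one copied from the generator page, which is exactly the clipboard trick ZenGo describes; the amount is compared as the literal string so that "0.01" and "0.010" are not silently treated as equal.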
V – QRLJacking: A review from the OWASP community
Here’s how the QRLJacking attack works behind the scenes:
- The attacker initiates a client-side QR session and clones the login QR code into a phishing website. “Now a well-crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a Victim.”
- The attacker sends the phishing page to the victim (refer to QRLJacking real-life attack vectors).
- The victim scans the QR code with the specific targeted mobile app.
- The attacker gains control over the victim’s account.
- The service exchanges all the victim’s data with the attacker’s session.
QRLJacking Attack Flow
For more information on QRLJacking tools and extra, please visit the
Proof of Concept examples (Videos)
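The Discord incident and the OWASP QRLJacking flow above are the same protocol weakness: the QR carries a bearer token that logs in whichever session it was issued to, and the server cannot tell whether the phone that approves it belongs to the person holding that session. The Python below is an added simulation, not Discord's or OWASP's code; the class and method names, the device description string and the timings are assumptions. It replays the attack and shows the two server-side controls the page mentions, a short validity window and a confirmation prompt naming the device being logged in.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

QR_TTL_SECONDS = 120   # Discord's revised window; the original was 600


@dataclass
class LoginSession:
    token: str                  # the secret encoded in the QR code (a bearer token)
    device_info: str            # the client that requested the QR, as the server sees it
    created_at: float
    user: Optional[str] = None  # filled in once a logged-in phone approves


class QrLoginServer:
    """Toy model of scan-to-login. Names and flow are assumptions, not Discord's code."""

    def __init__(self, ttl: float = QR_TTL_SECONDS) -> None:
        self.ttl = ttl
        self.sessions: Dict[str, LoginSession] = {}

    def create_login_qr(self, device_info: str, now: float) -> str:
        """An unauthenticated desktop client asks for a QR and receives a fresh token."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = LoginSession(token, device_info, now)
        return token

    def scan(self, token: str, now: float) -> str:
        """The phone has scanned the token; returns the text it MUST show before approving."""
        s = self._live(token, now)
        return f"You are logging in ANOTHER device: {s.device_info}. Approve?"

    def approve(self, token: str, user: str, now: float) -> None:
        """Phone already logged in as `user` approves; the session holding `token` becomes `user`."""
        s = self._live(token, now)
        if s.user is not None:
            raise PermissionError("token already consumed")
        s.user = user

    def whoami(self, token: str) -> Optional[str]:
        s = self.sessions.get(token)
        return s.user if s else None

    def _live(self, token: str, now: float) -> LoginSession:
        s = self.sessions.get(token)
        if s is None:
            raise KeyError("unknown token")
        if now - s.created_at > self.ttl:
            del self.sessions[token]          # expired codes are discarded
            raise TimeoutError("QR code expired")
        return s


def qrljacking(ttl: float = QR_TTL_SECONDS, victim_delay: float = 30.0) -> Tuple[Optional[str], str]:
    """Replay the attack: attacker requests the QR, relays it, victim approves.

    Returns (who the ATTACKER's session is now logged in as, the prompt shown on
    the victim's phone). A result of 'victim' means the hijack succeeded.
    """
    server = QrLoginServer(ttl)
    t0 = 1_700_000_000.0
    # 1. the attacker's own browser requests the login QR
    token = server.create_login_qr("Windows 10 / Chrome, Berlin", now=t0)
    # 2. the attacker re-renders the same token on a 'free Nitro' page; the victim scans it
    try:
        prompt = server.scan(token, now=t0 + victim_delay)
        # 3. the victim taps approve in the real app without reading the prompt
        server.approve(token, "victim", now=t0 + victim_delay + 5)
    except TimeoutError as e:
        return None, str(e)
    # 4. the attacker's desktop session is now the victim's account
    return server.whoami(token), prompt


if __name__ == "__main__":
    print(qrljacking())                                   # hijack succeeds within the window
    print(qrljacking(ttl=120, victim_delay=130))          # stale code: the relay fails
```

Note what the short TTL does and does not do: it shrinks the window in which a relayed code is still valid, but a victim who scans and approves quickly is still logged into the attacker's browser. The only thing standing between the victim and the hijack at that point is the prompt returned by scan(), which is why Discord both reworded it and added a delay before the approve button becomes active.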
VI – Tips to ensure QR code safety
While the schemes discussed in this article might seem worrisome, users can keep QR code scams at bay by following these best practices suggested by
- Make sure that the linked website of a government agency or other official service provider is legitimate before you provide any personal information. Check the URL itself for misspellings.
- Think twice before you scan a QR code found in emails that are sent to you even if they seem to come from organizations or people you know. Enable multifactor authentication with your banking, enterprise, and other accounts to prevent theft of login credentials.
- When transacting on a merchant or service provider’s premises, check the QR code to make sure it’s not pasted over an original, legitimate one.
- Use QR codes to pay only when you’re transacting directly with trusted merchants, service providers, or persons you know.
- Be careful about granting permissions when an app asks for them, as some of the requested permissions could be dangerous.
If you scan a QR code that seems suspicious, pay attention to what the code is attempting to launch, and do not join a Wi-Fi network or follow a shortened link that it offers. Some researchers even note the benefit of
While most QR codes should be safe to scan on a smartphone, scanning attack payloads of the kind described above on a dedicated device for tickets or boarding passes may cause bizarre behaviour on that device. Do not scan such payloads on a scanner you need working immediately afterwards for an event or work, or on any scanner you do not have permission to test, as some payloads may cause the scanner to stop working.
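A scanner app that shows the raw payload only helps if you know what the payload will make the phone do. The Python below is an added example (not from the sources cited above) that classifies a decoded QR payload by the action it triggers (joining a Wi-Fi network, opening a URL, starting a call or message, pre-filling a crypto payment) and attaches the warnings the tips above call for, such as shortened links and punycode hosts. The shortener list is an assumption, and the minimal WIFI: parser ignores escaped semicolons.

```python
from typing import Any, Dict
from urllib.parse import urlsplit

# Public link shorteners whose destination cannot be judged from the QR itself (assumed list).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}


def parse_wifi(payload: str) -> Dict[str, str]:
    """'WIFI:T:WPA;S:<ssid>;P:<password>;H:<hidden>;;' -> field map (escaped ';' not handled)."""
    fields: Dict[str, str] = {}
    for part in payload[len("WIFI:"):].split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key] = value
    return fields


def triage(payload: str) -> Dict[str, Any]:
    """Say what the scanner is about to DO with the payload, and how risky that is."""
    p = payload.strip()
    low = p.lower()
    if low.startswith("wifi:"):
        f = parse_wifi(p)
        return {"kind": "wifi", "ssid": f.get("S"), "auth": f.get("T", "nopass"),
                "action": "joins a Wi-Fi network", "risk": "high",
                "notes": ["the network owner sees your traffic metadata; never join from a QR"]}
    if low.startswith(("http://", "https://")):
        parts = urlsplit(p)
        host = parts.hostname or ""
        notes, risk = [], "low"
        if parts.scheme == "http":
            notes.append("cleartext http")
            risk = "medium"
        if host in SHORTENERS:
            notes.append("shortened link hides the real destination")
            risk = "medium"
        if host.startswith("xn--") or ".xn--" in host:
            notes.append("punycode host, possible homograph of a familiar domain")
            risk = "high"
        return {"kind": "url", "host": host, "action": "opens a web page",
                "risk": risk, "notes": notes}
    if low.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        scheme, _, target = p.partition(":")
        return {"kind": scheme.lower(), "target": target,
                "action": "starts a call or message to a target you did not choose",
                "risk": "medium", "notes": ["premium-rate numbers and SMS subscriptions live here"]}
    if low.startswith(("bitcoin:", "ethereum:")):
        scheme, _, rest = p.partition(":")
        return {"kind": "payment", "network": scheme.lower(), "address": rest.split("?", 1)[0],
                "action": "pre-fills a crypto payment", "risk": "high",
                "notes": ["verify the address against one obtained out-of-band"]}
    return {"kind": "text", "action": "displays text only", "risk": "low", "notes": []}


if __name__ == "__main__":
    # Constructed sample payloads, one per branch.
    for sample in ("WIFI:T:WPA;S:FreeCafe;P:hunter2;;", "https://bit.ly/3abc",
                   "http://xn--80ak6aa92e.com/", "tel:+15551234567",
                   "bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa?amount=0.01", "hello"):
        print(sample, "->", triage(sample))
```

The useful property is that the verdict is computed before anything is fetched or joined: a scanner that does this offline can refuse to auto-open the result for anything rated medium or high and show the decoded payload instead.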
I am not asking you to comply with all of this, but you must remember the main rule in this particular case:
If we finally want to give people the opportunity to be their bank, we must realize that in this case, people must be able to replace all those services and actions for which traditional banks get money!
Follow the
Use
That said, it doesn’t matter what industry you’re in. If you have any sensitive, proprietary information at all, then you could very well be a target. This is a good thing to always keep in mind. Also, who knows how many more vulnerabilities lurk in QR codes? Just google “QR code 0day”, “QR code 1-day” or “QR code CVE” and you will see many interesting things – for example,
Learn the latest
Forewarned is forearmed! Stay safe!
References:
Check out my articles:
Support me:
Support is very important to me, with it I can spend less time at work and do what I love — educating Defi & Crypto users! ❤️
If you want to