{"id":95111,"date":"2020-10-22T11:00:44","date_gmt":"2020-10-22T08:00:44","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/why-threats-from-qr-codes-are-flourishing-cloudsavvy-it\/"},"modified":"2020-10-22T11:00:44","modified_gmt":"2020-10-22T08:00:44","slug":"why-threats-from-qr-codes-are-flourishing-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/why-threats-from-qr-codes-are-flourishing-cloudsavvy-it\/","title":{"rendered":"#Why Threats from QR Codes are Flourishing \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure id=\"attachment_7497\" style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"imgchk9 wp-image-7497 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/8d4da33f4a274278d2b928d181e61834\/p\/uploads\/2020\/10\/69da02cd.png\" alt=\"Using a phone to access QR codes.\" width=\"700\" height=\"300\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/womens-hand-uses-mobile-phone-application-1648721011\" data-credittext=\"Shutterstock\/shisu_ka\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" 
href=\"https:\/\/www.shutterstock.com\/image-photo\/womens-hand-uses-mobile-phone-application-1648721011\">Shutterstock\/shisu_ka<\/a><\/span><\/figcaption><\/figure>\n<p id=\"the-qr-code\">QR codes make it easy to reach web-based resources without struggling with the tiny keyboard of your smartphone. But do you really know what you\u2019re going to get when you scan one?<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_QR_Code\"><\/span>The QR Code<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/QR_code\">Quick response (QR) codes<\/a>\u00a0are suddenly everywhere again. Invented in 1994 by an\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.denso-wave.com\/en\/adcd\/info\/detail__251.html\">award-winning team<\/a>\u00a0at Denso Wave, a subsidiary of Toyota, the QR code has found its way into almost every industry. They\u2019re like a\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Barcode\">barcode<\/a>\u00a0on steroids. They might look like drunken chess boards, but the higgledy-piggledy black and white squares hold much more information than the stripes of a barcode. And QR codes can trigger one of a selection of\u00a0<em>actions<\/em> inside the scanning device\u2014usually a smartphone.<\/p>\n<p>QR codes are found on product packaging, bus stops, and billboards. They\u2019re on printed promotional material like tickets, flyers, and bar mats. You can see them on company vehicles, in-store promotions, and pop-up stands at exhibitions. Want to find out more about the product, event, or whatever is being promoted? 
Scan the code with your smartphone.<\/p>\n<p>You can find QR codes hidden away inside servers and other hardware. If the visiting technician needs to refer to the manual but doesn\u2019t have a copy to hand, they can scan the QR code and access the manual online.<\/p>\n<p>If you use the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fwww.linkedin.com%2Fhome&amp;key=204a528a336ede4177fff0d84a044482\">LinkedIn<\/a> mobile app, tap the cluster of squares in the search bar, then tap \u201cMy Code.\u201d You\u2019ll see your own personal QR code. It takes people straight to your LinkedIn profile. Increasingly, people are adding these to their CVs.\u00a0You can even see QR codes in\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/digitallegacys.com\/\">cemeteries<\/a>.<\/p>\n<p>The COVID-19 pandemic has helped fuel the QR code renaissance. The glory of QR codes is you don\u2019t need to touch anything apart from your own smartphone to use them. It is a quick and easy contactless system\u2014and everybody is already carrying a suitable scanner. And that makes it the perfect mechanism to access\u2014or collect\u2014information in a pandemic.<\/p>\n<p>That\u2019s why the advent of COVID-19 has seen the QR code take a central position in many businesses that routinely deal with the public. Restaurants, for example, are using QR codes to display the menu on diners\u2019 smartphones. 
No need to handle a printed menu that has been doing the rounds in the restaurant since who knows when.<\/p>\n<p>In the United Kingdom, the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.nhs.uk\/\">National Health Service\u2019s<\/a>\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/covid19.nhs.uk\/index.html\">Track and Trace<\/a>\u00a0application is based on QR codes. Venues display a custom poster with a location-specific QR code on it. Visitors scan the code, and the app records where you were and when. If someone reports symptoms of COVID-19, the NHS servers can crunch the data and work out who else has come into contact with that person.<\/p>\n<h2 id=\"the-problem-with-qr-codes\"><span class=\"ez-toc-section\" id=\"The_Problem_with_QR_Codes\"><\/span>The Problem with QR Codes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The most common use of a consumer-facing QR code is to launch a webpage on your smartphone. But they can do a lot more than that. QR codes can invoke different actions on a smartphone according to the information contained within the QR code.<\/p>\n<p>Before you click on a weblink you probably visually check it for inconsistencies. It makes sense to verify that the webpage it is going to take you to has a sensible and plausible name. Is it really going to take you to the site it says it will, or to a copy-cat site that will steal your login credentials? With a QR code, you can\u2019t tell. To the naked eye, they are completely impenetrable\u2014their contents cannot be read by humans. Scanning a QR code is a leap of faith.<\/p>\n<p>Our smartphones are an avatar of our real-world identity. They hold all sorts of personal data that is invaluable to the threat actors as well as access to apps like online banking, PayPal, and cryptocurrency wallets. 
A compromised smartphone is every bit as bad as a compromised computer.<\/p>\n<p>Smartphones blur the lines between people\u2019s private digital lives and their corporate or workplace digital lives. Some people who are issued with a company smartphone also have a private smartphone. For the majority, it\u2019s easier and cheaper to have a single smartphone\u2014their company smartphone\u2014and use it for business and personal use.<\/p>\n<p>People tend to be less security conscious in their personal web use than they are in corporate use. But if their smartphone becomes compromised, it jeopardizes the corporate network because connection details to VPNs and other accounts can be harvested by the malware. Business emails can also be siphoned from the device.<\/p>\n<p>Of course, workers without a business smartphone will have a private smartphone, and are likely to connect that to the corporate Wi-Fi. Private smartphones are less likely to be protected by a\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Virtual_private_network\">VPN<\/a>\u00a0or\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Endpoint_security\">endpoint protection suites<\/a>.<\/p>\n<p>Whether it is a company smartphone or a personal device, a compromised smartphone is a risk if it connects to the corporate network.<\/p>\n<p>And smartphones can be compromised at the place of business. It\u2019s becoming more common to include a QR code on a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Curriculum_vitae\">CV<\/a> or <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/R%C3%A9sum%C3%A9\">r\u00e9sum\u00e9<\/a>. It might take you to the applicant\u2019s personal blog, or to their LinkedIn profile, or it might be malicious. 
Sending in a fake CV with a QR code on it is a low-key way to compromise a smartphone, with a paper-based attack.<\/p>\n<figure id=\"attachment_7485\" style=\"width: 331px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7485 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/d7c18b15c2b76d0f137527e8173a965b\/p\/uploads\/2020\/10\/714ab862.png\" alt=\"LinkedIn QR code for Dave McKay\" width=\"331\" height=\"432\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\">A LinkedIn personal QR code.<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"What_Can_a_QR_Code_Do\"><\/span>What Can a QR Code Do?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>QR codes can trigger a number of different actions within a smartphone.<\/p>\n<ul>\n<li><strong>Launching a website.<\/strong> If it is malicious, it might be a copy-cat credential harvesting site, or it might infect your smartphone with a\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Trojan_horse_(computing)\">Trojan horse<\/a>. The malware will then connect to the threat actors\u2019 servers. 
Data may be transferred from your smartphone to the servers, or other malware can be downloaded to your smartphone.<\/li>\n<li><strong>Add a malicious entry to your contacts.<\/strong> A specially crafted contact entry containing malicious information can trigger exploits on your smartphone.<\/li>\n<li><strong>Add and connect you to a Wi-Fi network,<\/strong> which might be a malicious or a compromised network.<\/li>\n<li><strong><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/QR_code_payment\">Make a payment<\/a>.<\/strong> Often on the pretext that it is a means to donate to a charity, malicious QR codes can take payments and allow the threat actors to capture your personal and account details.<\/li>\n<li><strong>Make a voice call.<\/strong> If that call is to the threat actors, they now have your number and caller ID information. They may try to socially engineer other information out of you.<\/li>\n<li><strong>Create an\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/SMS\">SMS text message<\/a>.<\/strong> The QR code can create a text message addressed to the threat actors (or anyone they choose). 
This leaves you open to text-based\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Phishing\">phishing attacks<\/a>, known as\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Phishing#SMS_phishing\">smishing attacks<\/a>.<\/li>\n<li><strong>Compose an email with pre-filled recipients and subjects,<\/strong> leaving you open to email phishing attacks.<\/li>\n<li><strong>Sign up to follow social media accounts.<\/strong> Posts to the social media account will contain links that victims will tap, downloading malware to their handset.<\/li>\n<\/ul>\n<p>QR codes can also create entries in your calendar, or obtain your location from your smartphone\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Global_Positioning_System\">GPS,<\/a> but these are less likely to result in a compromise.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Think_First_Scan_later\"><\/span>Think First, Scan later<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With QR codes, context is paramount. Where is the code? Who is the owner or provider of the code? If it is on a homemade flyer stapled to a telegraph pole, you can\u2019t vouch for its veracity. You have no provenance for that code. If the QR is on a professionally printed poster in the reception area of a doctor\u2019s surgery or a hospital, you can have greater confidence that the code is genuine.<\/p>\n<p>But even so, check that another QR code hasn\u2019t been printed on a paper label and stuck over the genuine code. You can\u2019t tell by looking at it if the QR code is benign or malicious, but you can look for signs of tampering or modification. 
If it looks like it has been meddled with, don\u2019t scan it.<\/p>\n<p>Go through the settings in your QR code scanning app, and set it to display web addresses before launching the website or, in fact, conducting any other action. It\u2019s a pity you need to introduce a human review in the use of QR codes, which are designed for a \u201cscan and done\u201d pain-free workflow, but combatting cybercrime requires constant diligence.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/7457\/why-threats-from-qr-codes-are-flourishing\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Why Threats from QR Codes are Flourishing \u2013 CloudSavvy IT&#8221; Shutterstock\/shisu_ka QR codes make it easy to reach web-based resources without struggling with the tiny keyboard of your smartphone. But do you really know what you\u2019re going to get when you scan one? The QR Code Quick response (QR) codes\u00a0are suddenly everywhere again. 
Invented in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":95112,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/10\/69da02cd.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-95111","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/95111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=95111"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/95111\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/95112"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=95111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=95111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=95111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}