QR codes: are they safe to scan?

The Coinbase Super Bowl ad that featured a bouncing QR code set to music was so popular it caused the cryptocurrency app to temporarily crash. What does this tell us about how these codes are used and how safe they are to scan? Sarra Alqahtani, computer science teacher at Wake Forest, answers questions about QR codes, cybercrime and protecting your personal information.

As a computer science professor studying cybersecurity, what was your reaction to the Coinbase ad?

It was a fun ad to watch, but I immediately started thinking about standardizing this technology without an equivalent awareness of its security issues. As with any new technology, security usually comes after the fact, not only for developers, but also for users. I’m hoping for an effort to educate people about QR code security issues and how to protect their privacy.

How likely is private information to be compromised by scanning a QR code?

The QR code can be replaced with a malicious code (the easiest way is to physically stick one code on top of another), which could lead the user to a fake website similar to the original website . The hacker can then implant a small piece of software (malware) in the user’s phone to track and collect their data.

What do hackers do with the information they steal?

They can steal usernames and passwords that we use in different apps and websites and sell them on the dark web. This data can be used to guess user/employee credentials in other attacks – like what happened in the Colonial Pipeline ransomware attack.

Is there a way to tell if a QR code is safe?

We cannot recognize any difference between legitimate and malicious code with our eyes, but when we scan the code, we must pay attention to the website link before clicking it. This is why it is recommended to include the website link with the code when sharing publicly.

What should we look for when checking a URL before clicking?

If there is a security risk, the URL will look like the original URL, but with slight modifications. For example, instead of www.yahoo.com, the hacker can use yaho0.com which looks a lot like him. This kind of trick falls under the realm of phishing attacks which has a long history in cybersecurity.

What’s your best tip for protecting personal information when using QR codes?

I recommend not scanning QR codes as much as possible and using paper manuals and menus. I also advise to use the built-in cameras in smartphones instead of using third-party apps, because the built-in cameras show the website link and ask the user to click on it, which is usually not the case with third-party apps.

If you think you clicked on a fake website and installed malware, what should you do?

It depends on the phone you are using, but in general you need to clear your browser cache, back up your files, change your credentials. If your phone does not have built-in protection, you will need to use malware detection software to detect and remove any malware.

Do you have a book or resource that you could recommend to those who want to learn more about QR codes?

Read the FBI’s public service announcement, “Cybercriminals forge QR codes to steal victims’ funds.” This article on QR Code Security: A Survey of Attacks and Challenges to Usable Security provides more detailed additional information.