Wednesday, July 4, 2012


QR CODE ATTACKS AND SECURITY SOLUTIONS

In September 2011, Kaspersky Lab detected a first-of-its-kind malicious QR code. The attack method was simple: when a user scans the code, they are directed to a website, and a malicious file is then downloaded to the user's device without their knowledge. To date, this is the only known method of attack using malicious QR codes. Kaspersky detected several malicious websites containing QR codes for mobile apps (e.g. Jimm and Opera Mini) which included a Trojan capable of sending text messages to premium-rate short numbers.

SECURITY SOLUTIONS

  • QR codes are tricky because you cannot tell a bad code from a good one simply by looking at it. Because this weakness is practically part of the design, consider installing a reader app on your phone that previews the content of each code before it opens a web page (e.g. the I-nigma reader). This way you can refuse to proceed if the QR code has been corrupted.
  • If you scan a code and are directed to a login form, remember never to fill it in, for it may be a trap used by criminals to gain access to personal information. Legitimate QR codes never ask for personal info.
  • Include signage telling the user what the code does. Otherwise the user has no way of knowing if the code should point to a URL, phone number, or SMS.
  • Print the URL near the code. This way, if the code is hijacked and pointed to http://evilsite.xxx/, the user can see they're not visiting the correct site.
  • Include https in the URL. Get users used to checking for https before they interact with you.
  • If possible, use a short domain. Not only will it reduce the size of the QR code, it will give your users confidence if they can see the full domain in their phone's URL bar.
  • Don't ask a user to get their credit card out on a busy street. Use a mobile payment solution which charges to the user's phone bill or deducts it from their credit.
  • Every time you put out a QR code in a public area, you should know where it is. If a code is on a billboard, on a storefront, or anywhere else it can be accessed by the public, it could be at risk. You'll know your code is working correctly when you see "normal" traffic through it. If the traffic suddenly stops, check to make sure that the code is still there and hasn't been tampered with.
  • Distinctive, branded QR Codes with special colors or other design features are far more likely to get attention, so you should be using them anyway. But what’s more, it’ll help people to know that they’re dealing with a legitimate link to your brand and not a counterfeit code. It’ll be much more difficult for a hacker to simulate a highly designed and colorful code than a plain one.
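The preview, signage, https and printed-domain checks from the list above, implemented as an added example for a reader app's "preview before opening" step (example code, not from the original post or any real reader; the expected domain and the sample payloads are constructed):

```python
from urllib.parse import urlsplit

# Constructed example: the brand's domain as printed next to the code.
EXPECTED_HOSTS = {"example.com", "www.example.com"}


def classify_payload(payload: str) -> str:
    """Return the action a decoded QR payload would trigger: url, tel, sms or text."""
    lower = payload.strip().lower()
    if lower.startswith(("http://", "https://")):
        return "url"
    if lower.startswith("tel:"):
        return "tel"
    if lower.startswith(("sms:", "smsto:")):
        return "sms"
    return "text"


def preview_check(payload: str, expected_action: str = "url") -> tuple[bool, list[str]]:
    """Compare the payload with what the signage promised; return (ok, reasons).

    expected_action is what the sign next to the code says it does (url/tel/sms).
    For URLs, also require https and a host matching the printed domain.
    """
    reasons = []
    action = classify_payload(payload)
    if action != expected_action:
        reasons.append(f"signage says {expected_action!r} but code performs {action!r}")
    if action == "url":
        parts = urlsplit(payload.strip())
        if parts.scheme != "https":
            reasons.append("link is not https")
        # urlsplit().hostname ignores userinfo, so https://example.com@evilsite.xxx/
        # is correctly reported as evilsite.xxx rather than the printed domain.
        host = (parts.hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            reasons.append(f"host {host!r} is not the printed domain")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample payloads a scanner might decode from a sticker.
    for sample in ("https://example.com/promo", "http://evilsite.xxx/",
                   "https://example.com@evilsite.xxx/", "SMSTO:1234:hi"):
        ok, why = preview_check(sample)
        print("OPEN " if ok else "BLOCK", sample, "; ".join(why))
```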
