Friday, September 13, 2013

QR Codes and 2 Common Issues of Security Risks


Generally, QR codes are encoded messages that contain information such as a URL, a phone number, text, or even a Wi-Fi access password. This information can be used to market a business or to provide further information about a company’s products and services. A tool such as a QR code scanner, or a smartphone QR code scanner application, can easily decode it. However, scammers might use QR codes to redirect users, via malicious links, to websites that may contain viruses or malware. Incautious users may then become cyber-attack victims when they scan untrusted QR codes.

In this post, I will discuss 2 common security risks of using QR codes and solutions to avoid them.
1. A shortened URL in a QR code is really dangerous:
SHORTENED URLS COULD BE MALICIOUS LINKS. Currently, most URLs in QR codes decode to a shortened URL because it is easier to store a short, simple URL than a long, complex one. For instance, tinyurl.com, bit.ly and goo.gl are URL shortening services that convert any long, complex URL into a shortened version.
For example:

Quang Pham blog's QR code

This is my full blog address: http://quangpham-cs100w.blogspot.com,
and its shortened URL is http://goo.gl/1JtEKN

Scammers' site QR code

A link to a website that may contain viruses or malware: http://scammers.com,
and its shortened URL is http://goo.gl/qEKd6Y

Can you tell whether the two shortened URLs above lead to trusted websites? When we click those shortened URLs to access the webpages, we cannot know whether the sites are free of viruses or malware. Are there any solutions to this problem?

YES! WE SHOULD PREVIEW SHORTENED URLS BEFORE USING THEM. Several website tools help us get the full URL address from a shortened URL. In addition, some URL shortening services, such as goo.gl, give us an option to preview the shortened URL first by adding a “+” at the end of the URL.
When I type in “http://goo.gl/qEKd6Y+”, the preview page shows the full address “http://scammers.com”, which lets us know whether it is a trusted destination.
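The same preview can be done for any shortener by reading the redirect headers without opening the page. The following is an added example, not code from the original post: the function names, the hop limit and the allowlist of trusted hosts are assumptions, and the redirect table is constructed from the two links shown above so that it runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5                             # assumed limit on redirects to follow
REDIRECTS = {301, 302, 303, 307, 308}

def head_location(url):
    """One HEAD request: returns (status, Location). No body, no auto-follow."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=5)
    try:
        conn.request("HEAD", (parts.path or "/") +
                     ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_location):
    """Return the redirect chain that starts at `url` (at most MAX_HOPS hops)."""
    chain = [url]
    for _ in range(MAX_HOPS + 1):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https") or nxt in chain:
            raise ValueError("unsafe or looping redirect: " + nxt)
        chain.append(nxt)
    raise ValueError("too many redirects")

def preview(url, trusted_hosts, fetch=head_location):
    """Show where a QR-decoded link really ends up before it is opened."""
    chain = expand(url, fetch)
    host = (urlsplit(chain[-1]).hostname or "").lower()
    return {"final_url": chain[-1], "hops": len(chain) - 1,
            "trusted": host in trusted_hosts}

# Constructed redirect table standing in for the network; it mirrors the
# two shortened links shown in the post.
SAMPLE = {"http://goo.gl/1JtEKN": (301, "http://quangpham-cs100w.blogspot.com"),
          "http://goo.gl/qEKd6Y": (301, "http://scammers.com")}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))

if __name__ == "__main__":
    trusted = {"quangpham-cs100w.blogspot.com"}   # assumed allowlist
    for short in SAMPLE:
        print(short, "->", preview(short, trusted, sample_fetch))
```

With the default `head_location`, every hop in the chain, including the final host, receives one HEAD request, so the destination is contacted but its page content is never downloaded or rendered.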


2. Scanning random, possibly malicious QR codes is an easy way to get attacked by scammers:
STAY AWAY FROM MALICIOUS QR CODES! Scanning QR codes on stickers placed randomly on street walls is the most dangerous. It is a very common way for scammers to get people to scan a code purely out of curiosity. Reports say, “46% just said they were curious what this odd little jumbled cube could do.” So, we should not scan any QR codes that are not from trusted sources.
Malicious QR Codes everywhere on the street.
A malicious QR code on the street.

LOOK CLOSELY AT A QR CODE BEFORE DOING ANYTHING ELSE! Another way to avoid getting hacked is to check whether a QR code is legitimate or is a sticker adhered over another one. Most trusted companies market their products and services by putting up posters in public areas. Usually, the QR codes are printed directly on these posters. However, scammers may produce malicious QR codes as stickers and adhere them over legitimate ones.

A QR code sticker can be adhered over an original one

There is no doubt that QR codes are on the upswing. In the near future, we may start to see more intuitive ways of deceiving people via QR codes. However, the two issues above are the most common ways to attack users who incautiously scan QR codes. So, everyone should be careful with those little black-and-white squares.

10 comments:

  1. Hi Quang,
    Thank you for commenting on my blog. Your input is appreciated!
    I enjoyed reading your blog regarding QR codes this week. It was particularly interesting to me that you focused on the downsides of scanning them. You brought up a good point in respect to our curiosity for those intriguing looking little squares. I would not have thought that scammers actually adhere their malicious codes over the top of seemingly innocent ones. Also, your tip to add a + to the shortened URL to preview the long version is great! I will definitely be keeping your tips in mind. The only improvement suggestion that I have to offer is to correct a few tiny grammatical errors. I look forward to reading more from you!

    Replies
    1. Thanks for visiting my blog, Samantha. Since QR codes are now vastly used in every aspect of our life, my topic was supposed to focus on the downside of QR codes. There is no doubt that few people know what hidden contents a QR code contains under its decoded black-and-white square. Currently, scammers are using QR codes to approach their victims because this kind of technique seems to be new to everyone. They are all just like the very first computer viruses from the late 80s and early 90s. So, “everyone should be careful before scanning any QR code” is the simple message of my blog topic this week.

      By the way, I have fixed some little grammatical errors as you mentioned. Proofreading is a must for every piece of writing. I very much appreciate your comment.

  2. You have put the security issues related to QR codes very well. You have provided a very good hack to verify whether the short URL redirects to the correct link or not. The best way to deal with such security issues would be to select an app that first lists the decoded information from the QR code and then redirects to the site, e.g. Norton Snap; this app first shows the content before redirecting.

    Replies
    1. Hi Vimal, that is a very good point. All smartphone apps right now bring us directly to the website link that is hidden under the QR code, regardless of the user. In some cases, by loading a script (e.g. JavaScript) from the directed webpages, we automatically get attacked without knowing what has really happened. Viewing the contents of QR codes should be considered by every user, since this is a new approach that scammers are widely using now. Nothing is really safe if it is decoded like QR codes.

  3. VERY cool QR code with the Spartan logo on it. I was very impressed by the length of your post and the links at the bottom. You did a really good job explaining malicious QR codes and how to see where the link will take you. The app I use is Scan, and you have to enable “ask before opening” because it is disabled by default. You did a great job, I look forward to seeing more.

    Replies
    1. I am very glad that most mobile apps currently have the option "ask before opening". It will be much safer for users because the rate of being attacked by scanning malicious QR codes is growing. However, people should avoid scanning malicious QR codes for their safety. As QR codes are more popular today, all we should do is to explain to anyone around us about how QR code can be used to attack them.

      Again, I really appreciate your review.

  4. Wow Quang. You make some excellent points. I had actually never even considered before that you can put a Wi-fi password into a QR code. That totally makes sense for a restaurant or other store where you don't just want anyone to have access. I like how you also touched on the idea that since most QR codes use shortened URLs, there remains a possibility that they can lead to some sort of malicious website or script. Safety is definitely still a concern when it comes to QR codes.

    Ian made a good point as well. Some QR readers actually will prompt the user to confirm whether they want a URL opened. So perhaps that allows people to confirm whether they feel the data is trustworthy.

    Nice post.

    Replies
    1. Hi Joshua,

      First, I would like to thank you for visiting my blog.
      One of the most dangerous ways to attack people via QR codes is using shortened URLs. Since we are not able to see the real URLs, we may get into the hackers' traps easily. I found out that most mobile apps currently have the option "ask before opening". It will be useful in most cases because QR codes are now very popular. As smartphones are growing today, the chance of being attacked from scanning QR codes will grow too. So be careful, everyone!

      Again, I really appreciate your review. Please come back again for more upcoming posts.

  5. Hi Quang, your post is organized and interesting to read. As a student at SJSU, I had never heard about QR codes before. You clearly explained the advantages and disadvantages of QR codes. It is important that every marketer should have extensive knowledge about QR codes for superior execution of the campaign in order to get an incomparable result. Now we can send online SMS text messages to our customers and members with just a click. It is completely free to use and we can generate and track QR codes easily. I believe that the QR code is a useful tool.
