Growth of QR codes raises need for security awareness
Whenever a technology moves into the payments or financial data ecosystem, it alerts fraudsters to probe it more intensely — and ultimately, figure out a way to use it as an attack vector.
With QR codes' increasing popularity and use in a growing contactless payments market, the potential fraud dangers have come into focus.
"QR codes have had known vulnerabilities for years, but it hasn’t received a ton of attention in North America because the use of QR at the point of sale is still relatively nascent," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "The most common attack vector is if the QR is just a static sticker that the customer has to scan — this is vulnerable to crime rings superimposing their own sticker that leads the customer to a site that either downloads malware to the device or phishes sensitive data."
QR code use has exploded in China through the mobile payment methods of Alipay and WeChat Pay. The technology is also the foundation of the interoperability that Brazil is seeking in its Brazil Instant Payment System, or PIX. QR codes make it far easier for digital wallets to integrate with the faster payment rails.
"People are using QR codes and not being aware of how powerful they are," said Phil Dunkelberger, CEO of Nok Nok Labs, a security vendor at the foundation of the Faster Identity Online (FIDO) Alliance that has sought to eliminate static passwords and other security weaknesses in online, mobile and physical settings.
"QR codes can launch chat sessions, they can update your contact list, and a lot of other things related to onboarding," Dunkelberger said. "Used in the wrong way, they can expose users to some malicious intent or bad code or other things."
The recent surge in contactless has made security vendors shift attention to QR code vulnerabilities, especially when users are encouraged to provide payment card information as part of the process.
"There's a great notice within the industry about QR codes in that they go beyond just a browser hijack or someone trying to rip you off when ordering something in a contactless manner," Dunkelberger added. "It creates a new attack surface for hackers to look at, and payments vendors need to be aware of that when putting QR code systems out there."
Because the use of QR codes to infiltrate networks or systems holding payments data is an increasing threat, the scenario has to be considered similar to email phishing, Dunkelberger notes.
San Jose, Calif.-based Nok Nok Labs was one of the original founders of the FIDO Alliance consortium in 2013 and ultimately helped establish the FIDO protocols that are becoming increasingly common for mobile device and browser security.
In addition to pushing biometric authentication as a way to replace static passwords, FIDO Alliance two years ago worked with the World Wide Web Consortium, or W3C, to deliver Web Authentication, a new standard that allows approved FIDO methods to operate through browsers. In that setting, use of biometric authentication through a user device would allow secure entrance onto websites for shopping or making payments.
Now it's a matter of determining how all of the FIDO security protocols, machine learning and other security layers can best be used to assure QR code use is safe at the back end of the process — when user information is being obtained for enrollments or payments.
"It really goes back to what the attack vector people are coming up with," Dunkelberger said. "QR is 'quick response,' so much like a phishing attack, the fraudsters don't care about you as a user. They want an entry level into a system in order to plant malware into a bigger system with more valuable data and information."
Ultimately, the security message is that QR codes need to be looked at in a more security-oriented manner than during its initial introduction a decade ago. Their ease of use translates to potential ease of fraud.
Aite's Conroy saw that premise in action firsthand at a security summit years ago.
"There was a QR code that people had to scan in order to get enrolled for a chance to win some sort of prize," Conroy said. "Even with those in attendance at the event having a higher security IQ, a bunch of people fell for it — and were notified later that if the vendor had been a bad actor, they would all now have malware on their device. It was a clever marketing ploy."