During the first half of the Super Bowl last month, cryptocurrency exchange company Coinbase bought a minute of ad space to broadcast an ad that was just a QR code on the screen, meandering diagonally around the screen like the famous Windows screensaver. Millions of people took out their smartphones and scanned the code and now cybersecurity professionals are publicly decrying the tactic.
The QR code isn’t new. It has been used by companies and other platforms for over a decade. It is effectively a barcode that can be scanned by a mobile application to bring users to content linked to the code. It looks secure enough, but in earnest, there is very little information that separates one QR code from another, and since they are relatively easy to generate they are used all over to engage users with product promotions, website links, etc. Your QR code reader will read a code in 8-bit blocks and take you to the information linked to the QR code.
While QR codes offer intriguing ways to store and access information, the risk they have is palpable. They can easily be swapped out for counterfeit codes, they can be hijacked by hackers, and can also be used by hackers to send malicious code to user devices. This means that while they may seem secure on the surface, they are actually not a good platform for end-user security. In fact, when they were developed, the creator did not envision all the possible security issues, stating publicly that they “...need security revamp.”
Since they are an intriguing way to get people to interact with a company's marketing material, they have been used liberally for quite a while. For the business that wants to utilize this technology it is prudent not to use them for user logins or financial transactions as they can be exploited to intercept information; meaning they can be used to steal credentials and provide threat actors means to access accounts and networks they have no business having access to.
One way to marginalize the risk to your organization from end-user QR code usage is to add it as a line item on your cybersecurity training platform. Your company probably already trains users about phishing (and if you don’t, you should start immediately), so adding in a bit about not using QR codes for work-specific tasks can be included without much fuss. Users have to know that sensitive, financial, or proprietary information should not be shared using QR code technology. Some talking points you should consider include:
The QR code can be beneficial in some circumstances but keeping them away from your business’ critical information is imperative. We should mention that there are encryption enabled QR codes called dynamic QR codes that offer a little more security, but as a best practice, eliminating QR codes from internal data sharing within your business is prudent.
If you would like more information about setting up security training that actually makes a difference for your business, give Kornerstone Technology Inc. a call today at 818-206-6383.
Comments