QR Codes … “Quick Response” or “Quite Risky” ?
9th October 2020
The NHS “Test and Trace” app has seen significant number of people embracing QR codes as they scan and register at different entertainment, hospitality and catering venues around the country. QR codes are a square containing non-readable combinations of black and white dots, and you will need a smartphone to either photograph the code or use an app to decipher what message it holds. It is this blind trust that we have in QR codes that has started to worry the information security community – how can we be sure that the URL we are being directed to is genuine and honest? However, with a few sensible precautions, we can all reduce the possibility of unexpected things happening.
The first is to only use a reputable QR scanning tool (or your smartphone’s camera directly) which will show you in readable form the URL (https://etc) that you are about to visit. That way you can determine whether this link looks to be genuine before taking the next step of visiting the website. Check carefully though, as scammers can easily place false QR codes that result in a URL that may be just one character different from an authentic website (exchanging a O for a 0 or a l for a 1 for example) which may result in you being taken to an unexpected destination under their control. Does it start with https:// with a certificate which is recorded to the organisation you would expect? Secondly, does the QR code you are about to scan look authentic, or has it been tampered with by a sticker over the top? Finally, exercise caution if the QR code provides you with a link to a URL “shortening service” – for example starting with t.co, is.gd, bit.ly etc. These provide an easy means for scammers to conceal their malicious website, which is just waiting for an opportunity to send you some nice malware, so ensure that your device can expand these shortened codes before you commit to visit the website.
InfoSaaS recommends that awareness and use of QR codes is considered for inclusion in personnel information security training and/or clear communications, especially at this time when the NHS app is driving up their adoption. Does your organisation allow its personnel to download any apps onto corporate devices, or do they need prior approval of the business?
For clarity, the NHS “Test and Trace” QR codes will simply register your device as being in a specific location at a specific time, and retain it for the minimum period to allow for citizen tracing in the event of a positive COVID-19 test result from a person you may have been in close proximity to. This simple scan, which takes a matter of seconds, does not require you to enter any additional information, or visit separate websites. If the code you scan does either of these things, it is not genuine and you should proceed no further.