
Consumers with mobile phones accepted QR codes during the pandemic to access menus and other information, making the codes a more attractive tool for marketers. But with that attraction come security risks.
QR codes made news this week after Coinbase Global, the largest U.S. cryptocurrency exchange, made its Super Bowl debut with a QR code ad so popular that it forced the company to throttle traffic to its site.
Tony Anscombe, global security evangelist & industry partnership ambassador at ESET, said people need to be careful when scanning QR codes. He said the code on the television screen cannot be manipulated, but the website can be manipulated, especially if it goes down.
The biggest challenge: people cannot see the URL until it’s too late.
About 83.4 million U.S. adult smartphone users will scan a QR code this year, rising to 42.6% by 2025, according to eMarketer. The research firm estimates that after the spike in 2020, the number of smartphone QR code scanners in the U.S. will increase at a compound annual growth rate (CAGR) of 8.7% through 2025.
One of those too-late circumstances occurred in December, when police warned drivers using public parking spots after fraudulent QR codes were discovered on meters in San Antonio, Texas.
“People attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor,” the police department tweeted.
Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA), believes cybercriminals can exploit QR codes, but, similar to clicking on a blue link in a search-engine query, people need to consider the source.
A cybercriminal cannot redirect the path from a QR code that appears in a TV ad if the URL in the code uses Hypertext Transfer Protocol Secure (HTTPS), which is used to secure communications running on a computer network, according to David Strauss, co-founder and CTO of Pantheon, which works to secure technology and websites against cybersecurity threats.
There is some risk when using a redirection/analytics service, also known as a URL shortener, without HTTPS, but that risk is the same as using the shortened URL in any capacity, QR code or not.
Brian Klais, founder and CEO of app-linking company URLgenius, wrote in an email to Inside Performance that the recent Super Bowl Coinbase ad is confirmation that QR codes can play a big role in engaging mobile consumers from the television.
“In the original ad, scanning the QR shows "coinbase.com" in the camera and requires clicking to proceed to official site, but since consumers don't think twice about scanning QR codes from URL shorteners, there is room for vulnerability from online replica videos, and more,” Klais wrote. “If Coinbase presented context in the ad that it was powered by them, it may have helped reduce that threat, although that may have reduced their response rates as well.”
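The points above about HTTPS, URL shorteners and seeing the destination before proceeding can be turned into a check a scanner app runs on the decoded QR payload before opening it. This is an added example, not code from the article or any company it quotes; the function name, the warning labels, the shortener list and the sample payloads are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Sample redirection/shortener hosts: an illustrative list, not from the article.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def assess_qr_url(payload, expected_domain=None):
    """Return warning labels for a string decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ["not-a-web-url"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-url"]

    findings = []
    if parts.scheme != "https":
        # Without HTTPS the request can be altered or redirected in transit.
        findings.append("no-https")
    if parts.username is not None:
        # "https://brand.com@other.host/" displays the brand but goes elsewhere.
        findings.append("userinfo-in-url")
    if host in SHORTENER_HOSTS:
        # The real destination is hidden behind the redirection service.
        findings.append("shortener")
    elif expected_domain:
        expected = expected_domain.lower()
        # Accept the exact domain or one of its subdomains, nothing else.
        if host != expected and not host.endswith("." + expected):
            findings.append("unexpected-host")
    return findings


# Constructed payloads: (decoded QR text, domain the user expects to reach).
SAMPLES = [
    ("https://coinbase.com/", "coinbase.com"),
    ("http://bit.ly/abc123", "coinbase.com"),
    ("https://coinbase.com.example.test/login", "coinbase.com"),
    ("https://coinbase.com@example.test/", "coinbase.com"),
    ("WIFI:S:cafe;T:WPA;P:x;;", None),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(payload, "->", assess_qr_url(payload, expected) or ["ok"])
```

A "shortener" finding means the check cannot vouch for the final destination; the app would need to show the resolved URL to the user before proceeding.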