When QR Codes Killed the Curious Cat
Coinbase Global Inc., the largest U.S. cryptocurrency exchange, is estimated to have paid $14 million for 60 seconds of airtime during the second quarter of the Super Bowl on February 13, 2022.[1] The commercial was nothing more than a small, color-changing QR code drifting from corner to corner of the screen, much like an old computer screensaver or the bouncing logo of a DVD player's standby screen, set to 80s-inspired electronic music and ending on a retro blue screen of the kind found in 90s home videos. It lit up the internet with mixed reactions.[2] Viewers who scanned the code were sent to a site where new users could sign up by February 15 and receive $15 in Bitcoin, and existing members could enter to win $3 million in prizes.[3] The response to those 60 seconds exceeded expectations and crashed the website; Coinbase tweeted at 8:23pm that the site had been restored, roughly an hour after it had "throttl[ed] traffic for a few minutes."[4] According to Bitcoin Magazine, the commercial got Coinbase "a whopping 20 million hits within just one minute of the ad airing."[5] "Curiosity evidently got the better of the viewers who wanted to know what they were looking at for what seemed like an eternity."[6]
QR ("Quick Response") codes are two-dimensional barcodes, usually square, that provide quick access to data. They were created in 1994 by the Japanese company Denso Wave to track motor vehicle parts through the manufacturing process.[7] Although the technology has been around for decades, its use accelerated and broadened during a period of social distancing because it offers a touchless form of communication. QR codes now commonly appear as restaurant menus, payment methods, check-ins at public spaces, event registration, and even pet identification.[8] Like a barcode, a QR code is scanned and then decoded, typically into a URL, with a couple of taps on a smartphone. The scan itself is usually harmless; the decoded URL, however, can lead to a phishing site or to malware posing as an app.[9]
Because QR codes are perceived as safe in themselves, and because of the marketing buzz Coinbase's Super Bowl ad generated[10], security experts have voiced concerns about exploitation by scammers "circulating spoofed QR [C]odes that lead unsuspecting users to a look-alike website, which is actually malicious."[11] "To put that another way, Coinbase is normalizing a potential security vulnerability."[12] Running the commercial in front of millions of viewers, many of them unsophisticated consumers, teaches the public that scanning a QR code with no context is acceptable. "If you didn't point your smartphone camera at the screen, you would never know the ad was for Coinbase. There was nothing else in the ad to give you context that your TV hadn't just gone bad."[13]
"Humans are curious, by nature, and it's hard to resist the temptation to scan the code to figure out what it's about."[14] One job seeker built a creative application around a QR code and landed the job.[15] But as bad actors taint the use of QR codes, other prospective employees may find that trick no longer works.
In Australia, a check-in system built on QR codes during the pandemic became a genuine nightmare. Over 500,000 QR code check-in addresses were leaked in a "massive and dangerous data breach."[16] The 566,318 leaked locations included domestic violence shelters, defense sites such as a missile maintenance unit, prisons, and tunnel entry points.[17] In another ploy, cybercriminals have slipped trojanized apps into app stores that pose as QR code scanners but steal confidential data such as passwords, messages, and online banking and social network login credentials.[18]
Fraudulent QR codes, known as "quishing," are the newest form of phishing.[19] "Many individuals are not aware that QR codes are being spoofed by cybercriminals and woven with malware or malicious URLs in hopes of opening the door to sensitive data."[20] In December 2021, it was first reported that parking meters in San Antonio, Texas had been stickered with fake QR codes that, when scanned, requested credit card or bank information to "pay" for parking.[21] Since then, similar schemes have been uncovered in other large Texas cities and, most recently, in Atlanta, Georgia.[22]
On January 18, 2022, the Federal Bureau of Investigation (FBI) released a public announcement warning the public against blindly scanning QR codes, since the code may be malicious.[23] There is no way to tell from the code itself whether it is a scam, short of visible tampering on a physical code, but there are ways to avoid falling for most attacks. Built-in scanners on many phones preview the decoded URL before opening it, and a malicious destination usually needs several further prompts or clicks, a request for credentials, or a file download before it can do harm. Each of those steps gives the end user a moment to reconsider before it is too late. End users "should always validate where the QR code is coming from and never scan a random QR code."[24] If a URL is misspelled or the domain looks suspicious, end users are better off skipping the QR code and navigating directly to the legitimate site.[25]
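The "inspect the link before proceeding" advice above can be made mechanical. The following is an added example written for this page, not code from the article, the FBI, Coinbase or any scanner vendor: it takes the text a scanner decoded from a QR code and, given the domain the user expects (assumed here to be coinbase.com), reports the warning signs a practitioner looks for, such as a non-web scheme, a lookalike or typosquatted domain, a decoy username before an "@", a raw IP address, a punycode label, or a link shortener that hides the destination. The sample payloads and the shortener list are constructed for illustration.

```python
"""Vet the text decoded from a QR code before opening it.

Added example (not from the article). Standard library only, so it runs
offline. The expected domain and the sample payloads are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical, illustrative list of shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def vet_payload(payload: str, expected_domain: str) -> dict:
    """Return {'open': bool, 'findings': [...]} for a decoded QR payload."""
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # tel:, sms:, intent:, market:, WIFI: etc. trigger an action, not a page.
        findings.append(f"non-web scheme {parts.scheme or '(none)'!r}")
        return {"open": False, "findings": findings}
    if parts.scheme != "https":
        findings.append("not https")
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no hostname")
        return {"open": False, "findings": findings}
    if parts.username is not None:
        # https://coinbase.com@evil.example actually goes to evil.example.
        findings.append("credentials in URL (host before '@' is a decoy)")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph)")
    reg = registrable(host)
    if reg in SHORTENERS:
        findings.append("link shortener hides the destination")
    elif reg != expected_domain:
        brand = expected_domain.split(".")[0]
        dist = edit_distance(reg, expected_domain)
        # Brand name buried in a subdomain, or a domain two edits away, is a lookalike.
        if brand in host or 0 < dist <= 2:
            findings.append(f"lookalike of {expected_domain}: {host}")
        else:
            findings.append(f"unexpected domain {host}")
    return {"open": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    samples = [
        "https://www.coinbase.com/earn",
        "https://coinbsae.com/login",
        "https://coinbase.com.login-verify.example/",
        "https://coinbase.com@evil.example/",
        "http://192.0.2.10/pay",
        "https://xn--cinbase-9ya.com/",
        "https://bit.ly/3abc",
        "tel:+18005551234",
    ]
    for s in samples:
        result = vet_payload(s, "coinbase.com")
        print(("OPEN   " if result["open"] else "REFUSE "), s, result["findings"])
```

The registrable-domain helper deliberately ignores the Public Suffix List, so a domain such as example.co.uk would need a real PSL lookup in production; the point here is the set of checks, which mirror what a scanner preview lets a careful user do by eye.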
While QR codes offer real convenience and are harmless in themselves, bad actors can tamper with them to steal data, deliver malware, and redirect payments.[26] As a best practice, end users should think twice before scanning a QR code and carefully inspect the decoded link to confirm it points to the intended, authentic site before proceeding.
Footnotes