COMMENT: Why We Need Immediate Regulation Over QR Codes
At the start of the pandemic, and before State Governments in Australia got their own act together, retailers and in particular restaurants delivered their own QR codes. Many were linked to commercial operations that basically collected data. Now QR codes are a real danger.
The organisations behind many of the food and restaurant industry QR codes are also providing restaurant booking systems for online operations. The big question now is how safe non-government QR codes are, and whether we need regulation over QR code use, especially as many coffee shops and restaurants are now using QR code menus, which were not in use prior to the COVID-19 pandemic.
At three restaurants in Byron Bay this year I was told that I had to log into a private QR code to get into the restaurant. I also had to provide contact details as well as use a QR code to access the menu.
A recent consumer sentiment study by MobileIron revealed that 64% of respondents stated that a QR code makes life easier, despite a majority of people lacking security on their mobile devices, with 51% of respondents stating they do not have or do not know if they have security software installed on their mobile devices.
Mobile devices have become even more important and ingrained in everyone’s lives during the COVID-19 pandemic, and 47% of respondents have noticed an increase in QR code use in Australia.
At the same time, employees are using mobile devices – and in many cases, their own unsecured devices – more than ever before to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work from anywhere.
Many employees are also using their mobile devices to scan QR codes in their everyday lives, putting themselves and enterprise resources at risk.
The risks and privacy issues that can come with QR codes, for example with QR code menus, which many restaurants have adopted to replace paper menus amid the pandemic, are now of concern to security experts.
Australians have most probably never thought about what sits between their food and the QR code menu they used to order at many restaurants, or about when a business is using a private log-in as opposed to the Service NSW log-in.
These new QR code menus were hardly ever seen until 18 months ago.
The pandemic changed everything.
Shared menus were replaced with pointing your phone camera at a QR code.
It opens the restaurant’s website to display the menu both in the restaurant and in some cases online.
Other QR codes are linked to sophisticated systems that also take orders and charge customers.
It sounds great, but it is riddled with potential problems, especially if contact details have been provided.
What a lot of people don’t realise is that a QR code can be programmed to link to anything, and that’s where privacy concerns come in. As for restaurants, in many cases, the QR code you just shot is the start of a tracking journey which customers are not told about.
In many locations the QR tracking is provided by a third-party company that also has access to the data.
These third-party businesses, which in a lot of cases are selling restaurant booking systems, can track when, where and how frequently customers scan, without the customers knowing.
QR code systems can activate cookies to track customer purchase history, capturing a name, phone number and credit cards linked to databases.
And in some cases that data is offered to other establishments, and those being asked to scan have no idea that it is.
Now attackers are capitalising on security gaps during the pandemic and increasingly targeting mobile devices with sophisticated attacks.
Mobile devices are appealing targets for hackers because the mobile user interface prompts users to take immediate actions while limiting the amount of information available, and a QR code is an easy way into a mobile phone.
Plus, users are often distracted when on their mobile devices, making them more likely to fall victim to attacks.
“Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication,” said Alex Mosher, Global VP of Solutions, MobileIron.
“I expect we’ll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.”
The problem here is that the vast majority of the QR code systems lack any clear privacy controls for consumers to opt-out.
The use of QR codes is unlikely to slow down, even after people learn how their data can be manipulated. Customers simply enjoy the speed and ease of using QR codes. And after all, the letters “QR” come from “quick response”.
My best advice here: don’t point your phone at a QR code that is not regulated or provided by a government, especially QR codes where you don’t know who is behind them.
Like, don’t go by the bus stop or a railway station or an ad in a magazine and go, “Hey, there’s somebody giving 30 off – I’ll click it,” because that could then just go anywhere, and somewhere really ugly.