Chris Goettl

QR Codes Bring Opportunities, Security Risks

As any technological innovation becomes popular, rest assured fraudsters will find a way to exploit it.

Now it’s QR codes getting some attention from criminals as the once dormant technology is gaining momentum. The reason, says Ivanti’s Chris Goettl, is their use in payment strategies as companies seek to make the purchase experience as seamless as possible. But with that ease comes risk and consumers must take steps to protect themselves.

Mr. Goettl is the senior director of product management for Ivanti’s endpoint security product lines. He said Ivanti employs a zero trust strategy across VPN and network address translation access technologies that are used for user identification and devices.

“For zero trust implementation to be successful, it’s not just access but also the context of users and the devices requesting that access that need to be to be successful,” Mr. Goettl began.

Because Ivanti uses those strategies they can better address problems like having a valid user request be denied when someone requests access. 

“We can solve those in advance of and make it so overall the implementation of zero trust is more successful and less costly,” Mr. Goettl said.

When practicing cyber hygiene at the device level, imagine having to create a security boundary around yourself every time you are somewhere new – that’s what zero trust is about, Mr. Goettl said. That need has increased dramatically due to the pandemic as life patterns abruptly changed, accelerating digitization by as much as seven years, he believes.

Such rapid change isn’t good for security as it takes time to adapt to behavioral changes and the criminal activities that emerge. This happens as our expectations for better and faster service keep getting higher, driven by the best digital experiences we have.

Nowhere is that competition more fierce than in retail, as companies seek to provide us with the most seamless checkout possible. That is what propelled the return of QR codes. Why use a traditional URL when a barcode scan is better?

“That’s one of many experiences people just expect to be easy and flawless and they don’t think about the ramifications of it,” Mr. Goettl said.

He likened it to credit card skimmers which fraudsters insert at gas station pumps and ATMs. Once you insert your card they have your financial information. QR code fraud is more insidious and harder to defend, as once you scan it can take you to all sorts of places. Whereas you may be able to detect an altered web address, you cannot do so with a QR code.

“The risk that’s happening in this transition to a more connected world where I should be able to do anything from anywhere is just opening up more ways for threat actors to try and expose our users to things,” Mr. Goettl said. “It all comes down to the all-mighty payment. If I can go and transact something and make it that much easier to get some commodity, a service, application or product, people start to jump on those things right away.”

The early QR code scams have been basic but effective. One in Russia saw thousands of people download a program which sent a series of six-dollar text messages from their account to a fraudster’s.

“Get enough people doing that and it’s lucrative. The attacker just sets up supply chain and presents a QR code…in enough places for critical mass,” Mr. Goettl explained.

Keep in mind the biggest goal of a scammer is to get your credentials, so their strategies will often get you to fill out a form. One increasingly popular method is to target places where people will give medical information such as pharmacies and medical practices. They count on you using similar user names and password which you employ elsewhere so they can try and steal from you elsewhere online. And they’re really good at finding you out there.

“As their popularity increases this is going to become more and more prevalent,” Mr. Goettl said.

There’s a few simple steps you can take to protect yourself, Mr. Goettl advised. Start with seeing if someone has actually taped a QR code over the original one on the poster or whatever you are scanning. Criminals use this tactic because it works. If the QR code takes you to a URL, check it carefully for any discrepancies. Use a credit card if you must and never a debit card as the former offers additional protection. There are also barcode scanners you can get for your device. If you run a business, Ivanti offers a corporate mobile defence product.

In this quest for better and faster we must occasionally slow down so we can take conscious steps to protect ourselves.

“Users need to be security conscious always and most of the world doesn’t want to deal with that,” Mr. Goettl noted. “Nothing you do digitally can ever be truly private. Everything you do, assume somebody is watching.”

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments