When my son graduated from college, he and the classmates in his IT-related major had t-shirts made for the traditional graduation event. These being IT kids, they wanted to do something a little different than the boring, old t-shirts kids in other majors and groups had made, so they included a QR code on the back of the shirt. As they walked along campus and throughout town, other people would stop them so they could check out the QR code (it took you to photos from the event that were being live-streamed throughout the day).
I thought the QR code on the shirt was a stroke of genius and often think back to that whenever I see a QR code in an ad or the newspaper or, well, just about anywhere these days. People are curious about what that QR code might show, particularly if there is the chance of a coupon or some other perk hidden there. If I owned a business, I would definitely use QR codes as part of my customer outreach.
However, as much as I like to check out the QR codes I see, there is a part of me that is leery of doing so. A QR code is just an encoded string, usually a URL, that your scanner app opens for you; you can't read it by eye, so scanning one is like clicking on a shortened URL. You really don't know where you are going until you are there.
I was very interested, then, when I heard that GreenSQL's CTO David Maman ran an experiment a few months ago showing that even security experts give in to the temptation to "scan for free stuff." Most people, and certainly security professionals, have been trained well enough by now not to click on unknown links, and yet the same people don't hesitate to scan an unknown QR code.
In an email to me, Maman explained his experiment. He created a poster, hung at a security conference in London, that featured a major security firm's logo, a QR code and the tag line: "Just Scan to Win an iPad."
And people did. Maman told me:
The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers. As I'm a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include a malware or poisoned URL attack based on multiple mobile smart phone browsers, I wonder whose phone I would have penetrated …
According to William Jackson at Government Computer News, Maman decided to do his experiment because of an incident where a QR code took users to a link that was loaded with Android malware. What the experiment results showed is that human curiosity (not to mention the chance for free stuff) is a real security vulnerability. The code itself isn't the attack; it is just a pointer, and whatever the server behind it chooses to send to your particular phone browser is the attack. A scanner that opens the link automatically removes the one moment where you might have stopped to think. Although QR code-based malware isn't a widespread problem yet, we know the bad guys will take advantage of any avenue that is popular with users, especially one where we react before we think. I wouldn't be surprised if QR malware shows up on the lists of 2013 security concerns that will begin popping up soon.
Right now, there is no way to tell by looking at a QR code where it leads, so the best course of action is to think before you scan. Don't scan anything until you have a good security package installed on your phone or tablet, and use a scanner app that shows you the decoded URL and asks before opening it rather than one that opens the link on its own. Then, just as you would before clicking on a link, consider whether it comes from a trusted source. Keep in mind that a poster can carry any logo its maker wants; Maman's poster borrowed a major security firm's logo, and that didn't make the code any more trustworthy.
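To make the "look before you open" step concrete, here is an added example of the kind of check a scanner app could run on a decoded payload before acting on it. This is not code from the article or from Maman's experiment; it assumes the scanner has already decoded the symbol to a string (decoding the image itself is left to the scanner). The shortener host list, the package extensions and the sample payloads are constructed for illustration and are not exhaustive.

```python
"""Triage a decoded QR payload before acting on it.

Added example, not code from the article or from Maman's experiment. It assumes
the scanner app has already decoded the QR symbol to a string and is willing to
show the user this verdict instead of opening the target immediately. The
shortener list and package extensions below are constructed, non-exhaustive
assumptions.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumed list of well-known URL shorteners (constructed, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
# File types that install or run code on a phone when opened (assumption).
PACKAGE_EXTS = (".apk", ".ipa", ".jar", ".cod", ".exe")


def triage(payload: str) -> dict:
    """Classify a decoded QR payload and list reasons to hesitate before opening it.

    Returns {"kind": ..., "target": ..., "warnings": [...]}. An empty warnings
    list means nothing obviously suspicious was found, not that the target is safe.
    """
    text = payload.strip()
    lower = text.lower()
    warnings = []

    # Payload types that scanner apps act on directly, without a browser.
    if lower.startswith("wifi:"):
        warnings.append("joins a Wi-Fi network; its operator can watch or redirect your traffic")
        return {"kind": "wifi", "target": text, "warnings": warnings}
    if lower.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        warnings.append("opens the dialer, SMS or mail app; premium numbers and spam sign-ups live here")
        return {"kind": "contact", "target": text, "warnings": warnings}

    # Many scanners treat a bare "www." string as a web link; mirror that.
    if lower.startswith("www."):
        text, lower = "http://" + text, "http://" + lower
    if not lower.startswith(("http://", "https://")):
        return {"kind": "text", "target": text, "warnings": warnings}

    parts = urlsplit(text)
    host = parts.hostname or ""
    path = unquote(parts.path).lower()

    if parts.scheme == "http":
        warnings.append("plain http: the page can be altered by anyone on the network path")
    if parts.username is not None:
        warnings.append("text before '@' is not the host that will be contacted")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal; a normal hostname
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname: may be a look-alike of a known brand")
    if host in SHORTENER_HOSTS:
        warnings.append("URL shortener: the real destination is hidden until you follow it")
    if path.endswith(PACKAGE_EXTS):
        warnings.append("links straight to an installable package")

    return {"kind": "url", "target": text, "host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, from harmless to the kind of thing a
    # "scan to win" poster might really hide.
    samples = [
        "https://example.com/graduation-photos",
        "http://bit.ly/freeipad",
        "WIFI:T:WPA;S:FreeConfWifi;P:secret;;",
        "http://bank.example@192.0.2.1/update.apk",
        "Just a smiley :)",
    ]
    for s in samples:
        verdict = triage(s)
        print(f"{verdict['kind']:7} {s}")
        for w in verdict["warnings"]:
            print(f"        ! {w}")
```

The point of the function is not to decide that a link is safe, which it cannot do, but to surface the facts a human needs in order to hesitate: where the link really goes, whether that destination is hidden behind a shortener, and whether opening it will do more than show a web page.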
In other words, scanning the back of a t-shirt or a poster to win an iPad might be tempting, but remember you aren’t going to get innocent smiling faces every time.