January 22, 2024 •Abdulmajeed AlAbdulhadi, Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
Have you ever wondered what those squares of dots or bars called "QR codes" are all about? You most likely have seen them posted on websites, printed on posters, used as mobile tickets, or on restaurant tables. How do these work, and are there risks you should be worried about? Let's find out.
QR code pointing to the SANS OUCH website.
QR code stands for "Quick-Response code" and is a machine-readable code usually consisting of a matrix of black and white squares (they can also come in other colors and contain background images). These squares can be easily created with QR code generators, and they're used to encode information such as website URLs, email contact information, or other types of data. Think of QR codes like bar codes but more versatile. Most mobile device cameras recognize and decode the information coded in a QR code. In other words, when you try to take a picture of a QR code with your device's camera, it will decode the QR code and ask you if you want to act on the information it contains, such as opening a link to a website.
QR codes can be difficult for people to easily interpret, which makes it easier for cyber attackers to encode information that could be malicious or cause harm. For example, a QR code could send you to a malicious website that attempts to harvest your personal information, like passwords or credit card numbers, or perhaps even try to install malware on your device.
In addition, QR codes can take additional steps, such as adding a contact to your contacts list or composing an email on your behalf. The QR code by itself is not the threat; however, the information or action it triggers can be.
For example, let's say you are in the city or perhaps in an airport, and there is a poster on a wall promoting a product that interests you. The poster has a QR code you can use to quickly get more information. What you don't realize is that someone has covered the poster's QR code with a sticker of a different QR code. When you look at the poster you trust it, not realizing that the QR code on the poster has been replaced by a criminal. When you scan the QR code to learn more about the product, you are directed to a website controlled by the criminal to start an attack.
QR codes are a convenient way to access all sorts of new information and capabilities. Taking a few simple steps can help you make the most of them, safely and securely.
Abdulmajeed AlAbdulhadi is an IT/OT systems consultant in Saudi Aramco with more than 27 years of experience. He is a Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) with a granted cybersecurity patent by the US patent office (10,693,906).
The views, information, or opinions expressed in this article are solely those of the author and do not necessarily represent the views of Citizens State Bank and its affiliates, and Citizens State Bank is not responsible for and does not verify the accuracy of any information contained in this article or items hyperlinked within. This is for informational purposes and is no way intended to provide legal advice.