28 November 2024
Imagine paying for your morning coffee with a simple scan of your smartphone. Yet behind this seemingly harmless gesture lies an invisible trap. In 2024, several significant incidents of fraud involving QR codes were reported, including cases where legitimate QR codes were replaced with fake ones in public spaces, siphoning thousands of bank accounts within minutes.
QR codes (Quick Response), once symbols of innovation across various sectors, are now central to serious security concerns. Increasingly used in mobile payment and authentication applications, these digital squares, as innocent as they may seem, have become potential vectors for sophisticated attacks. Behind their apparent simplicity lie vulnerabilities that could compromise user trust and expose millions of sensitive records. In an industry where security is paramount, the myth of the infallible QR code is eroding, and the consequences could be devastating. This article explores the hidden risks of this ubiquitous technology and questions the true security of modern digital transactions.
When Innovation Becomes a Weapon: The Hidden Dangers of QR Codes
While QR codes are incredibly convenient, they present several vulnerabilities that hackers can exploit, threatening user security. Users must exercise caution when scanning QR codes, especially in unsupervised environments.
Angel Grant, Vice President of Security at F5, a company specializing in multi-cloud security, noted that cybercriminals have targeted QR codes from the beginning: “Whenever a new technology or a new offering comes out, cybercriminals look for ways to manipulate it. So we’ve seen criminals targeting QR codes pretty much from when they were originally put out.”
Here’s an overview of the primary risks associated with QR code usage:
- QR Code Substitution: In environments where users scan QR codes for payments or services, it is relatively easy for a hacker to replace a legitimate QR code with a malicious one. In November 2023, a 71-year-old woman fell victim to QR code fraud at Thornaby station in Teesside, losing £13,000. Scammers had placed a fake QR code over a legitimate one on a parking sign. After scanning the code and entering her card details on a fraudulent website, her transaction was initially blocked by the bank. However, the fraudsters posed as bank employees and convinced her to take out a £7,500 loan. They then altered her banking details, ordered new cards, and created an online account, prompting TransPennine Express to remove all QR codes from its parking lots. The victim stated: “I can’t believe I fell for it. I’ve had so many sleepless nights and spent hours and hours speaking to my bank and credit card company trying to sort it all out.”
- Redirection to Malicious Websites: Have you ever landed on a suspicious website after scanning a QR code? That’s exactly what scammers want. QR codes can hide URLs redirecting users to malicious websites, which may attempt to download spyware or collect sensitive personal information. ING Bank, headquartered in the Netherlands, allows its customers to authenticate via QR codes for online services. Cybercriminals exploited this by disseminating fake QR codes resembling those used by the bank, gaining access to victims’ bank accounts and transferring funds. ING subsequently withdrew from the online banking market in France and closed its clients’ accounts.
- Compromising Two-Factor Authentication (2FA): You think you’re safe with two-factor authentication? Think again. Even these systems can be bypassed if you scan the wrong QR code. In 2023, attackers manipulated QR codes used in the Discord app for 2FA login. Malicious QR codes allowed attackers to capture usernames and passwords, gaining unauthorized access to user accounts.
- Malicious Data Injections: QR codes can also be used to inject malicious data. Cofense, a phishing detection company, uncovered a major QR code phishing campaign targeting Microsoft credentials at a large U.S.-based energy company. Hackers used QR codes to deceive users into compromising their Microsoft credentials. Over 1,000 emails containing malicious QR codes were sent, with a 29% increase in such attacks.
“Phishing Email with Malicious QR Code Targeting Microsoft Users and Steam’s QR-Enabled Phishing Page”
Static vs. Dynamic QR Codes
There are two main categories of QR codes: static QR codes and dynamic QR codes. Although both technologies are widely used, they present distinct vulnerabilities that require special attention.
Static QR Codes: Simple but Risky
Static QR codes are permanent codes that, once generated, cannot be edited. They contain a single URL or a small amount of information, which remains unchanged. Their simplicity makes them easy to use, but this is also their greatest weakness. This rigidity, while limiting the possibilities for manipulation after creation, offers little flexibility if an update or change is required, which is a major drawback in dynamic environments. Once a static code has been created, it is extremely vulnerable to substitution. Attacks via static QR codes often involve the creation of a malicious code or its substitution in physical environments such as posters, parking signs or printed documents.
Dynamic QR Codes: Flexibility and Threats
Unlike static QR codes, dynamic QR codes contain a URL that points to a server that can be reprogrammed to redirect the user to a new destination, so the content they lead to can be modified even after the code has been created. This offers incredible flexibility, especially for marketing campaigns or payment systems, where content can be updated without the need to generate a new code. However, this flexibility comes at a cost. It makes dynamic codes more vulnerable to attack, as a hacker who manages to take control of the server can modify the destination without altering the appearance of the QR code itself.
While static QR codes are simple but vulnerable to physical substitution, dynamic QR codes, while more flexible, require robust security measures to prevent malicious modification. For companies and users alike, it’s crucial to understand these differences and adopt best practices to minimize the risks associated with using QR codes. Both static and dynamic QR codes require robust security measures to mitigate their respective vulnerabilities.
Qshing: The Invisible Trap Behind Every Scan
“Qshing” is a term you should know. It combines “QR code” and “phishing” to describe a cyberattack technique that exploits QR codes to trick users and gain access to sensitive information on their devices. This is done by redirecting users to fake login pages that resemble legitimate services. Believing they are entering their credentials on a genuine page, users unwittingly provide their login details to attackers. Harmony Email by Check Point reported a staggering 587% increase in Qshing attacks. Researchers noted thousands of QR code-related attacks occurring each month. Jeremy Fuchs, a cybersecurity researcher and analyst at Check Point, explained that hackers lure users with QR codes and redirect them to websites collecting credentials. In the UK and Europe, around 86.66% of smartphone users have scanned a QR code at least once in their lives, and 36.40% have scanned a code at least once a week.
Source: Check Point (2024)
The different stages of a Qshing attack consist of:
- Creating a Malicious QR Code: The hacker generates a QR code that redirects users to a phishing site or downloads malware.
- Distributing the QR Code: The malicious QR code is placed in public spaces, embedded in emails, or printed on physical materials like posters or flyers.
- Victim Scanning the QR Code: The user scans the QR code, thinking they are accessing a legitimate resource or performing a secure transaction.
- Redirection and Compromise: Once scanned, the QR code redirects the user to a phishing site designed to look authentic, where they are prompted to enter personal or login information. Alternatively, the QR code may trigger a malware download that compromises the user’s device.
Qshing can therefore entail several risks for users and organizations, including theft of personal information and automatic download of spyware. In mobile payment situations, Qshing can redirect financial transactions to fraudulent accounts, exposing users to financial loss. These attacks can seriously erode users’ confidence in using QR codes for transactions and access to online services.
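The “Static vs. Dynamic QR Codes” section and the Qshing stages above describe the same weak point from two sides: the text a scanner decodes is trusted and opened as-is, whether the code was physically swapped or its server-side destination was changed later. The following added example is not from the article or from MS-Solutions; it is a defender-side triage routine a payment or banking app can run on the decoded payload before anything is opened. It classifies the payload, flags syntactic warning signs in the URL, follows the redirect chain to the final destination, and checks that destination against an allow-list. The domains, the shortener list and the in-memory redirect table are constructed for the example and stand in for real DNS and HTTP lookups.

```python
"""Pre-flight triage of a decoded QR payload (added example, not the article's code).

The app hands this module the text its scanner decoded. Nothing here opens a
URL; the caller decides what to do with the Verdict. Hosts, shortener list and
the redirect table below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts the app is allowed to land on (constructed). Lookalike domains that
# pass every syntactic check still fail this test, which is the point.
ALLOWED_HOSTS = {"pay.example-bank.test", "login.example-bank.test"}
# Public shorteners hide the real destination behind a neutral-looking host.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
MAX_HOPS = 5

# Simulated redirect table standing in for the "dynamic QR" server: the short
# link a code encodes -> where that server currently sends the user. In
# production each hop is a request with automatic redirects disabled.
REDIRECTS = {
    "https://bit.ly/park-pay": "https://pay.example-bank.test/park?lot=12",
    "https://qr.example-dyn.test/c/42": "https://pay.example-bank.test/invoice/42",
    "https://qr.example-dyn.test/c/43": "https://pay-example-bank.test/login",  # lookalike
}


@dataclass
class Verdict:
    kind: str                      # "url", "otpauth", "wifi" or "text"
    final_url: Optional[str] = None
    hops: List[str] = field(default_factory=list)   # redirect targets, in order
    risks: List[str] = field(default_factory=list)

    @property
    def accept(self) -> bool:
        return not self.risks


def classify(payload: str) -> str:
    low = payload.lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.startswith("otpauth://"):      # 2FA enrolment secret
        return "otpauth"
    if low.startswith("wifi:"):
        return "wifi"
    return "text"


def url_risks(url: str) -> List[str]:
    """Syntactic warning signs in one URL; each one is a string the UI can show."""
    risks = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        risks.append("plaintext http")
    try:
        ip_address(host)
        risks.append("ip-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        risks.append("punycode host")
    if "@" in parts.netloc:
        risks.append("userinfo in authority")
    if host in SHORTENER_HOSTS:
        risks.append("url shortener")
    return risks


def resolve(url: str) -> Tuple[str, List[str]]:
    """Follow the (simulated) redirect chain; returns (final_url, intermediate hops)."""
    hops = []
    while url in REDIRECTS and len(hops) < MAX_HOPS:
        url = REDIRECTS[url]
        hops.append(url)
    return url, hops


def triage(payload: str) -> Verdict:
    v = Verdict(classify(payload))
    if v.kind == "otpauth":
        v.risks.append("2FA enrolment code: only import from a session you started")
        return v
    if v.kind != "url":
        return v                       # wifi/text: nothing to open, nothing to follow
    v.final_url, v.hops = resolve(payload)
    v.risks += url_risks(payload)
    if v.hops:                         # judge the destination, not just the printed link
        v.risks += [r for r in url_risks(v.final_url) if r not in v.risks]
    if len(v.hops) >= MAX_HOPS and v.final_url in REDIRECTS:
        v.risks.append("redirect chain too long")
    host = (urlsplit(v.final_url).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        v.risks.append(f"final host not allow-listed: {host}")
    return v


SAMPLE_PAYLOADS = [                    # constructed scanner output
    "https://pay.example-bank.test/park?lot=12",
    "https://bit.ly/park-pay",
    "https://qr.example-dyn.test/c/43",
    "http://192.168.1.10/login",
    "otpauth://totp/ExampleBank:alice?secret=JBSWY3DPEHPK3PXP",
    "WIFI:T:WPA;S:cafe;P:constructed;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        v = triage(p)
        print(("ACCEPT " if v.accept else "BLOCK  ") + p, v.risks)
```

The order of checks matters: the shortener and the lookalike domain in the table both pass every syntactic test on the printed link, and only the allow-list applied to the final destination rejects them. Treat the allow-list as the control and the syntactic flags as explanations for the user.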
Beyond QR Codes: iBeacon, the New Banking Security Frontier
In a world increasingly focused on speed and convenience, QR codes have become a cornerstone of mobile payments. However, behind the simplicity of these transactions lie alarming security flaws. Enter iBeacon technology: an innovative, more secure alternative that offers enhanced protection and a seamless user experience, potentially representing the future of mobile transactions.
The Limits and Risks of QR Codes
Banks must seriously consider new alternatives to meet growing security and trust demands in mobile transactions. Here are the primary limitations and risks associated with QR codes in payment applications:
- Phishing: Scams that trick users into revealing sensitive information such as account credentials and passwords.
- Fraud: Both users and merchants can suffer significant financial losses before realizing they’ve fallen victim to fraud.
- Man-in-the-Middle (MitM) Attacks: Communications between the user and the server can be intercepted and altered by attackers, compromising transaction security.
- Recovery Efforts: Once a security breach is exploited, banks must invest considerable time and resources to recover losses, investigate fraud, and restore user trust. This diverts focus from innovation and service improvement.
Banking scam in Germany:
In December 2021, mobile banking users in Germany were targeted by a sophisticated scam using QR codes. Cybercriminals sent emails posing as two major German banks, including official logos and messages consistent with previous bank communications. These emails contained QR codes that redirected users to malicious sites, where they were prompted to enter their banking credentials. This campaign skilfully avoided the usual phishing methods that create a sense of urgency, making the attack all the more difficult to detect.
iBeacon Technology: A Secure Alternative
iBeacon uses Bluetooth Low Energy (BLE) signals and Near Field Communication (NFC) to create secure, personalized connections between the user and the banking application. This approach significantly reduces the risk of data interception and manipulation, while delivering a seamless, contactless user experience.
Why Banks Should Adopt iBeacon Technology:
- Enhanced Security: iBeacons emit encrypted signals that are difficult for attackers to intercept or forge, drastically reducing the risk of fraud and phishing.
- Multi-Factor Authentication (MFA): Transactions via iBeacon can be paired with MFA methods, adding an extra layer of security by verifying the user’s identity before completing a transaction.
- Ease of Use and Trust: Both users and banks can trust a system where transactions are secured by cutting-edge technologies. This improves the user experience and fosters long-term customer loyalty.
- Innovation and Efficiency: By adopting technologies like iBeacon, banks can focus on innovation rather than managing security breaches. This allows for the development of new features and enhanced customer services.
By integrating iBeacon technology, banks can not only bolster the security of their services but also position themselves as leaders in technological innovation, meeting the expectations of a clientele increasingly concerned with data privacy.
Case Studies
Various technologies are being adopted to meet users’ needs for security and maximum convenience. However, not all solutions are equal in terms of protection against digital threats. To illustrate this, let’s compare some striking case studies from Tunisia, Switzerland and France, where technological choices have led to contrasting results in terms of transaction security.
Tunisia – MS-Solutions: Although cyber threats remain relatively insignificant in Tunisia in terms of impact, they are nevertheless present in the minds of users. Solutions do exist to enhance transaction security, and financial institutions are making every effort to update them regularly, while anticipating necessary developments. Tunisian banks, thanks to MS-Solutions, have adopted mobile payment solutions that prioritize security above and beyond techno-trends. By choosing to avoid vulnerable technologies such as QR codes, these institutions have been able to strengthen the protection of their transactions against fraud and malfunctions. This proactive approach demonstrates a clear vision of financial security, avoiding the pitfalls associated with popular but risky tools.
Switzerland – Twint: In Switzerland, Twint has established itself as the most popular mobile payment application, with 590 million transactions, 72% of which involve payments at store checkouts. This popularity, however, has highlighted significant security vulnerabilities. The Twint payment system relies on telephone numbers to carry out transactions. Users have been exposed to fraud risks and unofficial transactions, highlighting the shortcomings of this technology. In 2023, in the canton of Vaud alone, the cantonal police recorded more than 900 Twint-related payment scams, for a total loss of almost 700,000 Swiss francs. To counter these threats, Twint has teamed up with NetGuardians, a Swiss fintech specializing in fraud prevention. NetGuardians uses technologies based on artificial intelligence and behavioral analysis to monitor all Twint transactions in real time, thereby considerably reducing the risk of fraud.
Read more: Week 28: TWINT – isolated cases of phishing and fraud
Banks and financial institutions must be visionary, adopting technologies that offer robust security and improved user experiences. By embracing alternatives like iBeacon for mobile transactions, they can not only protect their customers from fraud but also focus on innovation and continuous service improvement.
Banks that have trusted us with technologies like iBeacon now enjoy greater peace of mind. They no longer face the complications of QR code-related security breaches and can provide their customers with secure and reliable payment experiences. Adopting advanced, secure technologies is essential for building a future where mobile transactions are not only convenient but also safe and trustworthy.