Quick-response (QR) codes have been around since the mid-1990s, packing 200 times more information within their configurations than regular barcodes. With the pandemic, this 30-year old technology is experiencing a revival as demand has gone up for contact tracing, as well as touchless payments, menus, check-ins, and other transactions. In fact, QR code usage grew by 96% between 2018 and 2020.

Of course, many users question whether or not QR codes are safe. QR code technology, in itself, is secure and cannot be hacked. The problem lies with the destination, which could be dangerous depending on who created the code and what their intentions are. Malicious actors can tape over legitimate QR codes, for instance, so it’s important to provide users assurance on where the QR code came from and where it leads.

How QR Codes Pose Cybersecurity Threats

In our recent article on cashless societies we discussed how cashless disbursement through mobile payments, pay-wave enabled cards, identity-linked cards, and other technologies can help eliminate fraud in financial systems and government services. QR codes are likewise an effective tool for cashless, touchless functions that eliminate inefficiencies.

Businesses could quickly deploy unique black-and-white square signatures that connect to mobile payment apps for fund transfers, and organizations can streamline processes by having people use their own smartphones to complete necessary steps online. For instance, Walmart’s self-checkout model combines barcode scanners with the Walmart Pay App, so consumers can easily scan and bag their own purchases at self-service kiosks.

From there, shoppers can opt to scan the QR code and pay using their smartphone. QR code payments tie into a larger strategy, as it is linked up with the Capital One Walmart Rewards card, allowing customers to save 5% on purchases. Plus, Walmart includes QR codes as touch points throughout their stores. If you scan a QR code in the pet department to find additional product options, you will also see pop-ups about Walmart’s pet insurance products or have dog kibble delivered to your door as part of their omnichannel marketing strategy.

Unfortunately, this innovation has been preyed on by cybercriminals. Reports of fake QR codes for theft have become more common, with cybercriminals trying to steal financial information through visual clones of authentic QR code stickers.

Once scanned, the code will direct victims to malicious sites to steal data, intercept payment information, or even hijack payments outright. Since many QR codes don’t provide enough visibility into the webpage or application behind them, it’s easy for cybercriminals to insert themselves as real web pages, app stores, or payment portals. They can also hack into a business’s website and replace the QR code with their own — and it would be very hard to spot the swapped code. This problem isn’t exclusive to individuals; businesses with remote workforces using company devices could compromise entire IT networks by scanning a fraudulent QR code.

One way to mitigate this problem is for organizations and individuals alike to upgrade their cybersecurity and educate themselves on potential cyber threats. A think-before-you-scan campaign for QR codes could be one part of an organization’s cybersecurity approach. Moreover, it would be smart to consider that QR does not necessarily work for every use-case.

The downside to QR is that it’s not totally frictionless for users to take out their phones, scan the code on their camera, and then manually click the link to a website. This takes the power out of what could be a more immersive experience. Alternative technologies like geofencing may be more effective for location-based purposes. Once the geofencing service comes in contact with a mobile device at a virtual boundary, it can trigger pre-programmed actions. Contact tracing, footfall tracking, and payments can be safer and more effective, as it automatically connects users with the service.


The Role of AI in Cybersecurity Forensics

Cybersecurity is predominantly managed using human expertise. Modern computer forensic experts work with law enforcement agencies to retrieve information from computers to help solve cybercrimes. These investigators have a strong working knowledge of computers, as well as methods to secure information technology systems. Despite the analytical and investigative skills of these professionals, however, there is a shortage of skilled cyber workers in the field.

Even as many training opportunities and courses become widely available, there are not enough people to keep up with advancements in technology. The pace at which cyber threats develop has far outstripped the security industry’s capacity. It’s now necessary to leverage artificial intelligence to take on assignments that are too labor-intensive for analysts.

Artificial intelligence can reduce false positives in data and signals. By applying machine learning capabilities, we’d have a much easier time filtering through cases and minimizing human errors. For instance, an AI barcode scanner can be utilized to detect malicious QR code links with accuracy. Instead of allowing users to fall prey to indistinguishable redirected pages, AI scanners can automatically and regularly check whether or not a QR code is legitimate.

AI models can also be used to detect patterns in suspicious digital activities, thereby preventing cyber criminality to a certain degree. By leveraging machine learning tactics, AI programs can learn how legitimate interactions occur with QR, so they can spot any anomalies or unusual behavior. An AI-powered automated system analysis can likewise be programmed for continuous monitoring, in case of attempted intrusions. This would prevent websites from getting hacked and QR codes getting replaced.

Harnessing AI will allow analysts to be more productive, even with fewer resources and limited time. Organizations should also continue integrating cybersecurity into modern tools and processes, so we can better protect consumers from malicious actors. 


Written and Submitted by Eloise Abram