Have you ever been clickjacked?
The pandemic has normalised scanning
The global pandemic has triggered many changes in our day-to-day lives. Working from home, endless Zoom meetings, masks on public transport… all the way through to scanning those seemingly innocuous QR Codes before entering businesses, restaurants, bars – and now, even workplaces.
All these small changes, including scanning QR Codes, have become our new normal, and with ‘normal’ comes familiarity, complacency and even trust.
Understanding the limitations and risks of QR Codes
We scan them multiple times a day – usually without a second’s thought. In 2021 it seems like QR Codes, or “Quick Response Codes”, are everywhere and on everything.
QR Codes were designed in 1994 by Denso Wave to track parts on automotive production lines: a closed environment where the operator printed every code and the operator's own equipment scanned it. Outside that setting they are perfect for quick links to a website and a bit of interactive fun, particularly where trust and security are not key requirements.
Effectively a two-dimensional barcode, a QR Code encodes up to about 3 KB of arbitrary text, most often a URL, and the scanner hands that text straight to whatever app reads it. Used for legitimate purposes, this is highly effective.
Problems emerge, however, when QR Codes are used by bad actors. The risks of QR Codes are poorly understood by businesses, policy makers and consumers.
The reason is that the QR Code is an open, published standard (ISO/IEC 18004): anyone can generate one, and the code itself carries no signature or other proof of who issued it. A scanner cannot distinguish a code printed by your business from one printed by somebody else, which means anyone can issue look-alike QR Codes on behalf of your business, not just you. That comes as a shock to many organisations.
All of this makes QR Codes a hacker’s dream! For counterfeiters and cyber criminals, QR Codes are a gift – as is the low level of risk perception in the community.
While QR codes have their place and are not going anywhere anytime soon, it’s critical to consider very carefully the circumstances in which they’re applied.
How easy is it for bad actors to create nefarious QR Codes?
Shockingly easy and quick. QR Code generators such as QRCode Monkey or MeQR are mostly free to use and easy to find with a simple Google search.
In minutes, anyone can generate a QR Code, point it to any website – legitimate or otherwise – and start substituting it for genuine Covid check-in signs, product packaging, competition entries or even official documents.
It really is as simple as that to direct an unsuspecting consumer to a fraudulent website that could be impersonating a government agency, brand or promotion, with the objective of stealing personal information, installing malware or simply passing a fake for a genuine product.
Often neither the consumer nor the brand being impersonated is any the wiser… until it's too late. (A note on the word: in web security 'clickjacking' strictly means tricking a user into clicking a hidden element overlaid on a legitimate page; this post, like much of the coverage it cites, uses it for the physical equivalent, a malicious code stuck over or passed off as the genuine one.)
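The practical consequence of the above, as an added example that is not part of the original post and not Laava's code: a decoder hands a scanner app nothing but the printed text, so the only point at which any judgement can be applied is on that text, before a browser is opened. The Python below, standard library only, vets a decoded payload against an allowlist of hosts a venue check-in scanner would expect. The host name, the shortener list and the homoglyph table are assumptions made for this example, and the payloads in the `__main__` block are constructed, not real codes.

```python
"""Vet the text decoded from a QR code before acting on it.

Added example for this post (not Laava's code and not from any QR library).
A QR symbol is only a carrier for bytes; the decoder returns a string and
nothing in the symbol says who printed it. EXPECTED_HOSTS, SHORTENERS and
HOMOGLYPHS are assumptions made for the example.
"""
from urllib.parse import urlsplit

# Hosts a venue check-in scanner expects to see (assumed for the example).
EXPECTED_HOSTS = {"checkin.health.example.gov.au"}

# Shorteners hide the real destination from the person scanning.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Digit-for-letter swaps used in look-alike hostnames ("g0v", "examp1e").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def assess_qr_payload(payload: str, expected_hosts=EXPECTED_HOSTS) -> list[str]:
    """Return the reasons a decoded payload should not be opened blindly.

    An empty list means: an https URL on an expected host with none of the
    tricks checked below. The list is advisory; the calling app decides
    whether to warn or refuse.
    """
    reasons: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme  # urlsplit lower-cases the scheme

    # 1. WIFI:, tel:, SMSTO:, javascript: are legitimate QR payloads, but a
    #    check-in or product scanner should never act on them automatically.
    if scheme not in ("http", "https"):
        return [f"non-web scheme {scheme or '(none)'!r}: refuse to act on it"]
    if scheme == "http":
        reasons.append("plain http: page and redirects can be rewritten in transit")

    # 2. https://trusted.host@attacker.example/ - the eye reads the decoy
    #    before the '@'; the browser connects to what follows it.
    if "@" in parts.netloc:
        reasons.append("userinfo in URL: text before '@' is a decoy, not the host")

    host = parts.hostname or ""  # lower-cased, port and userinfo removed
    if not host:
        reasons.append("no host in URL")
        return reasons

    # 3. Internationalised labels and bare IP addresses are rarely what an
    #    official sign points at.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible internationalised look-alike")
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a hostname")

    # 4. A shortener is an open redirect the attacker controls after printing.
    if host in SHORTENERS:
        reasons.append(f"URL shortener {host}: real destination hidden")

    # 5. Allowlist, then look-alike detection by folding homoglyphs on both
    #    sides, then the "trusted name as a subdomain of my domain" trick.
    folded_expected = {h.translate(HOMOGLYPHS) for h in expected_hosts}
    if host in expected_hosts:
        pass
    elif host.translate(HOMOGLYPHS) in folded_expected:
        reasons.append(f"look-alike of an expected host: {host}")
    elif any(host.startswith(h + ".") for h in expected_hosts):
        reasons.append(f"expected host used as a subdomain prefix: {host}")
    else:
        reasons.append(f"host not in expected set: {host}")
    return reasons


if __name__ == "__main__":
    # Constructed payloads, not real codes.
    for p in ("https://checkin.health.example.gov.au/venue/1234",
              "https://checkin.health.example.g0v.au/venue/1234",
              "http://bit.ly/3xYz",
              "https://checkin.health.example.gov.au@attacker.example/login",
              "WIFI:T:WPA;S:Free;P:pw;;"):
        print(p, "->", assess_qr_payload(p) or ["ok"])
```

The checks are deliberately cheap and local: no network lookup, no reputation feed, so they work offline at the moment of the scan. They catch the cases the post describes (a sticker pointing somewhere else) but not a malicious page hosted under a genuinely expected host, which is a separate problem.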
Why isn’t anyone talking about this?!
They are, and they are some of the most respected names in cybersecurity, industry and government – but are we listening? Unfortunately, for most people and organisations, it won’t hit home until it happens to them.
There is increasing global commentary warning of the security risks and consequences to consumers, brands and policymakers around the ease with which QR Codes can be clickjacked.
Amongst the growing global chorus of warnings are respected media outlets, the United States Army, global technology experts, and Laava customers.
- Patrick Martin, of ABC News, reported that a South Australian man was arrested after allegedly placing fake QR Codes over official business Covid check-in codes in Adelaide. This highlights the ease with which anyone can generate fake QR Codes and substitute them for the real thing, and it’s happening right here in Australia.
- Ronna Weyland, reporting for the United States Army, highlights the rise in QR code scams.
“The Major Cybercrime Unit warns a basic scam could be perpetrated by printing malicious QR codes on labels and sticking the labels to various publicly accessible surfaces. The curious passerby scans the code and is directed to a malicious website allowing damaging code to be downloaded to their computer or smart phone.”
- Brian Foster, an InfoSec Insider for Threatpost, released an article in 2020 titled “QR Codes: A Sneaky Security Threat”. Mr Foster wrote:
Brian Foster, ThreatPost
- Australian premium fruit exporter Reid Fruits fell victim to the ease with which anyone can create a malicious QR Code. It was a well-documented case of counterfeiting, shared by Austrade:
“The QR-based technology was especially troubling for Reid Fruits, as counterfeiters simply created their own QR codes that linked to a fake authentication website (a technique known as ‘spoofing’ or ‘clickjacking’).”
We know that counterfeit situations like this not only cause revenue loss but also present significant risks to brand reputation. Tony Coad, Manager, Marketing and Sales, Reid Fruits, was quoted as saying:
“If the counterfeit product is of an inferior quality – and they usually are – that can have a damaging long-term impact on our brand.”
So what can a malicious QR Code actually do? You’ll be astonished
It is happening more often than we realise. In this excellent blog post, our partner Matthews Australasia outlines what you need to know about the impact and cost of QR scams and the alternative solutions.
Choose the right tool for the job
When trust and security are critical, you need to use next-generation technology – you need Laava Smart Fingerprints®. They're the secure trust mark which is unique to each individual item, and can do three key things in a simple, cost effective and easy to produce marker:
- Authenticate products, documents and even NFTs. Learn more about our partner Vinsent in our blog post “Laava and Vinsent secure wine futures with NFT certification”.
- Digitally verify product claims and link to traceability information, to provide evidence of claims like ‘sustainable’ and ‘organic’ all the way through to ‘freedom from modern slavery’ – or even just ‘fresh’, ‘air freighted’ or ‘Made in Country X’.
- Connect and engage with consumers securely – for digital storytelling, promotions, competitions and rewards programs.
The upgrade from the QR Code
Laava’s Smart Fingerprints® are secure by design and prevent QR based scams, including clickjacking. How?
- Smart Fingerprints contain no encoded data or URL, so there is nothing in the mark to decode, alter or repoint – each one is a unique, randomised image.
- Each Smart Fingerprint is completely unique and issued securely by the Laava platform. Each product, document, experience or NFT has its very own Smart Fingerprint, which has been authorised by the brand owner or agency.
- Each Smart Fingerprint is scanned, matched and authenticated according to pre-defined business rules, by optically comparing the image to those within the Laava database. All of this occurs before any data is shown to the consumer.
All of these things contribute to a solution we think of as the “Trusted Last Mile” – the secure on-product trust mark the world has been looking for.
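To make the design difference concrete, here is an added example (not Laava's code) of the control flow the three points above describe: the mark is an opaque identifier minted per item by the issuer, a scan is checked against the issuer's records under business rules, and the destination is released only afterwards, by the server, never read off the mark. A random 128-bit token stands in for the image match, which this example does not model; the scan-region rule, the limit of two regions and the sample item are assumptions made for the example.

```python
"""Resolve-then-reveal: the trust mark as a lookup key, not a URL.

Added example, not Laava's code. A random token stands in for the optical
match; the business rule (a genuine per-item mark should not turn up in
many regions) and the sample data are assumptions made for the example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IssuedItem:
    sku: str
    destination: str           # held server-side, never printed on the mark
    regions_seen: list = field(default_factory=list)


def resolve_qr(payload: str) -> str:
    """The QR model, for contrast: the printed text IS the destination.

    There is no issuer record to consult, so a code printed by a
    counterfeiter resolves exactly as well as one printed by the brand.
    """
    return payload


class MarkIssuer:
    """Issues one opaque identifier per physical item and adjudicates scans."""

    def __init__(self, max_regions: int = 2):
        self._items: dict[str, IssuedItem] = {}
        self.max_regions = max_regions

    def issue(self, sku: str, destination: str) -> str:
        # 128 random bits: unguessable, and unrelated to sku or destination,
        # so a copied mark yields one identifier and nothing to extrapolate.
        token = secrets.token_hex(16)
        self._items[token] = IssuedItem(sku, destination)
        return token

    def verify(self, token: str, region: str) -> dict:
        """Apply the rules first; release the destination only on success."""
        item = self._items.get(token)
        if item is None:
            # Never issued: a counterfeit, a misread, or a forged identifier.
            return {"status": "unknown", "destination": None}
        item.regions_seen.append(region)
        if len(set(item.regions_seen)) > self.max_regions:
            # One physical item cannot be in three places: the mark was copied.
            return {"status": "suspect", "destination": None,
                    "regions": sorted(set(item.regions_seen))}
        return {"status": "authentic", "sku": item.sku,
                "destination": item.destination}


if __name__ == "__main__":
    issuer = MarkIssuer()
    token = issuer.issue("CHERRY-2KG", "https://brand.example/cherries/lot-42")
    print(issuer.verify(token, "Hobart"))
    print(issuer.verify(token, "Shanghai"))
    print(issuer.verify(token, "Dubai"))        # third region: suspect
    print(issuer.verify("f" * 32, "Hobart"))    # never issued: unknown
    print(resolve_qr("https://attacker.example/fake-verify"))  # QR: just trusts it
```

The point of the contrast is where the decision is made. With `resolve_qr` the printer of the code decides the destination; with `MarkIssuer.verify` the issuer decides, after consulting its own records, and a copied or invented mark gets no destination at all.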
For more information on the differences between Laava Smart Fingerprints® and QR Codes, see our handy comparison table, Laava Smart Fingerprints® vs QR Codes.
“Laava Smart Fingerprints® are designed with two things in mind: to enable better experiences, trust and transparency for consumers, and to ensure safety and security for brands,” says Laava’s Joint CEO Gavin Ger.
Fast, easy, cost effective and globally scalable
The best part is that brands, partners and platforms can get started very easily with Laava, and can scale up to full production extremely cost-effectively.
The Laava Smart Fingerprints® can even be fully white labelled, so traceability platforms, blockchain partners and NFT platforms can all issue branded Laava Smart Fingerprints® and even redirect them where needed.
Want to know more? There’s a solution for every situation. Get in touch today.
“Better image recognition software will likely make QR obsolete in a decade.”
Masahiro Hara – The inventor of the QR code (2014)
Further media references on the risks of QR Codes
There are so many stories of fake QR codes leading to consumers being duped – some more worrying than others.
- ABC News: The QR code has turned COVID-19 check-ins into a golden opportunity for marketing and data companies
- The Age: Victoria’s QR codes badly made, developers say
- Brisbane Times: The good, bad and the ugly of our hyperconnected world
- US Army: Army CID Cautions Rise in QR Code Scams
- Cyberscoop: Army warns of QR code scams amid pandemic
- Digital Rights Watch: QR codes, privacy and security
- Fox Business: Restaurant menu QR codes and the risks to your privacy