It's called quishing when a criminal gets you on the hook via a QR code and you hand over per...
It's called quishing when a criminal gets you on the hook via a QR code and you hand over personal information such as credit card details, passwords and your home address.
There are many hooks in our everyday environment today.
QR codes are found in hotels, gas stations, museums, restaurants, medical centers and many other places you trust. It takes a second for a criminal to cover a QR code with his own sticker. How would you tell the difference?
Via the fake QR code you are guided through a flow that feels like what you expect. It's just controlled by someone with nefarious intent.
The German magazine Auto Motor Sport reported earlier this week about how this affects gas stations. https://per.ax/autoqr
Imagine scanning a QR code at a charging station to start charging your electric car. You enter your credit card details and press start. But the charging doesn’t start. Because you just gave your card details to a criminal who put their own QR code sticker on the charging station.
A clever criminal will perhaps display an error message on the web page and redirect you to the real supplier, enabling you to start charging for real. In which case you may not even notice that money is being covertly withdrawn from your account until much later… or blame the charging supplier who is completely unaware…
But of course it doesn't just affect charging stations. It can happen anywhere.
Queuing systems at sampling locations increasingly rely on QR codes here in Sweden. Let's say a criminal covers this code with their own. You will arrive at a page that asks if you want to join the queue or pay the patient fee of 50 kronor in advance. You may know that you do not have to pay a patient fee. But does everyone know that? Maybe some will bite and pay.
If you join the queue, you will be directed to the correct queue. So not much to react to. And if you have paid the 50 kronor, you will then also be led to the correct queue.
The fake QR code can therefore go undetected for a long time.
As a company, do you know if someone perhaps has already covered your code and is quietly using it to create intermediate flows that steal personal data, or money? Do you have routines to check this? In some places, fake QR codes may live on year in and year out. Like a dripping data leak.
QR codes are in many cases a really, really bad idea from a security and privacy perspective. And it can be a real setback for your brand if people are duped on your premises. Or on your products.
So, do you encourage people to scan, or do you warn?
If I see a QR code in everyday life, I also see many ways to intercept and abuse it.
How did this vulnerability appear just about everywhere? It's as if QR codes have completely gone under the radar of security departments.
I will restructure this post for my blog/newsletter later, but didn't want to wait with my warning, after seeing the clear example from charging stations.