Fake QR Codes Can Expose Your Phone to Hackers. Here’s How to Protect It
You’ve likely seen at least one QR code today. They’re found on product packaging, in restaurants, and at gas stations. They look like this:
QR stands for “quick response.” Scanning the code with your phone’s camera will typically open the phone’s browser and send you to a website, or even download an instant app, for tasks like renting an electric scooter or paying at a parking meter.
You’ll find QR codes at Mineta San Jose International Airport, too. With four lots, two garages, and 2,475 total spots, it’s easy to forget where you parked at SJC. But this airport QR code can help:
Visitors can scan the QR code when they park, and it saves their location for later. Keonnis Taylor, Public Information Manager for the airport, says you can trust SJC’s QR codes.
“We use a third-party manager to monitor and manage the QR code system there,” Taylor said.
But, as QR codes are popping up everywhere — for voter registration, touchless restaurant menus, and quick app access, cyber-security experts say we need to slow down.
“It’s just another way for a hacker to get to your device,” said Alex Mosher with phone security firm MobileIron.
Mountain View-based MobileIron just polled 2,100 phone users in the United States and United Kingdom. It found 40 percent had scanned a QR code in the past week, and 53 percent would like to see more QR codes. But, 71 percent admitted they couldn’t spot a malicious QR code.
“You don’t always know when you’re scanning a QR code if it’s taking you to a site that you can know and trust,” Mosher said. “A QR code that’s legitimate, and one that’s not, tend to look exactly the same.”
Mark Kraynak, a former tech executive who lives on the Peninsula, says he fell victim. He used a small business’ QR code as part of a contact-free equipment rental process.
“It asked for a credit card, and I thought maybe that was part of the payment, but it wasn’t,” Kraynak said.
A $40 charge from somewhere in Eastern Europe appeared, instead. Fortunately, his credit card company caught the con and reversed the bogus charge.
“I was like, ‘I can’t believe I did that,'” Kraynak told NBC Bay Area. “I register for alerts on all my accounts. I tell everyone around me to do the same.”
How is this happening? Mosher says typically, thieves are creating fraudulent QR codes that they just print and paste over a “real” one, and wait for you to scan. The malicious codes can take your credit card information, or even open your phone to hackers. So, you need to check for tampering before you scan.
“It is somewhat challenging to be able to identify that,” Mosher said. “You’re sort of just relying on your own luck to be assured that you’re scanning the right code.”
Back at SJC, there’s a low-tech backstop to ensure its QR codes are OK to use.
“We have staff in our terminals and on the buses even, who check the QR codes, to make sure that stickers haven’t been peeled off or altered, and that they have not been replaced,” Taylor said.
To protect your phone from potentially harmful, malicious QR codes, experts tell us you should avoid blindly scanning QR codes. Always consider the source. If you can, inspect the code itself, to see if anyone has tampered with it.
Mosher also recommends adding security software to your phone. It’s not a license to scan random codes, but it might help block attacks.
Finally, do what Kraynak did — set up alerts with your bank and credit cards. It’s another line of defense that can help protect you from a variety of scams and identity theft.