Every second, a phishing attack takes place. In fact, over 80% of cyber attacks are a result of stolen login credentials from attacks like phishing, mostly because these attacks are cheap to carry out and succeed at a high rate. Unfortunately, this pattern will continue to grow as attackers become more sophisticated, utilizing tools such as large language models (LLMs) and QR code-based phishing attacks.
In my previous post detailing the threats of QR code-based phishing attacks, I broke down what these attacks look like and security practices to help individuals stay safe. As QR codes continue being a threat to not just individuals, but businesses as well, organizations need to approach the concept of QR codes from two important lenses: how to safely use the technology internally, and how to be mindful of them as threats from outside the organization.
QR codes within authentication approaches
As the occurrence of phishing continues to rise, organizations have been encouraged to seek out passwordless, phishing-resistant multi-factor authentication (MFA) methods to stay secure. In their journey to passwordless, some organizations are examining the efficacy of QR codes as a factor for authentication workflows.
With QR code authentication, users would present a QR code on a phone or printed badge as part of the workflow. If you follow the standard of “something you have, something you know, and something you are,” then by themselves QR codes only meet the “something you have” requirement. They would need to be paired with a biometric check or a PIN to satisfy two of the three factors.
However, an organization needs to consider how it will store this PIN/Biometric proof. Part of the goal of a passwordless model is to avoid keeping many different shared elements attached to user accounts. Storing the PIN or biometric proof data in conjunction with the encoded data in the QR code defeats this model.
At face value, QR codes may appear more secure than passwords because the human eye cannot read them, but that is security through obscurity, and security through obscurity is not true security. QR codes distributed to end users for authentication, especially those printed on visible badges, are akin to printing user IDs or passwords on those same badges.
While QR codes are difficult for humans to tell apart, they are static and easily photographed or decoded by computers. The QR code standard builds in data redundancy (error correction) in most models, so a blurry or partial photograph can be read by a computer as easily as the original.
- Attacker-in-the-Middle
QR codes rely on the same legacy authentication practices as passwords. While a QR code may appear complex, it must be transmitted and validated on a server—making it susceptible to interception and theft by a third party listening in on the wire.
- Cloning
QR codes are easy and inexpensive to clone, requiring only the presence of a smartphone camera to copy and duplicate a QR code-based credential and use it to “spoof” access to systems and data.
While any form of MFA will offer better security than passwords, not all MFA is created equal. In most situations, QR codes act as a representation of a static value or shared secret. This means that as an MFA factor, they offer less security than SMS one-time passcodes (OTPs).
Though better than OTP, QR codes have been shown to be very vulnerable to social engineering attacks like phishing, leading to account takeovers. A study by Google found that OTPs exhibited a penetration rate of 24%, meaning that under targeted attack they prevented takeover only 76% of the time. The only way to ensure employees are truly secure from these attacks is to require phishing-resistant MFA tools like hardware security keys.
QR code-based identity documents and the threat of QR code attacks
In some instances, organizations and governments are considering the use of QR codes on an identity document, printed on badges, issued on a card, or displayed electronically on a device. This use of QR codes may place identities at risk of fraud and identity theft. In some instances, short-lived QR code-based identity documents are acceptable, such as tickets to an event.
After performing identity proofing at an entrance, a QR code may be generated and encoded with the needed seat or attendee information, to be read by a disconnected device within the venue. This kind of disconnected reader model has been proposed to deal with connectivity issues within large sporting arenas. Organizations should weigh the previously covered susceptibility to replay attacks and the inherent risk of credential theft when evaluating this model.
Taking advantage of the ubiquity of smartphones, organizations are increasingly using QR codes in marketing and communications materials, including on products, in ads, for mobile ticketing, and even on business cards. By 2025, it is estimated that 99.5 million US smartphone users will scan a QR code.
Unfortunately, QR codes are also being leveraged by threat actors in a variety of ways to steal sensitive information or infect user devices with malware, including:
- Cloning
Threat actors clone an authentic QR code and redirect it to a malicious website or interaction.
- Poison the well
Threat actors replace an authentic QR code with a fake QR code, directing users to a malicious website or interaction.
- QR code phishing (quishing)
Threat actors use a QR code in a phishing email or text, otherwise known as “quishing.” September 2023 saw a 51% increase in these quishing attacks, compared to the cumulative figure for January through August 2023. In one example, enterprises were specifically targeted, including energy (29%), manufacturing (15%), insurance (9%) and financial services (6%), with a request to update Microsoft 365 account details. This attack has been successful in at least one incident leading to a network compromise.
Many of these attacks leverage brand trust, presenting fake websites designed to collect personal data or login credentials. They follow many well-established social engineering tactics, such as offering access to a perceived benefit (e.g. a loyalty club or contest) or creating a sense of urgency (e.g. log in now to prevent your account from being locked).
- Fake advertising
Threat actors will place QR codes in public areas such as the fronts of stores, bus stops or on advertisements with the hopes that people will scan them. In 2022, for example, Massachusetts State Police warned of a parking scam that used QR codes to steal bank account and credit card information.
Enterprise considerations for QR codes
Enterprises need to be aware of the growing risks associated with QR codes and their impact on cyber risk, consumer privacy and reputation. Threat actors are continually evolving their tactics. It’s up to organizations to stay informed and be aware of attacks as they grow in popularity.
- Replace single factor authentication with passkeys
Rather than migrating from one single-factor authentication method (passwords) to another (QR codes), go passwordless with passkeys.
Passkeys are the answer to the question of “how do we migrate away from passwords.” Passkeys are a new term for FIDO2/WebAuthn credentials, a standard that is replacing passwords and phishable MFA logins with more secure passwordless experiences. Device-bound passkeys on modern FIDO security keys such as the YubiKey offer the highest security assurance and provide enterprises with trusted authentication factors and attestation abilities.
- Enable strong, phishing-resistant MFA across consumer accounts
To avoid poison-the-well type attacks that leverage QR codes printed on products or in marketing materials, ensure all consumer accounts have full passkey support. Passkeys can help protect your customers by confirming that they are only used on the sites they were originally created for. They cannot be used in replay attacks, since part of the check performed is bi-directional proofing (the passkey validates the origin of the request, and the site confirms cryptographic proof of the private key by the end user). Consumers can choose to use passkey management tools built into their existing devices, like Apple and Android phones or Windows and Mac computers, or leverage a hardware security key, like a YubiKey, based on their personal risk model.
- Educate employees about QR code phishing
Update training materials to ensure employees are aware of the use of QR codes as the latest ‘lure’ in phishing attacks. Choose authentication methods that build phishing-resistant users, like passkeys, and be sure to find ways to educate your users on how passkeys protect their business accounts, and how they can use passkeys to protect their personal accounts as well.
For more information on QR code-based phishing attacks and how to stay safe, check out our last blog post here. For more cybersecurity tips and best practices, check out our blog post featuring simple tips from Yubico’s security team on improving your security posture this year here.