Silent Threats In The Squares We Trust

No photo availableCIO Africa authorByJoan Kaberia
8 min read
QR codes are not human-readable, meaning the encoded data remains a mystery until it's too late.
Photo by Dalle

What began as a niche solution for tracking inventory has since evolved into a versatile technology changing how businesses, governments, and consumers engage. They’re now everywhere—on menus, billboards, packages, and even payment platforms. QR codes have seamlessly integrated into our daily routines, offering instant access to information with a simple scan. But behind their unassuming appearance lies a potential threat.

It starts with a curious glance at a small, unassuming square on a screen, whether it’s on a billboard, a menu, or a magazine. You pull out your phone, give it a quick scan, and instantly, a world of information unfolds before you. No need for clunky brochures or long URLs. That tiny QR code seems to make everything easier. Yet, behind this seamless interaction, there’s a quiet reminder: every convenience carries its own hidden complexities. QR codes are everywhere, from advertisements to restaurant menus, even financial transactions. They offer speed and convenience, but with that simplicity comes a troubling vulnerability. QR codes are not human-readable, meaning the encoded data remains a mystery until it’s too late.

Let’s take a moment to revisit the origins of QR codes. Invented in 1994 by the Japanese company Denso Wave, a subsidiary of Toyota, QR codes were initially used to track automobile parts during assembly. Unlike traditional UPC barcodes (Universal Product Code) that could store only limited data, QR codes could hold much more information, making them ideal for a wide range of applications.

Fast forward to today, the widespread use of smartphones has made QR codes accessible to nearly everyone. From menus and promotional materials to product packaging, QR codes are now a common feature in our daily lives. However, this increased presence also brings a heightened risk of cyber threats. QR codes have become a ubiquitous feature of modern life, seamlessly embedded in everything from restaurant menus to marketing billboards, banking apps, and social media. Their convenience lies in their simplicity—scan and go. Yet, beneath this ease of use lurks a danger that few are prepared for: cyberattacks facilitated by QR code scans.

Despite the fact that QR code scams aren’t as frequently discussed as other cyber threats, they represent a growing risk that has already ensnared countless individuals. Many people don’t realise that one innocent scan can lead to data theft, financial loss, or even the full compromise of their devices.

Dr Bright Gameli Mawudor, a renowned cybersecurity researcher and blockchain intelligence expert, shed light on the threats this seemingly innocuous technology poses and how it’s being exploited, particularly in Africa and beyond. Mawudor pointed out that the greatest danger with QR codes lies in their ability to conceal malicious links. “Back in the day, somebody would trick you into clicking a suspicious link that you could at least see,” he explained. “Now, people don’t know what they’re scanning with QR codes. They’re essentially walking blindly into traps.”

QR codes have evolved into perfect tools for phishing attacks, where criminals disguise themselves as legitimate businesses to steal personal information. “You can have a QR code that redirects to a phishing page—a page that looks exactly like a trusted business but is designed to steal credentials,” Gameli added. He cited examples of fake QR codes purporting to offer delivery updates for companies like Jumia or Posta Kenya, which in reality capture sensitive details like passwords, usernames, or banking information.

They have also been linked to crypto scams, a trend growing globally. One particularly striking example he traced was a scam involving a fake video of Elon Musk, where AI was used to manipulate his lips, offering supposed crypto promotions through a QR code. “The video gained thousands of views before being taken down, and many had already fallen victim,” Mawudor revealed, highlighting how such scams can be devastating, especially given the increased trust people place in digital figures like Musk.

This digital convenience comes with a hidden asterisk. QR codes, by their nature, act as gateways to unseen destinations. A malicious actor could exploit this by replacing a legitimate QR code with a fraudulent one, leading users to phishing websites or malware traps. The threat extends beyond the digital realm as well. Imagine a fake QR code plastered over a legitimate one on a billboard, directing you to a malicious website that steals your credit card information.

In Nigeria, scammers have used QR codes to lure individuals into revealing their banking details, while in South Africa, QR code scans have led to the installation of harmful software. According to a survey on QR code security titled A Survey of Attacks and Challenges for Usable Security by Seeburger and Vidas, research has illuminated the role that human-computer interaction plays in QR code security. The problem lies in our inability to instantly distinguish between a trusted and untrusted QR code. Once scanned, many users fail to evaluate the legitimacy of the link or content, either because they are unaware of the risks or because convenience overrides caution. It’s a bit like seeing an unmarked door in a public space—you know there might be risks, but you push it open anyway, driven by curiosity and convenience. And therein lies the challenge. QR codes ask us to trust blindly, to make a leap without truly knowing what lies on the other side. Even after decoding the link, it is still difficult for users to determine the trustworthiness of the content.

This unassuming quality creates fertile ground for exploitation. Two primary attack vectors have been identified when it comes to QR code misuse: complete QR code replacement and subtle module modifications.

  1. Complete QR Code Replacement: An attacker prints a QR code containing malicious content, such as a phishing link, and sticks it over a legitimate one. The user scans the altered code, unknowingly exposing themselves to a potential cyberattack.
  2. Subtle Module Modification: This method is more complex but potentially more dangerous. By slightly altering specific modules (the tiny squares that make up a QR code), attackers can modify the destination URL without arousing suspicion.

The study by Seeburger et al. highlights the psychology behind QR code usage, particularly in urban spaces. Their research, which deployed QR code-based PlaceTagz around Melbourne, found that curiosity is the primary driver for users to interact with unfamiliar codes. The takeaway? We are drawn to QR codes not because we trust them, but because we’re intrigued by what lies behind them.

Think of it as sailing through unpredictable waters, a healthy dose of skepticism is your compass. Here are some guiding principles to keep in mind:

  • Scrutinise the source and be wary of QR codes found in random places or received from unknown senders. Trust is paramount.
  • Inspect before you scan because modern smartphones often allow you to preview the URL encoded in the QR code before you scan it. Take advantage of this feature to ensure it leads to a legitimate website.
  • Beware of the bait. If a QR code promises unbelievable deals or exclusive access, it’s probably too good to be true.
  • When in doubt, opt out. If a QR code seems suspicious, err on the side of caution and simply don’t scan it.

Mawudor calls for vigilance in our approach to cybersecurity. He reminds us to treat QR codes with caution, always verifying their sources. Basic security measures, such as using VPNs and antivirus software, act as our protective shield against lurking threats. Passwords, those crucial keys to our online presence, should be kept safe in trusted password managers rather than left to auto-fill features. And when a breach occurs, clearing our browser cache and cookies becomes essential, helping to erase any traces that could lead to further exploitation of our data.

As QR code technology continues to evolve, so too must our approach to security. Research by Katharina Krombholz et al., presented in their survey titled A Survey of Attacks and Challenges for Usable Security the importance of human-computer interaction in mitigating QR code threats. Developing user-friendly interfaces that allow for easy URL verification before scanning is a crucial step forward. Ultimately, the future of QR codes lies in striking a balance between convenience and security. By educating users, fostering responsible development practices, and embracing innovative security solutions, we can ensure that QR codes remain a powerful tool for good, propelling us towards a brighter and more connected digital tomorrow.

Mawudor’s advice is clear. “Treat QR codes like unknown links—don’t scan unless you’re certain of the source, and always double-check the destination URL after scanning. As QR codes continue to gain widespread use in banking, e-commerce, and other sectors, organizations must proactively strengthen cybersecurity measures, and users must adopt better digital hygiene.”

In Africa, where the adoption of digital platforms is expanding rapidly, he believes the potential for QR code-based scams is significant. “If we don’t act now to raise awareness and tighten security, we’ll be facing a much larger crisis in the near future,” he warned.

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co