The Shocking Truth About Using QR Codes with Customers: Is Your Business at Risk?
QR codes have become a popular marketing tool for businesses to engage with their customers. They are convenient and easy to use, which makes them an effective way to drive traffic to websites, promote products and provide information. However, QR codes also carry a real cybersecurity risk: a scanner app cannot tell a genuine code from a fake one, so businesses must take deliberate measures to protect themselves and their customers.
What are QR codes?
QR codes are two-dimensional barcodes that can be scanned with a smartphone camera to reach digital content such as a website, product information or contact details. A QR code is simply an encoding of text, most often a URL, but it can equally hold Wi-Fi credentials, a contact card or arbitrary text, and nothing in the code itself proves who created it.
QR code risks and how to mitigate them
The most significant cybersecurity threat associated with QR codes is malicious actors creating fake codes that send customers to phishing websites or to pages that push malware downloads onto their devices. Anyone can generate a code and place it almost anywhere, including as a sticker over the genuine code on a poster, a menu or a payment terminal, and a code gives the customer nothing to inspect: the destination is visible, if at all, only in the small preview the scanner app shows before opening it. Because a fake code looks identical to a real one and sits on physical material the business does not monitor, the attack is hard for the business to detect and hard for the customer to spot.
To protect themselves and their customers, businesses must control how their QR codes are generated and where they appear. Use a QR code generator or third-party service you trust, bearing in mind that no generator can make a printed code tamper-evident: what matters is the URL it encodes. Point codes at a URL on a domain you own (for example a short path on your own site that redirects to the campaign page) rather than at a public URL shortener, so the domain a customer sees in the scanner preview is recognisably yours. Be aware that many "dynamic" QR services route every scan through the vendor's own domain, so the preview shows the vendor's name rather than yours; use a custom-domain option where the service offers one. Publish codes only through channels you control (your own printed materials, your own website and app) and tell customers where to expect them. If customers know you only publish QR codes in specific places, they know which codes to trust and have reason to be suspicious of a sticker.
In addition to using trusted generators and services, businesses must ensure that the websites and mobile applications their codes lead to have appropriate security measures in place. This includes serving them over HTTPS (TLS) to protect customers' data in transit, implementing two-factor or multifactor authentication for any login, and regularly testing for vulnerabilities. If a third party records scans, it receives data about your customers (IP address, approximate location, device and time of scan), and it should encrypt that data in transit to its infrastructure, encrypt it at rest and manage the keys appropriately. If you run the redirect and analytics yourself rather than through a third party, the same controls fall to the business to implement internally.
Privacy implications are another consideration for businesses that wish to use QR codes with customers, because scan tracking collects personal data such as IP address, location and device details. To comply with GDPR, businesses should update their privacy policy to describe what data QR code campaigns gather and how it is used, and request consent for any cookies set in the process. The Data Protection Officer should sign off on the data collection and complete a data protection impact assessment (DPIA), and the processing should be entered in the organisation's record of processing activities, which is a GDPR compliance obligation.
Finally, if you use a third-party platform to manage the QR codes, secure the account with a strong, unique password and enable multifactor authentication. Limit access to the people who need to generate codes; two should be plenty (mostly to cover annual leave of the primary account holder). Integrate the account with your identity and access management system, such as single sign-on against Active Directory, so that access is restricted to authorised staff, is removed when they leave, and there is a record of who did what. Remember why this matters: a dynamic QR code resolves through a redirect the platform controls, so anyone who gains access to that account, whether a cyber criminal or a rogue insider, can change the destination URL and send every customer who scans a code already printed and out in the world to a malicious site, without touching a single poster. Where a code never needs to change, prefer a static code that encodes your own URL directly, so there is no redirect to hijack.
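The two controls above, checking that a code's destination is really yours and refusing unauthorised or off-domain changes to codes already in the field, can be expressed in a few lines. The following is an added example, not code from the original post or from any QR service. It assumes a business that owns example.com (TRUSTED_HOSTS), a small set of editor accounts, and a redirect service modelled by the hypothetical DynamicCodeRegistry class; the payload strings in the demo are constructed, as a scanner app would decode them from a sticker. The same check_payload function can be run over codes audited in the field or over a destination about to be published.

```python
"""Destination checks and change control for a QR code campaign (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hostnames the business actually controls (assumed for this example).
TRUSTED_HOSTS = {"example.com", "www.example.com", "promo.example.com"}
# Public URL shorteners: a code pointing here hides the real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


def check_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload should not be trusted (empty list = OK)."""
    problems: list[str] = []
    text = payload.strip()
    # QR codes can carry Wi-Fi joins, vCards, mail or phone actions; a marketing
    # code should be a URL and nothing else.
    if text.upper().startswith(("WIFI:", "MAILTO:", "TEL:", "SMS:", "BEGIN:VCARD")):
        problems.append("non-URL payload type")
        return problems
    parts = urlsplit(text)
    if parts.scheme.lower() != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'}, expected https")
    if parts.username or parts.password:
        # https://example.com@evil.com/...: the real host is what follows the '@'.
        problems.append("userinfo in URL (host shown to the user is misleading)")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append("no hostname")
        return problems
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode label (possible homograph of a real brand)")
    if host in SHORTENER_HOSTS:
        problems.append("public URL shortener hides the destination")
    if host not in TRUSTED_HOSTS:
        problems.append(f"host {host} is not a trusted host")
    return problems


@dataclass
class DynamicCode:
    code_id: str
    destination: str
    # (UTC timestamp, actor, destination) for every create or re-point: the audit trail.
    history: list[tuple[str, str, str]] = field(default_factory=list)


class DynamicCodeRegistry:
    """Hypothetical model of the re-pointable codes a QR service manages.

    A destination change is accepted only from an authorised editor and only if it
    passes check_payload, and every accepted change is logged with who made it.
    """

    def __init__(self, editors: set[str]) -> None:
        self._editors = set(editors)          # the two or so accounts allowed to edit
        self._codes: dict[str, DynamicCode] = {}

    def set_destination(self, code_id: str, destination: str, actor: str) -> DynamicCode:
        """Create a code or re-point an existing one; raises instead of accepting a bad change."""
        if actor not in self._editors:
            raise PermissionError(f"{actor} is not allowed to manage QR destinations")
        problems = check_payload(destination)
        if problems:
            raise ValueError(f"refusing destination for {code_id}: {'; '.join(problems)}")
        code = self._codes.setdefault(code_id, DynamicCode(code_id, destination))
        code.destination = destination
        code.history.append((datetime.now(timezone.utc).isoformat(), actor, destination))
        return code

    def resolve(self, code_id: str) -> str:
        """Where a scan of the printed code would be redirected right now."""
        return self._codes[code_id].destination

    def audit_log(self, code_id: str) -> list[tuple[str, str, str]]:
        return list(self._codes[code_id].history)


if __name__ == "__main__":
    # Constructed payloads, as a scanner app would decode them from stickers.
    for sample in ["https://promo.example.com/spring", "https://bit.ly/3abc",
                   "https://example.com@evil.com/login", "WIFI:T:WPA;S:Free;P:pw;;"]:
        print(sample, "->", check_payload(sample) or "ok")
    registry = DynamicCodeRegistry(editors={"alice", "bob"})
    registry.set_destination("poster-2024-03", "https://promo.example.com/spring", "alice")
    print(registry.audit_log("poster-2024-03"))
```

The userinfo and punycode checks exist because a scanner preview truncates long URLs, so "https://example.com@evil.com/..." and look-alike domains are exactly what a printed sticker would carry; the registry refuses them outright rather than relying on someone noticing after the fact.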
Conclusion
While QR codes are a useful marketing tool for businesses, they also pose a significant risk to cyber security. By following these recommendations, businesses can use QR codes safely and securely, without putting their customers' personal information at risk. Don't wait until it's too late - if your business is using QR codes, take action now to protect the business and your customers.
If you enjoyed this post, please consider supporting my work or becoming a free subscriber, it really helps, thank you!
If you're a business and would like to discuss consulting services, you can request a free consultation here: https://www.megabytesandme.com/services/
Thank you!