It’s a common scenario: You’re heading to a meeting in a new part of town. You’re running late, it’s raining, and there’s no parking spot in sight. Thankfully, there is street parking, so you park your car in an available spot. All you need to do is pay for a few hours and rush off to your meeting. But the parking meter (of course) no longer accepts coins. It’s the 21st century, after all.
Don’t worry, you can pay by phone. There are notices posted all over the meter with instructions on how to pay using the app, which of course you haven’t downloaded yet. The rain is getting stronger and there’s no cell signal. You’re getting more and more agitated. And then you notice a Quick Response (QR) code on one side of the meter. It’s a nice (but incomprehensible) rectangle with lots of funny rectangles and spaces. Phew! Just scan it and it will connect you instantly to a website. Scan and you’re done. That’s it. Relax.
Hmm, maybe. Or maybe not. Maybe you were in a hurry and didn’t look closely at the QR code. Was it part of the payment instructions issued by the local government? Or was it pasted on top of the official QR code? If it’s the latter, you’ve been duped.
Like David Birch’s sister. Birch is a noted expert on digital identity who tells her story on his blog. While visiting a friend, she parked her car in a public car park. “I went to look at the fare table and noticed a handy sign inviting drivers with smartphones to pay with a QR code. Scanning the code directed me to a seemingly plausible website. After giving my debit card details to what I thought was a legitimate parking company, I was fortunate to realise the website was a total scam and was able to notify my bank in time to block the transaction. But QR codes are fast becoming a favourite tool of criminals, and many other people are falling prey to these scams. One cybersecurity vendor said QR was used in one in five phishing attacks detected in the first weeks of the final quarter of last year.”
In the last few years, QR codes have become ubiquitous. For example, it is nearly impossible to board a plane without the code on your phone. Similarly, more and more train passengers now have QR codes instead of paper tickets. The COVID-19 pandemic has accelerated the spread of this technology, as has the need for contactless travel. Want to see the menu at a restaurant? Just scan the QR code.
This code is essentially a two-dimensional barcode, but it has the advantage of being able to convey a lot more information than a linear barcode, which means it’s really useful.
But they’re a security nightmare. Anyone can create one. Just go to a free online QR code generator, enter the URL you want to encode and you’ll have a magic square that you can replicate on business cards, company stationery, websites, blogs, etc. Of course, these creative opportunities are also used by bad actors, particularly scammers looking for ways to direct you to malicious websites without publishing the dodgy URL in a prominent location.
Cybersecurity experts use the term “attack surface” to describe the target area for online criminals. The rapid adoption of QR codes means that the global attack surface has expanded by several orders of magnitude. In effect, the attack surface is now infinite.
This is probably why the Federal Trade Commission recently issued a consumer warning about the dangers of the technology. Naturally, the warning also mentions parking scams, but with a focus on scams that are carried out through messaging systems. Examples include emails or text messages that contain a QR code with a plausible reason for wanting to scan it. Maybe your package couldn’t be delivered and you need to contact them to reschedule it. Or maybe there’s a problem with your account and you need to verify your personal details. Or maybe there’s suspicious activity on your bank account and you need to change your password. The key idea is to create a sense of urgency that the unfortunate victim feels when they turn on their computer or smartphone first thing in the morning. And so technology tricks us all.
What can be done? There’s not much that can really be done other than to instill a healthy skepticism in users about codes. Many smartphones let you preview the URL hidden in a particular code before opening it. There is plenty of sensible consumer advice out there, on YouTube and elsewhere. These tips include: Think before you scan. Don’t scan QR codes in emails or spam. Beware shortened URLs (Bitly, TinyURL, etc.) that hide the real address. Never give out your bank details to online services. And many more. Basically, it’s common sense.
Oh, and let’s not forget the famous dictum of the late Intel CEO Andy Grove: in the digital world, only the paranoid survive.
What I’m Reading
Receive a letter
“This is what Z looks like” is a really insightful essay about Gen Z by Timothy Burke on Substack.
Film Theory
Daniel Kipnis’s inspiring essay “Areas of interest in Poland” discusses the Oscar-winning film directed by Jonathan Glazer.
War Report
“Ukraine in dire straits” is some characteristically insightful reporting from Kyiv by Substack’s Timothy Garton Ash.





