Malicious QR codes found in Austin

Emma McGowan 14 Jan 2022

A reminder to use QR codes as navigation tools — and nothing more

As the Covid-19 pandemic made people hesitant to touch most surfaces in early 2020, QR codes started popping up everywhere. They’ve become even more ubiquitous over the past year and a half, showing up on everything from restaurant menus to mobile check-ins to supermarket displays. And now, according to a report from the City of Austin, fraudulent QR codes have been found on more than two dozen parking pay stations across the city. 

While this may be the first reported instance of attackers utilizing QR codes, the possibility of this kind of attack has concerned security experts for years.

“I’m only surprised that it has taken this long for someone to start doing something like this,” says Avast Senior Global Threat Communications Manager Christopher Budd. “Targeting the parking meters is actually a pretty smart thing to do, because a large number of people who are navigating to pay for parking don’t do it enough to know what the legitimate parking site would look like.”

Budd says that this attack will very likely lead to others like it. He points out that the attacker community is “kind of open source,” meaning they pay attention to what others are doing and build on it. Now that someone has finally utilized QR codes in this way, it’s important that everyday people be more aware and more cautious than maybe they were previously.

“It makes sense to be wary of QR codes, in general, and it’s an extra reminder that you shouldn’t be paying for things or entering information on sites you access with a QR code,” Budd says. “Treat them as navigation aids to sites that you only read, like a restaurant menu. But don’t pay for anything on a link you access through a QR code and don’t ever download any apps.”

Budd also emphasized that, while phones generally have better security than PCs, that’s only true if the phone’s operating system is up to date. An old OS may have security gaps that an attacker will exploit. 

The irony of the malicious parking pay station QR codes, according to Austin Parking Enterprise Manager Jason Redfern on Fox 7 Austin, is that the city of Austin specifically chose not to use QR codes for parking because they were advised that the codes are not secure. 

“At the end of the day, they did the right thing because the more legitimate organizations that set up legitimate QR codes for people to pay, the more people think that clicking a QR code to enter payment information is a safe thing,” Budd says. “So they are doing the right thing by not reinforcing that.”

The good news is that if you don’t want to give up the convenience — and cleanliness — of QR codes, you don’t have to. Just exercise caution by: 

  1. Making sure your phone is up to date
  2. Not paying for anything via QR code
  3. Not downloading any apps from a QR code
  4. Not entering any information on a site you access through a QR code. 

Use them as navigation tools — and nothing more — and you can stay safe from both biological and digital viruses. 
