BankThink

QR codes are revolutionary, but come with distinct security risks

From mobile check-ins at hospitality venues to digital menus at your favorite restaurants, QR codes quickly took off as the world shifted to contactless with the arrival of COVID-19.

On my last trip before travel restrictions were implemented, I was sitting in an airport cafe and prompted to order my food via my mobile phone using a QR code on the table. While I was pleased to not have to grab my hand sanitizer and touch a menu, as a longtime veteran of the security market, I couldn’t help but wonder, “How secure is this?”

However, not unlike passwords and other conveniences, QR codes come with their own set of security issues. Consumers are using the technology, yet they are painfully unaware of how insecure it is. Imagine trying to order and pay for a meal – only to unknowingly launch a chat session or update your contacts list. When used the wrong way, QR codes can expose users to malicious content, bad code and more.

One of the key considerations is responsibility. According to a recent MobileIron study, 71% of respondents could not distinguish between a legitimate and malicious QR code, whereas 67% of those surveyed were able to distinguish between a legitimate and malicious URL.

While some may interpret this data to mean stronger end user education is needed, relying on consumers to evaluate their own risk environments, reset their own data and more simply isn’t scalable. After all, the whole reason consumers are leveraging the technology is to make their lives easier – not more difficult. The onus must be on the organizations to ensure their technology is secure.

In order to protect their users, organizations must build strong authentication into their systems.

In other words, there should be no questions as to where consumers are being directed when they use QR codes to conduct transactions. The QR code should be wired into the system that it is sending consumers to, making the code itself nothing more than an end user convenience.
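One concrete way to "wire the code into the system" is for the merchant's own app to treat a decoded QR payload as untrusted input and only follow it when it is an https link to a host the organization controls, rejecting the messaging, contact-import and other phone actions mentioned above. This is an added illustration, not code from the article or from any vendor it names; the hostnames and sample payloads are constructed.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Hosts the merchant's app may direct a scanner to (constructed allowlist;
# a real deployment would list its own ordering and payment domains).
ALLOWED_HOSTS = {"order.example-cafe.com", "pay.example-cafe.com"}

# Payload prefixes that trigger non-web actions on a phone: messaging, calls,
# e-mail, contact import, Wi-Fi join. None of them belong in a menu or payment code.
ACTION_PREFIXES = {
    "sms:": "sms", "smsto:": "sms", "tel:": "call", "mailto:": "email",
    "mecard:": "contact", "begin:vcard": "contact", "wifi:": "wifi",
}


def classify(payload: str) -> str:
    """Return the kind of action a decoded QR payload would trigger on a phone."""
    lowered = payload.strip().lower()
    for prefix, kind in ACTION_PREFIXES.items():
        if lowered.startswith(prefix):
            return kind
    if lowered.startswith(("http://", "https://")):
        return "url"
    return "text"


def check_payload(payload: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether a scanned payload may be followed.

    Only https URLs whose host is on the allowlist pass; every other payload is
    rejected with a reason the app can log or show to the user.
    """
    kind = classify(payload)
    if kind != "url":
        return False, f"rejected: payload would trigger a {kind} action"
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "https":
        return False, "rejected: only https URLs are accepted"
    # urlsplit separates userinfo from the host, so a look-alike such as
    # https://order.example-cafe.com@attacker.example/ resolves to the real host.
    if parts.username or parts.password:
        return False, "rejected: credentials embedded in URL"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"rejected: host {host!r} is not on the allowlist"
    return True, f"ok: {host}"
```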

The easiest way to do so is to follow industry standards geared toward the establishment of strong authentication protocols. Take for example the FIDO Alliance. Though QR codes are relatively new and therefore not a part of the FIDO specifications, following these guidelines will provide organizations with a blueprint for success. More specifically, they will help organizations mitigate the risk of malicious code injection and maintain consumer convenience – all at a scale that will accommodate increased reliance on the technology.

By holding themselves accountable and following smart standards, organizations will be able to provide consumers with strong security and peace of mind the next time they swap those paper menus for a set of scannable squares on their phone.
