How Secure are QR Codes for Mobile Banking?

While QR codes have been around for over twenty years, the proliferation of mobile devices with camera technologies has pushed their relevance in the marketing space to near ubiquity.  It is now quite easy to generate a QR code and incorporate it into a poster or print ad in a public space and capture “passive” interest and potential customers – it takes mere seconds to scan a code, follow a URL, and get engaged.  Here in the Financial Services practice, we’ve put together proof-of-concepts for our customers that generate codes linking to back-end systems offering iOS passes or other digital coupons – in a perfect world, scanning the code for such a “prize” is quite simple.  But where is the security?

By design, a QR code is machine readable.  A human has no way of discerning what URL or other piece of data is embedded in the code without scanning it – and to further complicate matters, URL shorteners are often used to collapse a long address into something terse like http://sho.rt/url, which obscures the real destination.  Again, I (as a QR scanner) don’t necessarily know whether that address leads where it should or to a phishing/malicious site.  We have been (or should be!) conditioned not to follow URL links we don’t know or cannot quickly verify – yet there is an assumption with QR codes that we should follow them blindly.

As a social experiment, I constructed two posters with QR codes and placed one in a prominent location in each of the Blackstone offices in Arlington.  The posters featured nothing besides a Blackstone logo and a QR code.  The QR codes were not linked to URLs hosted on a local network, so I used the URL shortening service to obscure the endpoint – and still had almost one-third of the denizens in a single office follow the link (enticing them to Engage!) without knowing what was waiting at the other end.  In this case it was nothing malicious, just a note thanking the visitor for their participation – but it could have been worse.

So how does a user protect themselves in this situation – or how can financial institutions provide security to their customers, letting their customers know which QR codes to trust?  The answer seems to lie in a first-party or “certified” QR scanner – such that my Bank embeds a scanner into the mobile banking app. The customer would then scan a bank-provisioned QR code, and the Bank’s scanner would tell the user whether it is trusted.  Valid URLs could be verified by simply referencing a whitelist of safe URLs, or through additional layers of security depending on the requirements of the Bank.  In any scenario, the scanner and mobile app could provide a thumbs up or down indicating whether it’s safe for the customer to continue by opening the link.  The cost of development time and possible licensing of QR recognition software would be a small price to pay if QR codes could be trusted more fully, as trust breeds adoption, and QR codes present a terrific opportunity for banks to increase engagement with customers using increasingly dynamic, context-aware, and personalized content.
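As an added example (not code from the original post or from any bank’s app), here is the whitelist check an in-app scanner could run on a decoded QR payload before giving the thumbs up or down. It also covers the shortener problem from earlier: a shortener host is rejected because the scanner cannot see the real destination. The bank domains, the shortener list and the sample payloads are constructed for illustration; the check only accepts `https`, rejects URLs carrying user info (which can make `https://www.examplebank.test@evil.test/` look trusted at a glance), and matches hosts exactly or as subdomains of an allowlisted zone rather than by substring.

```python
"""Allowlist check for URLs decoded from a QR code inside a banking app.

Added example; hosts, shorteners and payloads below are constructed.
"""
from urllib.parse import urlsplit

# Hypothetical bank-controlled hosts. A plain entry must match exactly;
# an entry starting with "." also accepts any subdomain of that zone.
BANK_ALLOWLIST = frozenset({"www.examplebank.test", ".offers.examplebank.test"})

# Shorteners hide the real endpoint, so the scanner never follows them.
# "sho.rt" is the example from the post; "tiny.test" is constructed.
KNOWN_SHORTENERS = frozenset({"sho.rt", "tiny.test"})


def host_allowed(host: str) -> bool:
    """True if host is on the allowlist (exact, or under a '.zone' entry)."""
    for entry in BANK_ALLOWLIST:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def classify_qr_url(payload: str) -> tuple[bool, str]:
    """Return (trusted, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname      # lowercased, no port, no userinfo
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        # Reject outright: the part before '@' is not the host, but a
        # user would read it as one on a small screen.
        return False, "userinfo in URL"
    if not host:
        return False, "no host"
    if port not in (None, 443):
        return False, "non-standard port"
    if host in KNOWN_SHORTENERS:
        return False, "URL shortener hides the destination"
    if host_allowed(host):
        return True, "host on bank allowlist"
    return False, "host not on bank allowlist"


def verdict(payload: str) -> str:
    """What the app would display next to the decoded link."""
    trusted, reason = classify_qr_url(payload)
    return ("THUMBS UP: " if trusted else "THUMBS DOWN: ") + reason


# Constructed sample payloads, as a scanner might decode them from posters.
SAMPLE_PAYLOADS = [
    "https://www.examplebank.test/offers/spring",
    "https://promo.offers.examplebank.test/coupon?id=123",
    "http://sho.rt/url",
    "https://sho.rt/url",
    "https://www.examplebank.test@evil.test/login",
    "https://www.examplebank.test.evil.test/login",
    "https://www.examplebank.test:8443/",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{p}\n    {verdict(p)}")
```

Only the first two payloads get a thumbs up; the look-alike host, the shortener, the userinfo trick and the odd port are all rejected with a reason the app can show the customer. A real deployment would fetch the allowlist from the bank’s backend and could add a signed token to the QR payload as the “additional layer” the post mentions.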

-Ryan Tighe (