Date: 2022-06-14

PETALING JAYA: Quick response (QR) codes are great for saving time and are sometimes the best way to share information. However, cybersecurity experts have warned users to be on high alert when the link prompts them to instal unauthorised apps on their mobile phones or key in personal data.

Cybersecurity company LGMS Bhd chairman and cybersecurity consultant Fong Choong Fook said the public must be careful when scanning a QR code in public places.

Whether outside a restaurant, building or at an ATM, these codes can be replaced by hackers.

“If the QR code shows you a menu or website, it can usually be trusted. You are okay as long as you do not key in personal information such as identification card numbers, home addresses, passwords or instal any apps from unauthorised links.

“Hackers and scammers can replace the QR code with a fake one. Our firm has done security testing at a bank where we placed fake promotional lucky draw codes in front of an ATM and we were able to successfully trick people into scanning the code. Our tests showed that the majority of ATM users gave out their usernames and passwords.”

He said this shows the bank the dangers of having QR codes at ATMs, and justifies their removal.

eSecurity and Privacy Channel and Cybersecurity Malaysia founder Assoc Prof Datuk Dr Husin Jazri said as long as the QR code is professionally designed and unique, it can represent the right attributes and fulfil its intended purpose.

“It should be properly tested before being put into operation so that the link correctly (directs) to the intended destination. Scammers or hackers can hijack a QR code indirectly by swapping the original one with a new one that redirects the link elsewhere.

“Users should always check whether the QR code takes them to the right destination before confirming or accepting QR code transactions,” he told theSun.

He added that it is the same as the “phishing technique” that is used by hackers or scammers to let the target believe that he is going to the right destination.

Agreeing with Husin, criminologist Shankar Durairaja said cybercriminals can exploit this technology through both physical and digital QR codes.

“Cybercriminals can direct users to malicious sites to steal their data, embedding malware to gain access to a victim’s device and redirect payments.

“Usually, scanning the fake QR code would lead victims to malicious sites that are designed to obtain a victim’s bank account details, credit card information or other personal data.”

However, Shankar said cybercriminals cannot access the data directly through the QR codes.

“These criminals can only access data when the users key it in on the fake websites linked to the malicious QR code.”