As QR code scanning increases, fraudsters seek to exploit it through “quishing”. Short for QR code phishing, quishing sees criminals attempt to insert themselves into the scanning process through fake links.
Co-founder and CTO Ravi Pratap Maddimsetty said Uniqode has been preparing for the QR code boom for years. A former open-source hacker, Pratap said quishing is simply phishing adapting to new technology.
Uniqode was founded in 2019 as the founders sought ways to connect the physical and digital worlds. With phones having Bluetooth, NFC, GPS and cameras, there are many connection points.
The QR code resurgence explained
The company focuses on QR codes, which have made a resurgence of late. Pratap said Apple’s decision to make the camera a QR code reader by default removed the friction of having to download an app. That was the first step.
The COVID-19 pandemic knocked usage out of the park. The masses got used to scanning QR codes for many reasons.
Quishing follows a familiar pattern. When email became popular, criminals found success in getting victims to reveal personal information through phishing links. Texted links were an update of the scam for cell phones.
“What we’re seeing with quishing is a natural extension of the channels that reach regular consumers,” Pratap said. “It started off with email, then went into short URLs and short links on Twitter. QR codes are a natural extension of that, because they are essentially short URLs.”
Uniqode ensures anyone using its technology who scans a QR code isn’t directed to a quishing site. Clients get a properly branded experience where scanned QR codes are run through risk APIs along with malware and phishing detectors.
“If we detect that you did something malicious, we’ll shut down that QR code immediately,” Pratap said. “We will prevent people from scanning; we won’t send people to that destination.”
Why financial institutions are prime quishing targets
Financial institutions are prime targets for several reasons, beginning with the one Dillinger supposedly gave: that’s where the money is. Beyond that, they rely on a wealth of physical materials, so QR code opportunities are abundant.
“Banks worry about this because login information and things like that are very sensitive,” Pratap said. “Someone could use a phishing website or web page to get access to someone’s login and password for their bank account.”
Credit scammers for their creativity. Pratap said a common method is to put QR codes on parking meters that encourage digital payments. However, instead of paying for your spot, you’re donating money to a criminal. High-traffic areas like malls and subway stations are other targets.
How Uniqode works
Companies can fall victim in common ways. Several departments may visit different online QR code generators, leaving the company disorganized. They come to Uniqode for a trusted, single system.
“If you’re using five or six different platforms, you have no way of knowing which QR code is in which product, and you don’t get consistency,” Pratap said. “You can’t guarantee security.
“When you sign up, we give you a dedicated account and a login. You get a single user interface to generate your codes, along with tracking and analytics.”
Each client’s Uniqode QR codes use a customized domain name. Pratap likens it to the assurance of sending an email to a familiar domain.
If a client needs to change the destination, the QR codes can be easily edited.
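The customized-domain assurance described above can be enforced in software, for example in a scanner app or mail gateway that checks each decoded QR payload before opening it. The following is an added example, not Uniqode's code; the domain qr.examplebank.com, the function name and the rejection rules are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: every QR code the organisation issues resolves under this
# branded domain. "qr.examplebank.com" is a constructed placeholder.
TRUSTED_QR_DOMAINS = {"qr.examplebank.com"}


def check_qr_payload(payload, trusted=TRUSTED_QR_DOMAINS):
    """Return (ok, reason) for the text decoded from a scanned QR code."""
    text = payload.strip()
    # Control characters and backslashes are parsed differently by
    # different clients, so the host we check may not be the host visited.
    if any(ord(c) < 0x20 or c in "\\\x7f" for c in text):
        return False, "control character or backslash in payload"
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (text before '@' is not the host)"
    if port not in (None, 443):
        return False, "unexpected port"
    host = (parts.hostname or "").rstrip(".")
    if not host.isascii():
        return False, "non-ASCII hostname"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label in hostname"
    # Exact match or a true subdomain. A bare endswith(d) would also
    # accept "notqr.examplebank.com".
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return False, "host outside trusted domain"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    samples = [
        "https://qr.examplebank.com/p/abc",
        "https://qr.examplebank.com@pay.attacker.example/",
        "https://qr.examplebank.com.attacker.example/login",
        "http://qr.examplebank.com/p/abc",
    ]
    for s in samples:
        print(check_qr_payload(s), s)
```

A check like this only confirms the code points at the branded domain; the destination behind it still needs the risk and phishing screening the article describes.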
Too often in tech, we see the latest wave take off before security catches up. It’s different with QR codes, as Pratap and his team have been prepared for this moment for six years.
“QR codes will keep growing, you will see them everywhere,” Pratap vowed. “It’s easy to say you don’t have to worry about this, but what happens very quickly is you can have chaos.”