Story image

Malaysians urged to use caution when scanning QR codes

01 Feb 2018

As QR code readers are becoming popular in Malaysia through the likes of WeChatPay and Alipay eWallets, Quann Malaysia is warning that scammers have quickly caught up.

The company says that scammers have now started using fake quick response (QR) codes to steal both data and money from people.

QR codes are used across the web and in restaurants, advertisements, retail outlets and other locations to provide information about a business.

They are also being used in Malaysia’s online payment ecosystem for retail consumers, however Quann Malaysia general manager Ivan Wen says that attackers are quickly using QR codes for their own purposes.

“There’s a rising number of cases where criminals have been sticking their own codes over a business’ original one to steal the scanner’s data or access the scanner’s smartphone to tap into their bank account.”

Because it is often difficult to tell original and malicious QR codes apart, Wen warns that businesses should check to make sure malicious codes are not on their websites or merchandise.

Wen says that QR codes are a normal method of mobile payment in China’s Guangdong province, however one case involved the theft of approximately RM55 million through restaurant scams.

The People’s Bank of China has since started regulating QR code daily spending limits and it requires all payment vendors to gain a licence before offering QR payment facilities to customers.

“As more mobile payment platforms look to enter the Malaysian market, it is important that users and merchants both exercise the necessary precautions to ensure both parties do not lose money or data to similar scams,” Wen adds. 

In restaurants, QR codes are not regularly changed, allowing attackers to take control. Those codes can also be used to infect mobile devices with viruses that can allow criminals to steal money from a mobile wallet, or can infect the device with ransomware.

Scammers can also replace genuine QR codes with malicious ones that direct victims to malicious websites. If users enter personal information, it can be used as part of phishing emails laden with malware.

“The impact of mobile malware could be devastating as the hacker can access your private information as well as your phones camera to spy on you. We advise users to be cautious when scanning QR codes,” Wen says.

Although there is often no way to tell between a genuine and fake QR code, Quann offers the following tips:

· Before scanning a QR code, observe the collateral for any signs of tampering such as a sticker placed on a printed menu or pamphlet

· Look out for pixelated images and logo as well as spelling mistakes to identify fake collaterals 

· Use a secure QR code scanner that can flag malicious websites and show the actual URL before scanning the code 

· Do not key in any personal information after scanning a QR code 

· Be wary about scanning a code in public places, like transportation depots, bus stops or city centres even if it’s on a printed poster.

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.
Red Box gains compliance boost with new partnership
By partnering with Global Relay, voice platform provider Red Box is improving the security of its offerings for high-value and risk voice data.