Crying wolf over QR codes? Coinbase’s Super Bowl ad sparks infosec debate

A Super Bowl ad last week from cryptocurrency platform Coinbase featured a bouncing QR code that ruffled feathers in the cybersecurity community. Some experts say the risks of scanning it may have been overblown.

The most controversial part of a Coinbase ad during Super Bowl LVI had nothing to do with cryptocurrency, at least in many infosec circles. Instead, it was the company’s decision to display a simple QR code that kicked off a furious Twitter debate that stretched into the week. The fear was that convincing curious Super Bowl viewers to scan mysterious QR codes could make them more likely to visit malicious web pages.

The complaints about Coinbase’s televised QR code make sense when viewed through the lens of security professionals who spend a not-insignificant amount of time trying to convince people not to visit unknown websites, open strange files or spill company secrets.

“I understand the frustration,” Kevin Haley, director of product management for security response at Broadcom Inc., told README in an email. “We’ve spent 20 years trying to teach people to think before they click a link in an email. And with limited success. Now we have something else to educate end-users on.

“But I don’t see QR codes going away, no matter how much security professionals dislike them,” Haley added.

Given that they’re here to stay, how much should average users worry that a malicious hacker could use QR codes to compromise their accounts? Most QR codes are little more than dressed-up links: the code encodes a URL, and the risk is whatever that URL leads to. Just as you shouldn’t click a link from an unknown source, security experts warn against engaging with random QR codes.

“There’s always potential for mischief with something like this,” Jesse Varsalone, associate professor for computer networks and cybersecurity at the University of Maryland Global Campus, told README. “With anything that makes something this easy, there’s always some potential for bad things to happen.”

The FBI issued a warning about malicious QR codes in January. “Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic,” the bureau said. “However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.”

Trend Micro reported in February that cybercriminals have used QR codes to steal money from people looking to park their cars, convince folks to install counterfeit cryptocurrency wallets and compromise account credentials. Apps devoted to creating or scanning QR codes have also been used to spread malware.

Varsalone pointed out that some services allow people to access their accounts with little more than a QR code. He cited the Discord messaging platform, which lets users sign into new devices by scanning a QR code generated on a device they’ve already connected to their accounts.

“If my phone’s unlocked, or you have a way to unlock that phone, that QR code gives you power to get into my Discord and see all my correspondence,” he said. “You can log in without even knowing my username or my password.”

Clearly there is some truth to the idea that people shouldn’t blindly trust a QR code. But what about the Coinbase ad in question?

It wasn’t a random code affixed to a parking meter, taped over a restaurant menu or sent in an email. It was part of a Super Bowl commercial that, according to The Sporting News, cost Coinbase nearly $14 million to air and underwent many layers of careful vetting.


Would the potential risk of visiting a website advertised during the Super Bowl have been reduced if Coinbase had just shared a link instead? What if the company used a URL shortener to reduce “https://coinbase.com” to something like “coinba.se”? It might be easier to convince people to visit malicious pages using a shortened URL, since the full URL isn’t usually displayed until the website has already been loaded.

The same can’t be said of QR codes. Recent versions of iOS and Android both display the link a QR code encodes and wait for a tap rather than loading the page automatically. That gives people a chance to recognize a malicious QR code before it dupes them into sharing their data, credentials or money. The check has a limit, though: the preview shows the URL encoded in the code, not where that URL ultimately leads, so a shortener or redirector inside the code still hides the final destination, and a lookalike domain (a familiar brand name on the wrong domain or with a swapped character) can pass a quick glance.
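The two points above, that a QR code is just an encoded link and that the scanner’s preview is the moment to inspect it, can be turned into a concrete triage routine. The following is an added example written for this page; it is not code from Coinbase, Apple, Google, the FBI or Trend Micro. It does not decode images (that would need a scanner library); it takes the decoded text a scanner app would show in its preview and applies the checks a cautious reader would apply to a link in an email: non-web payloads, plain http, an IP literal instead of a domain, punycode or non-ASCII hosts, a shortener that hides the real destination, the `https://brand@evil` userinfo trick, and hosts that contain an expected brand name without being that brand. The shortener list, the expected brand host coinbase.com and the sample payloads are assumptions constructed for the demo.

```python
"""Triage a decoded QR payload before the link is opened.

Added example for this article, not code from any product it names.
Input is the text a scanner would display; output is a list of reasons
to distrust it. An empty list means nothing suspicious was found, not
that the destination is safe.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed list of shortener hosts whose preview shows only the first hop.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly"}

# Brand the viewer expects to land on (assumption for the demo).
EXPECTED_HOSTS = {"coinbase.com"}


def host_matches(host, expected):
    """True if host is exactly `expected` or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def triage_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return {'kind': 'url'|'other', 'host': str|None, 'warnings': [str]}."""
    text = payload.strip()
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # WIFI:, tel:, SMSTO:, geo:, app schemes, plain text, javascript:, data:.
        # The risk here is joining a rogue network or dialing a number, not a
        # web page, so do not treat it as a link at all.
        return {"kind": "other", "host": None,
                "warnings": [f"not a web link (scheme {parts.scheme or 'none'!r})"]}

    warnings = []
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases hostname

    if parts.username is not None or parts.password is not None:
        # "https://coinbase.com@evil.example/" actually goes to evil.example.
        warnings.append("userinfo before '@' hides the real host")
    if parts.scheme == "http":
        warnings.append("plain http: no TLS, form data travels in the clear")
    try:
        ip_address(host)
        warnings.append("IP-literal host instead of a domain name")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized host: possible homograph of a familiar name")
    if host in SHORTENERS:
        warnings.append("URL shortener: preview shows this hop only, not the destination")
    for brand in expected_hosts:
        token = brand.split(".")[0]
        if token in host and not host_matches(host, brand):
            warnings.append(f"host contains {token!r} but is not {brand} or a subdomain")
    return {"kind": "url", "host": host, "warnings": warnings}


# Constructed sample payloads, as a scanner would decode them (not real codes).
SAMPLES = [
    "https://www.coinbase.com/superbowl",          # what a legitimate ad would encode
    "https://bit.ly/example",                       # hypothetical short link
    "http://coinbase.com.verify-login.example/",   # lookalike host, no TLS
    "https://coinbase.com@192.0.2.7/wallet",        # userinfo trick plus IP host
    "https://xn--conbase-9za.com/",                 # constructed punycode-style label
    "WIFI:T:WPA;S:FreeStadiumWifi;P:hunter2;;",     # not a link at all
]


def triage_all(payloads=SAMPLES):
    """Triage every sample; returns payload -> result."""
    return {p: triage_qr_payload(p) for p in payloads}


if __name__ == "__main__":
    for payload, result in triage_all().items():
        flag = "OK  " if not result["warnings"] else "WARN"
        print(f"[{flag}] {payload}")
        for w in result["warnings"]:
            print("       -", w)
```

Run as a script it prints one line per sample with its warnings; `triage_qr_payload` is the reusable part. The brand check only fires when the viewer has an expectation (here coinbase.com), which is exactly the situation of an ad: you know who the code claims to be from, so a host that merely contains the brand name is the thing to distrust.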

The FBI and Trend Micro offered similar advice regarding malicious QR codes: People should verify the authenticity of a page loaded via QR code before entering personal information, avoid third-party QR code apps that might contain malware and install software from trusted sources rather than from an unknown website.

If that sounds familiar, well, it’s because it mirrors advice for avoiding phishing attempts or malicious software, regardless of the technology in question. Coinbase didn’t endanger the estimated 101.1 million people who watched Super Bowl LVI; it just annoyed or perplexed them with a technicolor QR code that led to a page that wouldn’t even load because it got so much traffic.

Should people be wary of malicious QR codes? Yes. They’ve been used in real-world scenarios to steal everything from Microsoft 365 credentials to cryptocurrency. But should people refrain from scanning QR codes altogether? Probably not. Skepticism is warranted; total avoidance is not. These are just graphical links — and those haven’t gone anywhere.

“We all have plenty to worry about today,” Haley said. “I’m not sure QR codes would make my top 10 list. I think it’s appropriate to be aware and cautious, but it’s not the end of the world. There are plenty of bigger risks out there.”