Shall Not Be Infringed |
^^^If you're already there, it may be too late...
____________________________________________________________
If Some is Good, and More is Better.....then Too Much, is Just Enough !! Trump 2024....Make America Great Again! "May Almighty God bless the United States of America" - parabellum 7/26/20 Live Free or Die! | |||
|
Peace through superior firepower |
Yeah, that's all there is to it. Foolish people usually aren't worried. You appear to have not the first clue of the ways this stuff can bite you. I have a tech background, but what do I know?
https://www.forbes.com/sites/f...you/?sh=40aa8ecb51d1
"I don’t scan QR codes, and neither should you, especially if you care about cybersecurity.
A QR code is a two-dimensional barcode that is readable by a smartphone with a camera or a mobile device with a similar type of visual scanning technology. It allows the encoded image to contain over 4,000 characters in a condensed, machine-readable format and was designed as a rapid method to consume static content based on a specific task.
Once a program generates a static QR code (as opposed to a dynamic QR code that can change fields like a URL), that code cannot be modified to perform another function. Surprisingly, that is not the source of cybersecurity risk, even for dynamic QR codes. The risk is in the content itself that has been generated and potentially displayed for an unsuspecting user to scan. Once they do, it can be the prelude to an attack.
To dive a little deeper, a QR code can contain the following risks:
Contact details: A QR code is similar to a virtual business card or VCD file that includes all your contact details such as phone number, email address and mailing information. This information is automatically stored in the device’s contact list when scanned. If the data is malicious, it could trigger an exploit on the device or place a rogue entry in your phone for your favorite airline or credit card.
Phone: Scanning a QR code automatically loads or starts a phone call to a predefined number. With all the recent robocall and SIM-jacking attacks, this is another method for a threat actor to access your phone and identity. You are basically calling someone you do not know and handing over your caller ID information.
SMS: Scanning a QR code initiates a text message with a predetermined contact by name, email address or phone number. The only thing the user needs to do is hit send, and you could potentially reveal yourself to a threat actor for SMS spam attacks or trigger the beginning of a SIM-jacking attack. A little social engineering is all it takes to convince the user to hit the send button.
Text: Scanning a QR code reveals a small amount of text in the code. While this seems low risk, QR codes are not human-readable and unless you scan one, you have no idea that the contents are actually just a text message.
Email: Scanning a QR code stores a complete email message with the subject line and recipient. All that is required is to hit send, and this could be the beginning of any form of phishing or spear-phishing attack. The threat actor knows your email address because you validated it by hitting send to an unknown destination.
Location coordinates: Scanning a QR code automatically sends your location coordinates to a geolocation-enabled application. If you are concerned about your data and location privacy, why would you ever do this?
Website or URL: Scanning a QR code can automatically launch and redirect you to a website. The contents could contain malware, an exploit or other undesirable content.
Calendar event: Scanning a QR code automatically adds an event to the device’s calendar, with the option of a reminder. Outside of a vulnerability in the local calendar application, the contents may be unwanted in a business or personal calendar, and deleting a recurring meeting is an annoyance if it was improperly entered.
Social media profile: Scanning this type of QR code initiates a “follow” for a specific profile on sites such as Instagram or Twitter, using the scanner’s personal profile. Depending on the social media platform, the account being followed may have access to your personal information and be aware that you are following them.
Wi-Fi network: This QR code stores Wi-Fi credentials for automatic network connection and authentication. If you consider all the threats of open Wi-Fi networks and even closed networks that use WPA2, the introduction of an unknown or insecure network to your preferred list is just a bad idea.
App store: Scanning links to a page directly on an app store can make an application simple to download. While this is convenient, the listing could be malicious (especially on Android devices) or could be a spoofed page using an embedded URL to trick you into loading an unsanctioned malicious application. Your best bet is to always navigate to an application yourself and not rely on a hotlink.
Finally, let's address dynamic QR codes. These codes are generated once, but the data stored on them can be edited at any later date. They can include password protection and embedded analytics so creators can track how they are used. Dynamic QR codes can even add simple logic such as device-based redirection to have different behaviors for Apple iOS devices versus Google or Android. For example, based on the device, they can be redirected to the appropriate app store or music library. That alone allows a threat actor to target device and application exploits to specific assets to ensure a higher rate of success.
If you are ever out and about and see a QR code on a wall, building, computer screen or even a business card, do not scan it. A threat actor can easily paste their malicious QR code on top of a real one and create their own copies, and based on appearance, you have no idea if the contents are safe or malicious.
To that end, I never scan QR codes, and neither should you." | |||
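
As an added illustration of the payload types listed in the article quoted above (this code is not from the forum post or from the Forbes article), a scanner-side preview can classify the decoded text and flag URL oddities before anything is opened. The function name, category labels, warning checks and sample payloads are assumptions constructed for this example; the MECARD, MATMSG, SMSTO and market: prefixes are common QR conventions that the page itself does not name.

```python
import ipaddress
from urllib.parse import urlsplit

# category -> (what a scanner app would do, payload prefixes matched case-insensitively)
KINDS = {
    "contact": ("save a contact entry", ("BEGIN:VCARD", "MECARD:")),
    "calendar": ("add a calendar event", ("BEGIN:VCALENDAR", "BEGIN:VEVENT")),
    "wifi": ("save and join a Wi-Fi network", ("WIFI:",)),
    "phone": ("start a phone call", ("TEL:",)),
    "sms": ("draft a text message", ("SMS:", "SMSTO:")),
    "email": ("draft an email", ("MAILTO:", "MATMSG:")),
    "location": ("open coordinates in a map app", ("GEO:",)),
    "app_store": ("open an app store listing", ("MARKET:",)),
}
APP_STORE_HOSTS = {"play.google.com", "apps.apple.com"}


def preview_qr_payload(payload: str) -> dict:
    """Describe what a decoded QR payload would do, without doing it."""
    text = payload.strip()
    for category, (action, prefixes) in KINDS.items():
        if text.upper().startswith(prefixes):
            return {"category": category, "action": action, "warnings": []}
    plain = {"category": "text", "action": "display plain text", "warnings": []}
    try:
        parts = urlsplit(text)  # the scheme comes back lowercased
    except ValueError:  # malformed bracketed host
        return plain
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return plain
    host, warnings = parts.hostname, []
    if parts.scheme == "http":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("userinfo before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible look-alike domain)")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary domain name
    category = "app_store" if host in APP_STORE_HOSTS else "url"
    return {"category": category, "action": f"open {host} in the browser",
            "host": host, "warnings": warnings}


# Constructed sample payloads (not taken from any real QR code).
SAMPLES = ["WIFI:T:WPA;S:CafeGuest;P:example-pass;;", "tel:+15555550100",
           "http://menu.example.com@192.0.2.10/menu", "Table 12"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preview_qr_payload(sample))
```

The third sample shows why the displayed text of a URL is not enough: the part before `@` looks like a menu site, while the host actually contacted is the IP address after it.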
|
Member |
It's important to consider the viewpoint of the businesses as well. Anytime there's a menu change it costs time and money to reprint and restock everything vs making the changes on the digital copy. In addition the majority of diners are OK with scanning QR codes and the younger generations actually prefer it. The servers don't have to collect menus and if you're a glutton like me sometimes I want to order more and I can just pull up the menu without having to flag a server down and wait for them to bring me a physical one. It is also helpful when I want to order takeout and I already have the PDF saved on my phone. I like a physical menu as much as anyone here and for any restaurant that is focused on the dining experience it's an absolute must. I've yet to go to a restaurant that doesn't offer a physical menu if I don't want to scan a QR code. As for security I have semi sensitive data on my phones and zero issues. | |||
|
Member |
I'm old school. No QR codes. No self checkout. When I go to a drive thru Teller at the Bank there had better be a real person on the other side of the glass and not a Video monitor. For everybody that embraces this technology, I'm happy for you. I'm not judging but I don't need it. | |||
|
Thank you Very little |
QR codes have a place, they do work, can provide access to all kinds of good things, instructions, directions, menus. Interesting they were developed to track production in Japan, basically a better bar code as you could get more information and the QR could direct your device to more information. Like any tech, it can be used to deceive, you just have to be careful what you're using it for. But to simply think that all QR codes are safe isn't smart, just as presuming clicking on any link in a post, email, text is safe. | |||
|
Raised Hands Surround Us Three Nails To Protect Us |
This 100%!! I hate places that have them as the menu. I refuse to use them and so far every place has been able to provide me a physical menu. ———————————————— The world's not perfect, but it's not that bad. If we got each other, and that's all we have. I will be your brother, and I'll hold your hand. You should know I'll be there for you! | |||
|
Raised Hands Surround Us Three Nails To Protect Us |
Then you absolutely have no idea all the information about you that your phone is constantly collecting. ———————————————— The world's not perfect, but it's not that bad. If we got each other, and that's all we have. I will be your brother, and I'll hold your hand. You should know I'll be there for you! | |||
|
Member |
Mark of the beast… ______________________________________________ Life is short. It’s shorter with the wrong gun… | |||
|
The success of a solution usually depends upon your point of view |
To be clear, this thread is about using your smart phone to scan a QR code, not about having a QR code displayed on your smart phone that gets scanned like a boarding pass, ticket, or to claim a discount. That doesn’t carry the risk because the phone is sending data (the QR code) out, not taking data in.
For those who think not having sensitive data on your phone is the answer, you might not understand the question. Let's use the menu QR on the table as an hypothetical example:
Using a picture of the menu QR code that I took earlier I can create and print a similarly sized QR code of my own with a clear piece of laminate sized to cover the entire sticker on the table. In seconds I can overlay my QR code over the real QR code and nobody is going to notice it. When you scan my QR code, you get taken to a website I created that looks half-assed official and has a big button in the center labeled MENU. When you click the menu button it redirects you to the actual website that has the menu and you figure out what you are going to order. What you don't know is that when you clicked on the menu button you also allowed a little subroutine into your phone that changes some settings and gathers some information.
Got your phone hooked up to your car's entertainment system? Now I know what kind of car you drive. Got the OnStar type of service on your car with the app? Now I can find your car, unlock it and start it. I can follow you home without leaving my keyboard. I will know when your car is away from your house and more importantly, know when it is heading back to the house.
Got a map app on your phone? Now I can track your location. You think that you have location services turned off but when you clicked on the menu button the program you let in turned location services on and told your phone to send data bundles every 24 hours to me. Now I know that you leave for work around 5:00 am everyday and since you drive a Cadillac Escalade it's a good bet that if I need some cash at 5 in the morning I know where to find it.
You are smart so you log out every time you access Facebook, e-mail, on-line banking, or Amazon, from your phone. But that same program you told your phone to run now remembers your account credentials and sends them to me.
You can think there is no risk to scanning QR codes. You would be wrong, but you can think it. Just like CC skimmers, any technology can and will be perverted by someone. The more beneficial the technology can be, the more likely someone will figure a way to use it to take advantage of people who are using it. I use my CC regularly and have never had my data skimmed, but skimmers being found at gas stations are regularly reported in the news. At least my CC company will cover any loss from criminal activity.
ETA: and in this example, if I chose to pass on using your info because you don't look like the return would be worth the time, you may never know it.
“We truly live in a wondrous age of stupid.” - 83v45magna "I think it's important that people understand free speech doesn't mean free from consequences societally or politically or culturally." -Pranjit Kalita, founder and CIO of Birkoa Capital Management | |||
|
Author, cowboy, friend to all |
Golly jeez wiz Para, I don't even have a cell phone, thought I was the only one let out of all the important stuff. | |||
|
Member |
Aren't permissions to access device functionality like you described tied to the OS and would require an actual user authorization vs. auto executing without user permission at the root/OS level? In addition don't web browsers operate in virtual sandboxes designed specifically to prevent exactly this from happening? | |||
|
Peace through superior firepower |
That's freedom. We really did a number on ourselves when we embraced cellphones. If the technology had stopped in, say, 2005, before the advent of smartphones, we would be better off. There is real value in being able to call emergency services from the roadside, or send a text message or two but with smartphones, it's gotten out of hand. Anyone under the age of 30 or so simply cannot imagine life without their electronic pacifier. | |||
|
So let it be written, so let it be done... |
I recently forgot my cell phone when I went to work. Some of my younger co workers could not believe I wasn't going home immediately to get it... I told them that somehow I made it the first 33 years of my life without a cell phone, so no, I wasn't going to go get it. 'veritas non verba magistri' | |||
|
Down the Rabbit Hole |
Phones like the Blackberry were designed for end users. Modern smartphones are designed for big data. Our data. This is why Blackberry never had a chance once the iPhone was released. It WILL become mandatory to conduct day to day business at some point. Everyone remembers when Walmart rolled out the self checkouts. Soon after that, only 1 or 2 backed up lanes were available with real humans manning the registers. Either wait in line for 30 to 45 minutes to checkout with your gallon of Ice Cream or use the self checkout. We have a local Sonic that does a ton of business. We've noticed half of the ordering screens are out of service most of the time. This is because people are using the Sonic App. Diligentia, Vis, Celeritas "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." -- George Orwell | |||
|
Member |
^^^^^^^^^^^^^^^^ Yeah Sonic and Walmart two places I avoid. The high end restaurants still have waiters and I rather doubt that will change. The local hardware stores do fine with a register. Not all things will change. The flying cars have not arrived yet. | |||
|
Fire begets Fire |
I agree about the pernicious nature of our modern smart phones. I have sons that are just under 30 and my youngest was the first generation to have an iPhone w access to everything. That being said, he is quite aware of the situation and understands what it’s done to his generation. I bet he has more comments on this than we do. They didn’t create this mess. We did. Same for the damn goober schools. "Pacifism is a shifty doctrine under which a man accepts the benefits of the social group without being willing to pay - and claims a halo for his dishonesty." ~Robert A. Heinlein | |||
|
Thank you Very little |
I remember driving a friend's car one day, had a cell phone in it, he was a realtor, asked me not to use it as it was super expensive, used it anyway as I was picking up a date that evening and anything to show off! I think it had a rotary dial. Similar to this
Cell phones did open up communications, killed the payphone industry, we all thought how great this access was, little did we know how intrusive it would be. Imagine it's all similar to how radio changed our access to world information and advertising, then TV, Internet, Cell Phones. The same old stuff just in a different package. Easy to eliminate, just get a flip phone and inexpensive non data plan phone and Bob's yer uncle. | |||
|
The success of a solution usually depends upon your point of view |
Yes and No. Apple does a better job at sandboxing than Android does but the idea behind the sandbox is to keep one app from accessing another app's data. Malicious software running off of the phone's OS doesn’t have that constraint. The way the malware is written determines what if any prompts you see or don't see. The pop ups you see and the permissions you accept are only there because the app store policies require the app developer to write them into the app in order for the app to be listed in the app store. The "Menu" button in my example should really say "go ahead and install this software". Don't confuse apps and malware. Google "malware in text messages" and you will find examples of the current trend by scammers of installing malware on your phone by getting you to click on links in text messages. The text link started out as simple phishing but has evolved into malware.
“We truly live in a wondrous age of stupid.” - 83v45magna "I think it's important that people understand free speech doesn't mean free from consequences societally or politically or culturally." -Pranjit Kalita, founder and CIO of Birkoa Capital Management | |||
|
Down the Rabbit Hole |
I don't look for the high end restaurants to change much either, at least for a while. Maybe paying/tipping with your smart phone instead of a CC. To be honest, I really wouldn't care so much about using smart phones for many day to day transactions if I trusted these Tech Companies. I don't. A local Gym opened recently in the closest small town in my area. They require users to use their app. for entrance. A sign on the door says "Anyone entering without using the app. will have their membership terminated". A few months ago, I went to a Red Med for Blood Pressure meds. after my NP retired. They refused to see me unless I filled out the paperwork online with my smart phone using the link they texted to me. Needless to say, I walked out. Diligentia, Vis, Celeritas "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." -- George Orwell | |||
|
Lighten up and laugh |
I refuse to use one at a restaurant, and servers are always annoyed. Oh well. | |||
|