
Hello. So, I'm Jack Wise. I'm a SOC analyst at Strip O. I got into cyber through a boot camp called CAPSLOCK; if you don't know it, that's a four-month online boot camp that teaches you the very basics of how the cyber industry works.

So why am I here? I thought about this last year. I came last year for the first time and I said I was going to do a talk this year, knowing that it's definitely outside my comfort zone, and now I'm here. These are the words that I thought of when I thought about doing a talk. I've seen people like Joe Wells talk about our young people and their safety, and Ryan Pullin talk about the infinite game. Ryan Pullin was [inaudible] here when he was talking, and now I work for [inaudible], so I should hopefully have done something right, and that's where "achieve" comes from.

So the QR code conundrum is about how, since Covid, there's been an uptake in the use of QR codes, and how we need to mitigate the use of them. They're not going anywhere any time soon, they're super useful, and we need to find a way of making them safer for us to use going forward.

They were created by a company called Denso Wave, who are a Japanese automotive company. They were using barcodes on their car parts to track them through the factory. They were using up to five barcodes for one part, and because none of these barcodes, or even the car parts, were a similar shape or size, they were having difficulty scanning them and it was slowing them down. One of their engineers was playing this game that I have no clue how it works, which resembles a QR code, and he thought of storing information in a grid, because the conventional barcode that we use in shops cannot store as much information. He took this back, and a while later they created the QR code, which we know to be the Quick Response code.

What did they do with this information? They made it free to use but sold the scanners, so monopolising the QR code industry for a very short period of time, until we had the first smartphone which could read a QR code, and that was made by Sharp. Now we all have a QR code scanner in our pocket. We all know how to scan them, and even our grandparents probably know how to scan them now. Since Covid, trying to get into anywhere without scanning a QR code is pretty much impossible. So imagine going into a shop, restaurant, café: scanning a QR code, sitting down, never speaking to a human. That's what we all do, that's what I do, I love it, but
it's our reality now. But do we really think about what we're scanning? What's behind that QR code? Is the QR code real? Yes, they're sometimes on a sign, a bit of plastic, or the wall, but I'm going to show you how quite quickly you can make a scam of your own, and that is the car park scam.

This is such an easy scam to make. I've done it myself and I'm going to show you how to make one. Don't throw anything at me for this, but I used to be a car park warden, and no, that is actually quite fun, until people start throwing stuff at you. Car parking is quite a weird sort of thing: you're getting a service, but are you getting it? You sort of get it, maybe. You pay for it and hope you get it, and if you get a ticket it's a couple of weeks down the line. So this can be great, because by the time I've scammed this car park I've moved on to the next one. Do this a couple of times a day and you've got a career out of it, so if anyone's looking to quit their job it's quite a good one.

So here is my car park QR scam. I've done it start to end and I gave myself one hour to do it. I did this because of course I could have spent weeks on it and it would have been perfect, but I wanted an imperfect system that's going to work and make me money; it just needs to fool people that are in their daily life doing their daily things. So I picked this. I'm from Swindon, and this is a car park from Swindon. It's quite popular, the coin machines are always out of order, which is a good thing for me, and they don't have card readers. It's run by a company called RingGo, and they advertise pay-by-mobile with their QR codes on these very badly maintained machines, which is perfect for me.

First I did my reconnaissance. I went to RingGo and replicated their business as much as I could: took the fonts, colours, wording, anything I could to try and replicate it. But I don't want to spend much money on this either; I'm trying to make money, not spend money, so I'm using the cheapest way possible, and that is Wix. It's quick, it's easy, it's simple, we don't need this to be complicated, and I only need the mobile site. I'm not expecting someone to be carrying their laptop round with them (probably some of us would), but in a car park people are going to be on their mobile, it's going to be quick, and no one's really thinking if they're in a rush. So I bought a generic domain for a pound, and that was my total spend on this little task, and then linked it to this mobile site. This is the site that I built, with the QR code that is now disconnected but did work. I did not go and put any QR codes anywhere, because I'm not that brave. But as you can see, it's okay; it would fool someone quite quickly if they're in a rush, I think. It replicates, using their... it's copyrighted their images and all the rest of it, so I think that would work for now. Imagine spending two, four, six weeks on this: I think you can make it very good, and you'll probably be making in the hundreds by day one, I would think, if you did this in a few car parks. And of course my QR codes would be very prominently placed, and no one's going to go looking for another QR code if there's one right in front of you; you're just going to scan it. They're not going to initially think it's a scam.

Recently we've seen the train companies start peeling off the extra stickers and checking them. How long's that going to last? A week? Who's going to actually listen to the management about checking QR codes on their walls every single day? It's not
going to happen; they're not paid enough to do it as well. I wouldn't. I'd do it for a couple of days, probably, if I was in that sort of role, and then give up.

So we need to look towards mitigation strategies, and this is just a starter list. These are ones I thought of on the fly, and these are ones that are being used today. I've split them here into business and... Businesses are creating an app; they're trying to make it so QR codes are not being used, and that is one way, but it's not going to be the only way, because we've got to think it's not just car parks. It's job ads on the back of a van that could be harvesting your credentials, anything like that, and vans would be even better: just jump in a car park, you've got 100 vans, stick a QR code on the back of each one, and then you've got everyone's bank details. We can check for tampering; again, as I said, it's not going to be used. And educating others about the scam, but no one's going to check each time, because it's like checking your car before each trip. I don't know who jumps in the car and checks it all around, checks all the tyres and brakes and everything before they go out. Who's got the time for that? Again, it's just a time matter.

Then the best way, I think, and how I do it, is independently finding these websites. I don't scan QR codes, even the sponsors' out here; I just don't trust the QR codes. If we can just independently find these things, using things like location codes we independently put into the app, that may help. Ultimately it is going to be the education. It's not us that we're targeting this at, it's the people that are not so savvy; they don't know about the QR code scams, and there's hundreds of stories online. There's over 120 people that were scammed out of their bank accounts in six months, so that's such a huge amount of people, and usually it's people in the 40s to 70s sort of range that are probably not looking at this in their daily life. Why would they? They've got other interests, other jobs, things like that.

But that's when we're out and about. What about when we're in the office? We've got apprentices, we've got juniors, we've got anyone that's only just come into the company. I myself deal with QR codes 20 times a day when I'm working in client environments, all this MFA through Microsoft, but that can be manipulated as well. So this is a very high-level overview of this tool called SquarePhish, and what it does, in an okay way, is it just copies our Microsoft Authenticator. If you've seen a QR code like this, I've used these a lot and they're pretty much part of my daily life, but they can be used maliciously with the help of SquarePhish. It starts with an email like this, and it doesn't start the actual authentication part, which lasts 15 minutes, until this is scanned. So this is a pretty good scam: it can sit in your inbox, and we're not starting until this is scanned. Then, once this is scanned, it's going to send a code that can be put in either through this link or through the QR code, and then it's going to be constantly polling for the user authentication, and we've got 15 minutes for this to work. Again, send this out to 100 companies several times a day and this is going to work as well as the QR code scam. It's like any scam: it's not going to work every time, but it's going to give you a good amount of time. Then once they've entered the code, it all looks... obviously it does look a bit off, we know it looks off, but again, working in a rush, it's going to work eventually, and then we get a token. With people that are smarter than me, that know how to penetration test (I'm fully in defence, and I've tried penetration testing, but I'm not smart enough for that), it allows them to progress and do things like lateral movement and get into their system.

So the point of this is to think before you scan. We're a long way from safety with QR codes; Covid's only made that 100 times worse, but if we can try and educate others, hopefully someone will not be scammed tomorrow. And that is not a scam, that is my L... Thank you.
[Applause]

Any questions?

Audience member: There's also redirection, of course: you scan your code, it looks right, but you can be [inaudible] on the way.

Jack: Yeah, so there's hundreds of possibilities that we could do with QR codes.

Audience member: [inaudible] lots of QR codes on university [inaudible]?

Jack: Yeah, I've seen hundreds. I started to take pictures of every single one I'd seen to try and include in this presentation, but by the end of the day I'd seen too many and I was like, no, this is not going to work. There's one for everything. It's not going to end; they're super useful, at the end of the day they're great. It's not a bash on QR codes, because they work really well. So yeah, we just need to try, and there are companies out there that are trying to make apps for authentication and things, but this needs to be built into your mobile, into the camera, because we're not going to go to another app when our camera just scans it. It's built into iOS now. We just need to find easy ways. Have we got any secure apps? There's one being developed by... I spoke to a company, I think Joe sent it to me, a startup. There you go. That's the only one I've seen.

Audience member: The name?

Jack: Okay, Koala, also. Yeah, so we need to try. Are people going to download them, are they going to use them? It's going to be obviously a lot harder to get them integrated into... I don't know how it works myself right now, but it's something I'm definitely invested in. Anything else?

Audience member: What do you think the future of QR codes is going to be?

Jack: I think they're going to keep on going bigger and better, and it's just going to be this forever, but we just need to try. It's like when I'm working in the SOC: I can't stop people doing what they're doing. People go to all these free gift websites and don't get free gifts and then ask me why I've locked their computer down. We're just going to be continuously defending it, I think. So we need to find more tools, more ways of trying to defend ourselves and others against using these, in corporate life and in our general life.

Audience member: Regarding the MFA one, does it work if you scan the code directly?

Jack: No. It has to be scanned with a camera, or click the link through the email, for this to work. It's quite a basic tool, but it's on GitHub, all of it's on GitHub, so you search SquarePhish and there's a lot on there to read. It's quite interesting.

Audience member: With the default [camera], when I scan a [code] it brings up a bubble with the URL, and I click it to go to it. So would that prevent that from happening? Because I'd scan it, it would come up with a very shady domain name and pretty much stop me like that.

Jack: Possibly. We'd have to see. I don't use Android, I've never used Android, so that's a thing; I've always been on iPhone. It'd be interesting to see. There'd be a lot more testing, testing how it works and seeing where we can go with it, but I think Android will be the first one to defend against it, unfortunately.

Audience member: Yes, I think I can just add to it, because as part of my dissertation research I was also exploring the QR... yeah, how it works in Android. The bubble essentially just focuses on the top-level domain and the main actual domain. Even with a free Wix website you get like random digits, wix, slash... so it just focuses on the first part and then hides the entire thing. So if you can masquerade the URL to look genuine in the first, maybe the first or second, subdomains and then just put anything after that, it completely hides that, so it defeats the purpose and you can easily bypass through it. That was one of the ways we kind of designed to mitigate, again from the users, to actually observe the URL and say "this is not..."

Jack: Yeah, I think it's really quite easy to continue to scam with QR codes. Thank you.

Audience member: [inaudible] the internet [inaudible].

Jack: Yeah, turn it all off, we'd all be jobless. Thank you very much.
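The Android URL-bubble point made in the Q&A (the preview shows only the start of the host, so a brand name placed in a subdomain or path looks genuine) can be checked the other way round: judge the registrable domain, not the first label. This is an added defender-side example, not code from the talk, SquarePhish, or any vendor; the suffix list, the "examplepark" brand and its domain, and the sample URLs are all constructed placeholders, and real tooling should use the actual Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List; multi-label suffixes come first
# so that "co.uk" is matched before "uk". Real tooling should use the actual PSL.
KNOWN_SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "uk")

# Hypothetical brand -> genuine registrable domain mapping (placeholder values).
BRANDS = {"examplepark": "examplepark.co.uk"}


def registrable_domain(host: str) -> str:
    """Return the label a user should judge: the one directly left of a known suffix."""
    host = host.lower().rstrip(".")
    for suffix in KNOWN_SUFFIXES:
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            owner = host[: -len(suffix) - 1].rsplit(".", 1)[-1]
            return owner + "." + suffix
    return host  # unknown suffix: treat the whole host as the registrable domain


def assess_qr_url(url: str, brands: dict = BRANDS) -> dict:
    """Split a decoded QR URL into the part that matters and flag brand-name masquerading."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is text the site owner chose freely.
    subdomains = host[: -len(reg) - 1] if host.endswith("." + reg) else ""
    path = parsed.path.lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("not https")
    for brand, genuine in brands.items():
        if reg == genuine:
            continue  # really is the brand's own domain
        if brand in subdomains:
            findings.append(f"'{brand}' only appears as a subdomain of {reg}")
        elif brand in reg:
            findings.append(f"lookalike domain {reg} is not {genuine}")
        elif brand in path:
            findings.append(f"'{brand}' only appears in the path under {reg}")
    return {"host": host, "registrable_domain": reg, "subdomains": subdomains, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs: a genuine one, a subdomain masquerade, a cheap site-builder page.
    for sample in ("https://examplepark.co.uk/pay/1234",
                   "https://examplepark.co.uk.pay-example.com/pay",
                   "http://user12345.wixsite.com/examplepark-parking"):
        result = assess_qr_url(sample)
        print(result["registrable_domain"], result["findings"])
```

The second sample is exactly the case described above: the host begins with the genuine-looking "examplepark.co.uk", but the registrable domain is "pay-example.com".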