Diana has written this week’s “Wednesday Bit” on QR Codes.
Last week I became aware of a significant problem with QR codes, which are used by many organisations and individuals to direct people to their websites or sales pages. Such codes have been in use now for many years. (BizTechReports, 2024)
However, QR codes can also be used by authenticator apps in the multifactor authentication process and they therefore contain sensitive personal information. The codes can be stored in email, cloud storage and messaging apps used in the enrolment process.
Although the problem is not widely known yet, it could become a problem in the future as bad actors work out how to access the information contained in the millions of codes generated so far. For example, Google Authenticator has been supporting QR codes for 12 years.
Accessing the data could be as simple as leaning over somebody’s shoulder and photographing the QR code being used for authentication.
A fix has been developed which will require everybody to re-enrol using new secure codes. These codes would be dynamic and only sent to the authenticator app. Software vendors will have to develop and deploy this, but the cost to industry could be vast in terms of staff time.
Identifying all the users affected by this would be very diffcult, as there could potentially be hundreds of millions of these codes out “in the wild”.
As we become aware of the vendors developing the fix, we shall notify those of our clients using that software. Other companies like ours will be doing the same thing, but it is likely that some clients are using software of which we are unaware. Please arrange for us to conduct an audit of your systems and software so that we have an up-to-date understanding of your exposure to risk.
We can then help users to re-enrol using the secure fixes provided by the software vendors.
If we start identifying what users have used multifactor authentication for, we can start to quantify the issues within our client base.
Smart Thinking – we do the research so you don’t have to!
Diana Catton MBA – by line and other articles
References
BizTechReports. (2024). Silent Sector Advises IETF of Major Vulnerability Related to QR Codes Used to Enroll Two-Factor Authentication Processes — BizTechReports. https://www.biztechreports.com/news-archive/2024/9/26/silent-sector-advises-ietf-of-major-vulnerability-related-to-qr-codes-used-to-enroll-two-factor-authentication-processes
Further Reading
Scan It! – QR Codes – CyberAwake
Featured photo by Pixabay