Coinbase Super Bowl marketing stunt prompts debate over QR code security
Experts are torn over QR codes and whether the cyber security threat they theoretically present is actually enough to warrant genuine concern in real-world scenarios
Cryptocurrency trading platform Coinbase was downed by its own Super Bowl advert on Sunday when a huge influx of users flocked to the site after the advert used a QR code to direct onlookers to its free Bitcoin promotion.
Mimicking the classic DVD standby screen in which a logo bounced around a screen, Coinbase's own riff on the idea saw a QR code bounce around for 60 seconds, directing users to its site, where it is currently offering $15 in Bitcoin to all newly registered accounts, with the offer expiring on 15 February.
However, a large number of individuals scanning the code led to a volume of traffic too heavy for the platform to handle, ultimately forcing its app offline.
"Coinbase just saw more traffic than we've ever encountered, but our teams pulled together and only had to throttle traffic for a few minutes," said Surojit Chatterjee, chief product officer at Coinbase via Twitter.
"We had over 20 million hits on our landing page in one minute," he added. "That was historic and unprecedented. We also saw engagement that was six times higher than our previous benchmarks."
There are fears around QR codes because of the hidden nature of the web services they conceal. Some experts believe the codes should not be trusted fully due to the potential for hijacking by cyber criminals.
"QR code technology is safe in itself, but as reliance on it grows, cyber criminals are taking note," said Anna Chung, principal researcher, Palo Alto Networks Unit 42 to IT Pro. "These codes could offer an entryway to potential cyber attacks because they don’t provide visibility into the webpage, application etc. behind them.
"Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more which provides cyber criminals with opportunities to insert themselves into the process."
Others feel the concern around the technology is overblown and the real-world threat to individuals in normal scenarios is relatively low.
"It's important not to get too carried away by the threat of QR codes," Chris Boyd, senior threat researcher at Malwarebytes told IT Pro. "Some examples exist of victims connecting scammers to their bank accounts via apps, and you can easily find explanations of how to create payloads tied to QR scanning.
"However, any encounter with a bogus code is likely going to involve steering people to phishing pages. Some phones display links in advance of visiting, and even if they don't, standard phishing caution advice applies."
The conversation around the use of QR codes has become more pressing in recent years as industries such as hospitality resorted to using the technology to facilitate at-table ordering in outdoor dining scenarios, for example.
As recently as January 2022, the Federal Bureau of Investigation (FBI) issued a public service announcement alerting people to the dangers of scanning codes found in seemingly innocuous locations out in the world, and how these can be misused by cyber criminals.
The announcement followed reports a week earlier that QR codes designed to direct drivers to a fake parking payment website had been appearing more often in Austin, Texas, specifically on parking machines.
"HTTPs isn't a guarantee that the site is legitimate because HTTPs certificates are freely available," said Boyd. "Any site reached from a code in the street or elsewhere should be verified with the company you assume you're dealing with before entering login or banking details."
Coinbase responded to the discussions taking place immediately after the advert's success, saying security "is super important to us", pointing users to a direct link and warning them that if the link didn't come directly from the company, it could be a scam.