Coinbase Super Bowl marketing stunt prompts debate over QR code security

Experts are torn over QR codes and whether the cyber security threat they theoretically present is actually enough to warrant genuine concern in real-world scenarios

Cryptocurrency trading platform Coinbase was downed by its own Super Bowl advert on Sunday, when a huge influx of users flocked to the site after the advert used a QR code to direct onlookers to its free Bitcoin promotion.

Mimicking the classic DVD standby screen in which a logo bounced around a screen, Coinbase's own riff on the idea saw a code bounce around for 60 seconds and directed users to its site where it is currently offering $15 in Bitcoin to all newly registered accounts, with the offer expiring on 15 February.

However, a large number of individuals scanning the code led to a volume of traffic too heavy for the platform to handle, ultimately forcing its app offline. 

"Coinbase just saw more traffic than we've ever encountered, but our teams pulled together and only had to throttle traffic for a few minutes," said Surojit Chatterjee, chief product officer at Coinbase via Twitter.

"We had over 20 million hits on our landing page in one minute," he added. "That was historic and unprecedented. We also saw engagement that was six times higher than our previous benchmarks."

While considered a success at Coinbase, the incident sparked online discussions in the cyber security community around the implications involved with using QR codes.

Fears around the technology centre on the hidden nature of the web services the codes conceal. Some experts believe the codes should not be fully trusted due to the potential for hijacking by cyber criminals.

"QR code technology is safe in itself, but as reliance on it grows, cyber criminals are taking note," said Anna Chung, principal researcher, Palo Alto Networks Unit 42 to IT Pro. "These codes could offer an entryway to potential cyber attacks because they don’t provide visibility into the webpage, application etc. behind them.

"Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more which provides cyber criminals with opportunities to insert themselves into the process."

Others feel the concern around the technology is overblown and the real-world threat to individuals in normal scenarios is relatively low. 

"It's important not to get too carried away by the threat of QR codes," Chris Boyd, senior threat researcher at Malwarebytes told IT Pro. "Some examples exist of victims connecting scammers to their bank accounts via apps, and you can easily find explanations of how to create payloads tied to QR scanning.

"However, any encounter with a bogus code is likely going to involve steering people to phishing pages. Some phones display links in advance of visiting, and even if they don't, standard phishing caution advice applies."

The conversation around the use of QR codes has become more pressing in recent years as industries such as hospitality resorted to using the technology to facilitate at-table ordering in outdoor dining scenarios, for example.

As recently as January 2022, the Federal Bureau of Investigation (FBI) issued a public service announcement alerting people to the dangers of scanning codes found in seemingly innocuous locations out in the world, and how these can be misused by cyber criminals.

The announcement followed reports a week earlier that QR codes had been appearing more often in Austin, Texas - specifically on parking machines - designed to direct drivers to a fake parking payment website.

"HTTPS isn't a guarantee that the site is legitimate because HTTPS certificates are freely available," said Boyd. "Any site reached from a code in the street or elsewhere should be verified with the company you assume you're dealing with before entering login or banking details."

Coinbase responded to the discussions taking place immediately after the advert's success, saying security "is super important to us", pointing users to a direct link and warning them that if the link didn't come directly from the company, it could be a scam.
