Coinbase Super Bowl marketing stunt prompts debate over QR code security


Cryptocurrency trading platform Coinbase was downed by its own Super Bowl advert on Sunday, when a huge influx of users flocked to the site after the advert used a QR code to direct onlookers to its free Bitcoin promotion.

Mimicking the classic DVD standby screen in which a logo bounced around a screen, Coinbase's own riff on the idea saw a QR code bounce around for 60 seconds, directing users to its site, where it is currently offering $15 in Bitcoin to all newly registered accounts. The offer expires on 15 February.

However, a large number of individuals scanning the code led to a volume of traffic too heavy for the platform to handle, ultimately forcing its app offline.

"Coinbase just saw more traffic than we've ever encountered, but our teams pulled together and only had to throttle traffic for a few minutes," said Surojit Chatterjee, chief product officer at Coinbase, via Twitter.

"We had over 20 million hits on our landing page in one minute," he added. "That was historic and unprecedented. We also saw engagement that was six times higher than our previous benchmarks."


While considered a success at Coinbase, the incident sparked online discussions in the cyber security community about the implications of using QR codes.

The fears centre on the hidden nature of the web service a QR code conceals. Some experts believe the codes should not be fully trusted because of the potential for hijacking by cyber criminals.

"QR code technology is safe in itself, but as reliance on it grows, cyber criminals are taking note," said Anna Chung, principal researcher, Palo Alto Networks Unit 42, to IT Pro. "These codes could offer an entryway to potential cyber attacks because they don’t provide visibility into the webpage, application etc. behind them.

"Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more which provides cyber criminals with opportunities to insert themselves into the process."

Others feel the concern around the technology is overblown and the real-world threat to individuals in normal scenarios is relatively low.

"It's important not to get too carried away by the threat of QR codes," Chris Boyd, senior threat researcher at Malwarebytes, told IT Pro. "Some examples exist of victims connecting scammers to their bank accounts via apps, and you can easily find explanations of how to create payloads tied to QR scanning.

"However, any encounter with a bogus code is likely going to involve steering people to phishing pages. Some phones display links in advance of visiting, and even if they don't, standard phishing caution advice applies."

The conversation around the use of QR codes has become more pressing in recent years as industries such as hospitality resorted to using the technology to facilitate at-table ordering in outdoor dining scenarios.

As recently as January 2022, the Federal Bureau of Investigation (FBI) issued a public service announcement alerting people to the dangers of scanning codes found in seemingly innocuous locations out in the world, and how these can be misused by cyber criminals.

The announcement followed reports a week earlier that QR codes designed to direct drivers to a fake parking payment website had been appearing more often in Austin, Texas, specifically on parking machines.

"HTTPS isn't a guarantee that the site is legitimate because HTTPS certificates are freely available," said Boyd. "Any site reached from a code in the street or elsewhere should be verified with the company you assume you're dealing with before entering login or banking details."

Coinbase responded to the discussions that took place immediately after the advert's success, saying security "is super important to us", pointing users to a direct link and warning them that if the link didn't come directly from the company, it could be a scam.

Connor Jones
News and Analysis Editor