Coinbase Super Bowl marketing stunt prompts debate over QR code security

Experts are torn over QR codes and whether the cyber security threat they theoretically present is actually enough to warrant genuine concern in real-world scenarios

Cryptocurrency trading platform Coinbase was downed by its own Super Bowl advert on Sunday, when a QR code in the advert directing onlookers to its free Bitcoin promotion sent a huge influx of users to the site.

Mimicking the classic DVD standby screen in which a logo bounced around a screen, Coinbase's own riff on the idea saw a code bounce around for 60 seconds. The code directed users to its site, where it is currently offering $15 in Bitcoin to all newly registered accounts, with the offer expiring on 15 February.

However, the large number of individuals scanning the code generated more traffic than the platform could handle, ultimately forcing its app offline.

"Coinbase just saw more traffic than we've ever encountered, but our teams pulled together and only had to throttle traffic for a few minutes," said Surojit Chatterjee, chief product officer at Coinbase, via Twitter.

"We had over 20 million hits on our landing page in one minute," he added. "That was historic and unprecedented. We also saw engagement that was six times higher than our previous benchmarks."

While considered a success at Coinbase, the incident sparked online discussions in the cyber security community about the implications of using QR codes.

The fears centre on the fact that a QR code hides the web service it points to. Some experts believe the codes should not be fully trusted because of the potential for hijacking by cyber criminals.

"QR code technology is safe in itself, but as reliance on it grows, cyber criminals are taking note," Anna Chung, principal researcher at Palo Alto Networks Unit 42, told IT Pro. "These codes could offer an entryway to potential cyber attacks because they don’t provide visibility into the webpage, application etc. behind them.

"Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more which provides cyber criminals with opportunities to insert themselves into the process."

Others feel the concern around the technology is overblown and the real-world threat to individuals in normal scenarios is relatively low. 

"It's important not to get too carried away by the threat of QR codes," Chris Boyd, senior threat researcher at Malwarebytes, told IT Pro. "Some examples exist of victims connecting scammers to their bank accounts via apps, and you can easily find explanations of how to create payloads tied to QR scanning.

"However, any encounter with a bogus code is likely going to involve steering people to phishing pages. Some phones display links in advance of visiting, and even if they don't, standard phishing caution advice applies."

The conversation around the use of QR codes has become more pressing in recent years as industries such as hospitality have resorted to the technology, for example to facilitate at-table ordering in outdoor dining scenarios.

As recently as January 2022, the Federal Bureau of Investigation (FBI) issued a public service announcement alerting people to the dangers of scanning codes found in seemingly innocuous locations out in the world, and how these can be misused by cyber criminals.

The announcement followed reports a week earlier that QR codes had been appearing more often in Austin, Texas - specifically on parking machines - designed to direct drivers to a fake parking payment website.

"HTTPS isn't a guarantee that the site is legitimate because HTTPS certificates are freely available," said Boyd. "Any site reached from a code in the street or elsewhere should be verified with the company you assume you're dealing with before entering login or banking details."

Coinbase responded to the discussions taking place immediately after the advert's success, saying security "is super important to us", pointing users to a direct link and warning them that if the link didn't come directly from the company, it could be a scam.
