Last night during the Super Bowl, cryptocurrency company Coinbase ran an ad that featured a QR code bouncing around the screen. That’s it. No actors, no voiceover, just some retro 8-bit Pong-like motion. Scan the code and you were given a link to the Coinbase site…which apparently crashed under the load.
It took all of a few minutes before a friend in the cybersecurity space got on a private email list and railed about the security implications associated with presenting a QR code to, well, a large chunk of the American citizenry. I don’t know if you’ve met most people, but they’re not very security conscious. Probably even less so after a few adult beverages.
Was he right to raise this as an issue?
The resistance we often face in security is in large part because of the lens through which we view the world. That seems obvious to the point of stupidity, but it needs to be declared up front because there is no such thing as a “security business.” Even security companies are not in the security business, they’re just in business.
In the context of security, no, people should not scan random QR codes. What does that mean in practical terms? Well, scanning the QR code at the restaurant or bar you’re visiting so you can view the menu is probably fine. Yes, nothing stops someone from planting a malicious code on a placard that looks like it belongs to the restaurant…except the fact that it would be replaced as soon as it was clear it wasn’t working. Also, why go through the trouble to compromise the device of a rando?
But is the risk the same for a Super Bowl ad? No, no it is not. At $14m a pop for that ad’s placement, the odds of that code being malicious are zero…unless that $14m is the down payment on the world’s largest ransomware attack against gridiron football fans. One estimated to bring in orders of magnitude more than $14m. You know: if the adversary in question was a Bond villain.
But back to the point of context: the purpose of an advertisement is to pique interest and get viewers to act (scan the code, open up an account). Malice – depending on your personal view of the wisdom of cryptocurrency as a form of investment – doesn’t enter into the equation. This isn’t a threat, it’s commerce.
This same thinking applies to every business and every business process. The goal is efficiency and effectiveness. Sometimes that may increase risk. That doesn’t make the process bad, it just becomes another thing to be managed and mitigated.
If you do this stuff for a living, by all means take the time and effort to assess the threat and calculate the risk. But don’t forget to put everything into the proper context. It will save you a lot of grief, build good will with the people who think you’re an overhead drag, and help you envision solutions that will work in the real world, not the notional one where people place security over revenue.