Coinbase Won the Super Bowl of Marketing. America Failed the Super Bowl of Security

Nametag Team
Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Coinbase made an estimated $14 million punt on the audience giving in to curiosity and scanning a QR code flashing across a TV screen - and it worked. The next day they reportedly went from 186th to 2nd on the App Store, with a surprising surge in users that seemingly brought down their web site. It was also a security nightmare.

Their approach was not that different from a scammer who sends an email or SMS asking you to click on a link to claim a reward. We’re all fortunate that this link went to a reputable company like Coinbase instead of inviting malware that would have infected America faster than Omicron. 

Where did we go wrong? Just as you shouldn’t click on a link in an email you weren't expecting, you shouldn’t scan a QR code without at least knowing what you expect to happen. It’s OK to scan a QR code when you see one - just be smart about who put it there, who is asking, and what you expect to happen next. Context always matters, and it especially matters in the realm of cybersecurity.

There's nothing wrong with scanning a QR code on your TV, so long as you can trust it. Viewers had no idea who or what the ad was for, until a Coinbase logo flashed for a few brief seconds at the end of the commercial. In this instance, we trusted both NBC and Coinbase to provide a secure interaction, but what if the QR code had been compromised? How do we know NBC did their diligence before broadcasting a QR code to the entire world?

QR codes themselves are still the best thing to come along since the domain name. Most other countries in the world use QR codes as a core part of everyday life - from shopping, to sharing contact information, to ordering in restaurants.  Businesses in the US made significant advances during the pandemic to embrace this easy-to-use technology out of necessity, with some calling it the greatest comeback of the decade. It’s no longer uncommon to have a QR code on a vaccination pass, in place of a restaurant menu, or on the back of an item in the grocery store. 

At Nametag, we’re big believers in the potential of QR codes. Last week we introduced a way to use QR codes to replace username and passwords when you sign in to websites and apps. When coupled with the security features of modern Android and Apple devices, QR codes finally allow us to upgrade our digital lives and replace passwords, for good.

The missing ingredient in online safety is identity: we’ve replaced the password with security that revolves around you, the user. We call it “Sign in with ID” using Multi-Factor Identity technology, and we believe it’s the next generation of online safety. Just as QR codes make it easy to order from the menu at a restaurant or to load the Coinbase site, they also make it easier to sign in online (and we’ve found ways to make it more secure too).

QR codes are here to stay; and fortunately for Coinbase, the extra 60 seconds of fame paid off handsomely. But the curiosity that fueled the Coinbase stint presents a risk to consumers. Don't leave yourself unprotected online; it's time to step-up security.

Secure your helpdesk against social engineering and impersonators.
Accept All Cookies