
Safeguarding EV Charging from QR Code Phishing (Quishing)

With the rapid expansion of electric vehicle (EV) charging infrastructure, it is critical that charging stations provide both efficient, fast-charging capabilities and secure, trusted payment and interaction methods.

However, while EV charging stations become ubiquitous, the use of QR codes at these stations introduces a new cybersecurity threat with broad implications: QR code phishing, also known as ‘quishing’.

In this article, we explore the dangers of quishing in EV charging stations, examine the available technological solutions to counter these risks, and consider solutions that enhance the safety of EV charging for users and operators alike.


Understanding QR code phishing

QR codes have become increasingly common across many sectors — reinvigorated since the COVID-19 pandemic required a significant amount of information to reach every member of the public. They offer a simple, fast, and touch-free way to access information, make payments, or authenticate users.

At EV charging stations, QR codes are often used for these exact purposes to provide a seamless experience for drivers charging and paying for electricity. However, this convenience comes with significant risks.


QR code phishing, or quishing, occurs when cybercriminals replace a legitimate QR code with a malicious one. Instead of directing users to the official charging payment platform, the fake QR code leads them to a phishing site to steal sensitive information, including login credentials, credit card details, or personal data. Once compromised, this data can be used for fraudulent activities, putting the user at risk of identity theft, financial loss, or more severe consequences.

The rise of quishing at EV charging stations undermines users' confidence and threatens the credibility of public EV infrastructure. With the global push for wider EV adoption, creating secure and trustworthy charging environments is essential to maintaining user trust and driving further uptake of electric vehicles.

Technological solutions to combat quishing

Fortunately, several advanced technologies offer viable alternatives to static QR codes, mitigating the risks of quishing and ensuring safer interactions at EV charging stations. These technologies enhance security and also improve user convenience and operational efficiency.

> NFC technology

Near-field communication (NFC) technology presents a robust solution to the vulnerabilities posed by static QR codes. NFC allows for secure, contactless data exchange between a user’s smartphone and the EV charger. Unlike static QR codes, which can easily be replaced with malicious versions, NFC interactions occur digitally over short distances, making it far more challenging for attackers to intercept or tamper with the transaction process.


Here are the advantages of NFC technology:

  • Security: NFC data exchanges are encrypted, protecting sensitive user information.

  • Ease of use: Users simply tap their NFC-enabled smartphone on the EV charger to complete the transaction securely and without the need to scan any visible code.

  • Future-proofing: As NFC technology is already widely used in mobile payments and other secure applications, integrating it into EV charging infrastructure would future-proof the system against evolving threats.

One potential challenge with NFC is retrofitting older EV charging stations to accommodate the technology. However, the long-term benefits of enhanced security and user confidence outweigh this cost.

> Dynamic digital codes

Another promising approach to preventing quishing is dynamic digital codes displayed directly on the EV chargers. Unlike static QR codes, which remain constant and can be copied or replaced, dynamic codes refresh periodically. Once a session is complete, the code becomes invalid, preventing its reuse by malicious actors.

These digital codes can be displayed on a screen embedded in the EV charger, offering a layer of security far more resistant to tampering than traditional QR stickers. As an added benefit, this approach can be integrated with smartphone apps, allowing users to scan the dynamic code and verify the transaction in real-time.

Here are the advantages of dynamic digital codes:

  • High security: By refreshing periodically, dynamic codes render phishing attempts futile once a session ends.

  • Tamper resistance: Because the code is displayed digitally and changes frequently, it cannot be easily manipulated.

  • Integration with apps: Combining dynamic codes with app-based verification can provide an additional layer of authentication, further enhancing security.

However, implementing dynamic digital codes does require investment in upgrading EV charging stations with durable, weather-resistant screens. While the cost of this upgrade is potentially significant, it is offset by the improved user security and long-term protection against phishing threats.
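One way a backend could issue and check such refreshing codes, shown as an added example that is not part of the original article or any Avnet Silica product. The token layout, the 60-second lifetime, the class and function names, and the sample key and charger IDs are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed refresh interval; the article gives no figure


class DynamicCodeIssuer:
    """Backend that mints and checks the value a charger screen shows as a QR code."""

    def __init__(self, key):
        self._key = key          # secret held by the backend only
        self._redeemed = set()   # nonces that have already started a session

    def _mac(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, charger_id, now=None):
        # Hypothetical layout: charger_id.expiry.nonce.tag (charger IDs contain no dots).
        now = time.time() if now is None else now
        payload = f"{charger_id}.{int(now) + CODE_TTL_SECONDS}.{secrets.token_hex(8)}"
        return f"{payload}.{self._mac(payload)}"

    def redeem(self, code, now=None):
        now = time.time() if now is None else now
        parts = code.split(".")
        if len(parts) != 4:
            return "malformed"
        charger_id, expires, nonce, tag = parts
        expected = self._mac(f"{charger_id}.{expires}.{nonce}")
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "bad-signature"   # edited or made up by someone without the key
        if now > int(expires):
            return "expired"         # a photographed code goes stale
        if nonce in self._redeemed:
            return "already-used"    # one code starts at most one session
        self._redeemed.add(nonce)
        return "ok"


def demo():
    issuer = DynamicCodeIssuer(key=b"constructed-demo-key")  # constructed sample key
    t0 = 1_700_000_000                                       # constructed timestamp
    code = issuer.issue("charger-0042", now=t0)
    return {
        "forged": issuer.redeem(code.replace("charger-0042", "charger-0099"), now=t0 + 5),
        "first_scan": issuer.redeem(code, now=t0 + 10),
        "replay": issuer.redeem(code, now=t0 + 20),
        "stale": issuer.redeem(issuer.issue("charger-0042", now=t0), now=t0 + 61),
    }
```

This check only runs when the operator's own app submits the scanned value to the backend; a code opened with a generic camera app still loads whatever URL it encodes.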

> Two-factor authentication (2FA)

Two-factor authentication (2FA) can be employed with NFC or dynamic digital codes for users who want maximum security. By adding a layer of verification beyond the code or NFC interaction, 2FA provides a robust defense against phishing attacks.

For EV charging, 2FA can be integrated into the smartphone app used to manage charging sessions. After scanning the code or tapping their phone via NFC, the user must enter a second form of authentication — such as an SMS code, fingerprint scan, or facial recognition — before the transaction can proceed. This multi-step verification ensures that even if a malicious actor successfully compromises the initial interaction, they still cannot complete the transaction without the second factor.

Here are the advantages of 2FA:

  • Unmatched security: 2FA offers the highest level of protection against phishing by requiring two independent forms of authentication.

  • User familiarity: Many users are already accustomed to using 2FA for banking or other online transactions, making it a familiar and trusted security measure.

While 2FA significantly enhances security, it does add complexity to the user experience. Users may find the additional step time-consuming, and charging station operators must invest in the backend infrastructure required to support 2FA.

Comparative analysis of security solutions

It’s clear that each solution offers significant improvements in security over static QR codes, with varying ease of use and cost. For operators looking to balance security and convenience, NFC technology may be the best option due to its seamless user experience and robust security. While offering high security, dynamic digital codes come with higher implementation costs but may be ideal for high-traffic charging locations. 2FA, while providing the highest level of security, may be best reserved for sensitive environments where the absolute prevention of phishing is critical.

Avnet Silica is leading the charge in EV charging security

As one of the leading semiconductor technology and solutions providers, Avnet Silica is at the forefront of addressing the security challenges facing the EV charging sector. With expertise in cutting-edge technologies like digital authentication and NFC, Avnet Silica is uniquely positioned to provide insights and solutions that help operators implement secure charging systems.

Avnet Silica’s partnerships with leading manufacturers of EV charging hardware enable the seamless integration of advanced security solutions into new and existing infrastructure. By offering both technological expertise and practical solutions, Avnet Silica helps to ensure public EV charging stations remain safe, trusted, and user-friendly.



About Author

 

Harvey Wilson

Harvey Wilson is a Systems Engineer Professional (Smart Industry) for Avnet Silica in the EMEA region. Harvey works with some of the biggest EV companies in EMEA and supports several high-profile Avnet Silica customers in the EV Charging space.

 
