How safe are QR codes?

by Lorraine Williamson

QR codes have been around for a while, but since the pandemic more of us have been using them, and using them a lot more often.

Simply by scanning a QR code, we can gain access to menus, concert tickets, flight tickets, and video games. You can also see pages on websites and much more. It is a simple way to view more information using just our mobile phones. You can even find them projected on buildings, drawn in the sky by drones as an entrance to augmented reality, used as a payment method, or even on mountain trails to consult trekking routes.

However, these can compromise our security. You want to know why? Keep reading.

Increased use of QR codes

The use of QR codes has now spread massively. This is evidenced by a survey conducted by Bluebite, which shows a 96% increase in the scope of QR codes and a 94% increase in the number of interactions carried out with them, such as scanning them.

In addition, a survey carried out by the Mobileiron company in Europe and the UK states that 86.66% of people who use smartphones have scanned a QR code at least once in their life. Furthermore, 36.40% scan one or more codes a week.

What is a QR code?

But do we know what a QR code is? QR literally stands for ‘quick response’. These boxes with black spots, technically known as two-dimensional barcodes, are made up of a matrix of black and white dots. They serve to store information and make it more accessible to users.

It is important to note that there are two types of QR codes: static and dynamic. The static ones are called quick response codes and they cannot be edited, that is, their information cannot be changed once they have been generated. The dynamic ones are called immediate response codes and they can be edited. Therefore, the information to which they redirect can be modified without having to reprint or recreate the QR code.

Easy access

Any smartphone or tablet camera can scan these codes and therefore, directly access a web page or download an application. This has made everything much easier, meaning you no longer need to type a URL into your phone’s browser to access it!

In addition to the above, QR codes are useful:

  • as a method of accessing a web page, downloading applications or accessing different types of resources, such as restaurant menus, tourist information, video game stores, etc
  • to know minute-by-minute information on purchases made on the Internet
  • as a way to connect to a Wi-Fi network or to know information about it
  • to use services such as WhatsApp Web, thanks to the provided QR code. Just by scanning the code we can access our conversations through the computer and use it as if we were using the application from the mobile
  • for obtaining information on the food products that we consume in supermarkets
  • to set up additional protection methods on our accounts. For example, to configure double authentication mobile applications, such as Google Authenticator or Microsoft Authenticator
  • as a form of payment through mobile
  • to generate loyalty cards for supermarkets and stores. Instead of carrying all the cards in the wallet, it is possible to show a QR code from the applications of these services that hides information about the customer’s data
  • for access to entertainment areas, such as concerts, museums, movies
  • to access transport systems such as planes, subways or trains

However, not everything is perfect when we talk about QR codes, why? What risks can be involved in scanning a simple code with the mobile camera?

Do you have questions?

Here are some questions you may want to think about:

  • do you know in advance to which web page a QR code redirects you?
  • if the answer is no, have you considered whether there is any possibility that this website is not what you expect to find (violent content, paedophile, drugs, weapons, etc.)?
  • what if the QR code leads you to download an app that promises to have functionality, but subscribes you to premium SMS services?
  • what if the app is capable of exploiting security flaws in the operating system to steal your private information?
  • could it infect your device and make you lose all the information you keep on it? Passwords, photos, videos, documents, etc?

Take precautions

As you can see, the problem is not in scanning the QR code, but in what is hidden behind it. However, these issues should not prevent you from using them. But you do need to take extreme precautions to avoid problems.

For example, if you come across a poster, leaflet or any other marketing material that invites you to scan a QR code, be careful. In this situation, you do not know who the people or entities that generated it are; whether they are who they say they are; whether they are impersonating a person, entity or service; or whether the destination website to which the QR code redirects is harmless or, on the contrary, tries to deceive you in order to infect your device or to get you to provide some type of personal or bank data under any excuse.

Example of a scam

To give you an example, imagine you are walking, and you are given a ticket:

At first glance, the offer displayed seems very attractive. Just by scanning the code you can get a free hamburger and even a prize or a discount. How easy is that? However, after scanning the code, a message appears on the screen to request confirmation as to whether you really want to access the URL hidden in the QR code. It is at this moment that you must seriously question whether you really want to install an app or visit a certain page.

How do you access a QR code?

Accessing the information contained in a QR code is easy. You simply use your phone camera and focus on the code. Almost all current mobile phones on the market, both Android and iOS, have a tool automatically installed on the camera that allows you to scan the codes.

Malicious URL

With a specific application, after scanning the QR code, a tab opens before you enter the URL. At this point, you are able to see the full link.

Obviously, if someone wants you to install a malicious app, they won’t call it “APKMaliciosa.apk” or “ThisIsAFraudulentApplication”; on the contrary, they will attempt to give the link or the app a name that does not make you suspicious, for example, “FreeBurgerApp.apk”.

So, how can you know if what you are going to visit or install does not expose you to any risk? Here are some recommendations that you can apply:

  • if at first glance, the URL seems suspicious, do not access it
  • ensure the website you are going to access always complies with protection and safe browsing standards, for example, that it uses https
  • make use of link analyzers, such as VirusTotal and URLVoid. In this way, before opening the website you can verify that it is not a social engineering attack such as Qrishing, known as phishing or smishing of QR codes
  • you can also use apps, such as Kaspersky QR Scanner, available on Android and iOS. These carry out a series of security checks before activating the QR code on your smartphone
  • do not provide any private data or password to web pages that you have accessed through a QR code
  • if you access bank pages or online stores where you are asked to enter your bank card data, do it from the full URL or through its own application
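
The first checks in the list above can be applied mechanically to the text a scanner decodes, before anything is opened. The following Python is an added example, not part of the original article; the function name, the extension list, the heuristics other than the https check, and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of installable file types; ".apk" is the one the article mentions.
RISKY_EXTENSIONS = (".apk", ".exe", ".msi", ".dmg")

def triage_qr_payload(payload: str) -> list[str]:
    """Return warnings for the text decoded from a QR code (empty = none fired)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL: do not open"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes also carry Wi-Fi settings, payment requests and other data.
        return [f"not a web link (scheme {scheme or 'none'!r}): review before acting"]
    warnings = []
    if scheme == "http":
        warnings.append("no https: the connection is not encrypted")
    host = parts.hostname or ""
    if not host:
        warnings.append("no host name in URL")
    if parts.username is not None:
        # In "https://brand@host/", the browser connects to host, not to brand.
        warnings.append("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass  # a normal domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: may imitate another domain")
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        warnings.append("link downloads an installable file")
    return warnings

# Constructed sample payloads (reserved example domains and documentation IPs).
SAMPLES = [
    "https://restaurant.example/menu",
    "http://xn--brger-kva.example/menu",
    "https://burger-promo.example@203.0.113.7/FreeBurgerApp.apk",
    "WIFI:T:WPA;S:CafeGuest;P:constructed-password;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample) or "no warnings")
```

An empty result only means none of these checks fired, not that the destination is safe; a link analyzer such as VirusTotal or URLVoid is still the next step.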
