ALTHOUGH they have been around for almost 30 years, Quick Response (QR) codes are only just beginning to be widely used.
In supermarkets they have started to replace bar codes on grocery items.
Governments have used them for contact tracing during the current COVID-19 pandemic.
Everybody uses them.
In one scam, parking meters in a big American city carried legitimate QR codes which patched motorists through to a website where they could pay the parking fee. Scammers stuck a label with a malicious QR code over the top of the legitimate code, and as a result motorists paid the scammers. The scam was only uncovered once motorists started receiving fines for not paying parking fees.
But apart from being used in scams, a QR code can contain malicious data in the form of a website address that can extract a lot more information than needed from your phone.
On a mobile phone, the app reading a QR code may override the user’s web browser permissions. In this way, a QR code can enable and stream information from the phone’s microphone, camera and GPS to a remote server.
These feeds can be analysed for sensitive data such as passwords, files, emails, SMS or IM messages.
All these actions can occur in the background while the user sees only the app opening a seemingly harmless web page.
For the security of your personal information and the safety of your device, you should adopt the same cautious approach to QR codes as you probably already take to suspicious email messages.
If it doesn’t look legitimate or you don’t know or trust the source, don’t scan it. However, there’s nothing to fear from QR codes used by businesses and services which you do trust.
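The same caution can be applied in software before a scanned address is ever opened. The sketch below is an added example, not part of the original article: it checks the text decoded from a QR code against the one payment host the operator is known to use. The function name, the host names and the sample payloads are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the payment host printed on the operator's own signage.
TRUSTED_HOSTS = {"pay.cityparking.example"}


def vet_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", ["payload is not a parseable URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the host the browser connects to.
        reasons.append("userinfo in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary host name, which is what we expect
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible lookalike name")
    if host not in trusted_hosts:
        reasons.append(f"host {host or '(none)'!r} is not on the allowlist")
    return ("allow" if not reasons else "block"), reasons


# Constructed payloads: the genuine code, then stickers that could cover it.
SAMPLES = [
    "https://pay.cityparking.example/zone/12",
    "https://pay.cityparking.example@collect.example/zone/12",
    "https://pay-cityparking.example/zone/12",
    "http://pay.cityparking.example/zone/12",
    "https://203.0.113.7/pay",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reasons = vet_qr_payload(sample)
        print(f"{verdict:5}  {sample}  {'; '.join(reasons)}")
```

Only the first sample is allowed; the second shows why the host has to be parsed out rather than read off the start of the address.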
Advertisers, governments, businesses and any organisation or individual with a message to communicate can place their QR codes in public spaces where they can be scanned easily by potential customers, directing them to websites where they can purchase or find information almost instantly.
It’s a much faster and more effective way of capturing people’s attention than providing a website address or phone number that needs to be remembered or written down.