If you’ve been into a café, restaurant, public building or shop recently, you’ve probably been asked to scan a Quick Response code.
QR codes have been one of the few beneficiaries of the coronavirus pandemic, since these matrix-style barcodes now appear everywhere from museums to motorway service stations.
The principle is simple. Scan a QR code using an app or your phone’s camera, and it will perform a pre-determined instruction, such as loading a webpage or confirming e-ticket data.
Yet when we scan these monochrome graphics, we’re rarely thinking about security or confidentiality. And it turns out this could be a significant oversight.
Are QR codes safe by design?
The simple answer is no, they’re not.
A QR code can provide whatever information you want. It’s a form of binary data storage – each tiny square is either white or black, on or off, zero or one.
Typically presented in a square, with three box-in-box squares in its corners, a QR code resembles a pattern, but it’s actually a huge array of binary data units.
Each tiny black or blank (white) square contains a bit of information. When viewed as a whole, it provides basic instructions to the device which has scanned it.
This binary data is understood by digital devices like smartphones, but it’s not a language we can easily translate, let alone with our eyes.
The QR pattern could contain anything – including links to malware or compromised websites laced with viruses.
This is further aggravated by the fact that scanning a QR code tends to display an abbreviated URL, whose destination only becomes evident once you follow the link.
There’s no way to tell by looking at https://bit.ly/a1gasw8 where the URL would lead you.
Nor are QR codes used exclusively as website shortcuts.
Scanning one could trigger a call to a premium-rate phone line, send a text message to a mobile number registered half a world away, or even download an app onto your device.
It simply isn’t possible to identify by eye what a code will do before it’s scanned.
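The inspection the article asks readers to do by eye is one a scanner app can do automatically before acting. As an added example, not code from the article, this Python function classifies the decoded payload text by the action it would trigger and flags the cases discussed above (shortened links, phone calls, text messages, app installs); the shortener list, the sample payloads and the +44 home country code are assumptions.

```python
"""Classify a decoded QR payload before acting on it.

Added example, not from the article: a scanner app hands the decoded text
straight to the OS, so the useful check is what that text would *do*.
The shortener list, sample payloads and +44 home country code below are
assumptions; bit.ly is the one domain the article itself cites.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # constructed list
HOME_COUNTRY_CODE = "+44"  # assumption: a UK user, as in the article's examples


@dataclass
class Verdict:
    action: str    # open_url, call, sms, install or other
    target: str    # the URL, number or package the action applies to
    warnings: list = field(default_factory=list)

    @property
    def safe_to_auto_open(self) -> bool:
        return not self.warnings


def inspect_payload(payload: str) -> Verdict:
    """Return the action a payload would trigger plus any reasons to pause."""
    text = payload.strip()
    scheme, rest = (text.split(":", 1) + [""])[:2]
    scheme = scheme.lower()
    if scheme in ("http", "https"):
        host = (urlsplit(text).hostname or "").lower()
        v = Verdict("open_url", text)
        if scheme == "http":
            v.warnings.append("plain http: page can be tampered with in transit")
        if host in SHORTENERS:
            v.warnings.append(f"shortened link via {host}: destination hidden until followed")
        return v
    if scheme == "tel":
        number = rest.replace(" ", "")
        v = Verdict("call", number, ["scanning would place a phone call"])
        if number.startswith("+") and not number.startswith(HOME_COUNTRY_CODE):
            v.warnings.append("foreign number: premium or international charges possible")
        return v
    if scheme in ("sms", "smsto"):
        return Verdict("sms", rest.split(":", 1)[0], ["scanning would send a text message"])
    if scheme in ("market", "intent"):
        return Verdict("install", rest, ["payload points at an app install"])
    return Verdict("other", text)  # plain text, Wi-Fi config, vCard: no action taken
```

A scanner that shows `action`, `target` and `warnings` to the user, and only auto-opens when `safe_to_auto_open` is true, turns the article's "look before you scan" advice into a mechanical check.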
So how do I stay safe?
First and foremost, avoid scanning any codes you don’t completely trust – including ones which have been stuck over existing signage.
It’s also advisable not to scan old QR codes, which might have been repurposed from their original (genuine) function.
If you’re doing Test and Trace before settling down in your favourite café with a scone and a latte, a QR code displayed behind a Perspex screen will almost certainly be legitimate.
If someone walks up to you in a pub and asks you to pay for 200 knock-off cigarettes by scanning a QR code and entering your card details, it’ll almost certainly be illegitimate.
Use the same principles you’d apply to an unsolicited email. Is it likely to be authentic, and is there a valid reason for its arrival?
Smartphones are harder to hack than desktop computers, but unwittingly installing malware-laden apps or visiting compromised websites could offer open season to criminals.
Equally, you might end up incurring a sizeable bill if scanning a QR code triggers a call to a number in Belize which can’t be disconnected once it’s engaged.
Provided the person or organisation supplying the QR code is legitimate, the code itself can’t be compromised or hacked – only the final destination may be problematic.