
Think Twice Before Scanning that Next QR Code

Being in the security industry can be downright depressing. Your friendly neighborhood system administrators and IT managers are probably questioning their lives at this very moment. As threats and threat actors grow more sophisticated at an alarming rate, we still struggle to convince everyday users to perform even the most basic security tasks. One of those tasks is inspecting links before you click on them. The text of a link and the address it opens are set independently, so a link that reads https://duckduckgo.com can actually point to https://biggerinsights.com. When users don’t inspect links, phishing and similar attacks become like shooting fish in a barrel.

After decades of effort, many users seem to have accepted that they should inspect links before clicking on them. That is, until QR codes became popular. The convenience and esoteric nature of QR codes are encouraging users to, once again, open URLs without inspecting them. Admittedly, we’re not entirely sure why, but we are sure that it’s a problem. Here are a few of our hypotheses:

  1. Users may not be aware that a QR code is simply text, usually a URL, encoded in a 2D grid. They may see it as some sort of direct access to the intended resource rather than as a URL in a form they can’t read.
  2. QR codes look cryptic rather than plain-text, which may give average users a false impression of encryption or security.
  3. Because users can’t read the QR code themselves, they may not be aware that the scanning software could, and should, show them the plain-text URL before opening it.

QR codes can encode arbitrary text (Wi-Fi credentials and contact cards are other common payloads), but we’re going to focus on URLs in this post.


Malicious QR Codes

QR codes are becoming quite prevalent in public spaces – parking meters, restaurant menus, COVID testing facilities, etc. Coupled with the knowledge that many people will scan a QR code without a moment’s thought, this is attracting criminal mischief. After all, what’s to stop someone from sticking their own QR code over a legitimate one in a public space? And how many people will visit that QR code’s URL before the scheme is discovered? Police in several US cities have warned residents of a scam involving QR code stickers that criminals attached to parking meters. In that scam, users are directed to a phishing website that steals payment details (e.g. credit card number).

A QR code can also encode a javascript: URL rather than a web address. The term “JavaScript” gives security professionals nightmares: many of the security issues we see today, particularly in web applications, come from JavaScript code, whether written poorly or maliciously. We’re not going to get into the weeds here, but two points are worth knowing. First, a scanner app should treat a javascript: payload as text and refuse to open it, and modern browsers generally refuse to navigate to a javascript: URL passed in from another app; whether yours does is something to check, not assume. Second, and far more common, whatever page the code sends you to runs whatever script its operator chose, so the privacy and security risks of visiting any unknown website apply.


"Legitimate" QR Codes

Even “legitimate” QR codes are not without risk. A large proportion of them are really data mining operations in disguise. When you go to a restaurant called Bigger Insights, with website biggerinsights.com, and scan its QR code to see the menu, wouldn’t you expect that to take you to a URL such as “biggerinsights.com/menu”? You might end up at “biggerinsights.com/menu”, but where did you go beforehand? Most likely the code actually encodes a short link on the domain of the service that generated it (a so-called dynamic QR code); that service records your scan and then redirects you to the menu, harvesting your data in the process. The QR provider may subsequently share or sell your data with others – not exactly something you bargained for when all you wanted was to see a menu, right? Depending on the QR provider, quite a bit of information may be harvested:

  1. Device information
  2. Browser information
  3. Date and time
  4. Location
  5. etc.

This may seem harmless, but remember that by visiting a 3rd-party domain, you let that 3rd party collect everything any other website you visit could collect. If the provider uses advanced fingerprinting techniques, or can read cookies or cached data it set on a previous scan, for example, this data may be enough to identify you personally. If the provider lacks this capability, it can outsource it by querying services that do, which spreads your data further and adds risk. There is a thriving ecosystem of entities that collect and sell fingerprinting information for just such a scenario. Although we aren’t sure how common this practice is, be aware that it is entirely feasible.
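To make the redirect mechanism concrete, here is an added example (an illustration written for this page, not code from any QR provider or from the original post) that follows a scanned URL one HTTP hop at a time, without letting a browser load anything, and lists every domain outside the one you expected to reach. The provider and tracker hostnames in the replayed chain are constructed stand-ins on the reserved .invalid TLD; biggerinsights.com is the page’s own example restaurant. Run it with a real URL as the first argument to trace a live chain; with no argument it replays the constructed one.

```python
"""Trace where a scanned QR URL really goes, one redirect at a time.

A "dynamic" QR code usually encodes a short link on the QR provider's domain;
that server logs the request and answers with an HTTP 3xx pointing at the real
page. This follows the chain hop by hop with one HEAD request per hop, so you
can see every third-party domain you would have touched. `fetch` is pluggable
so the chain can be replayed offline.
"""
import http.client
import sys
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def live_fetch(url, timeout=5):
    """One HEAD request; return (status, Location header or None). Never follows."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    conn.request("HEAD", path, headers={"User-Agent": "qr-trace/0.1"})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def trace(url, fetch=live_fetch, max_hops=MAX_HOPS):
    """Return the list of (url, status) hops, ending at the first non-redirect,
    a loop, or the hop limit."""
    hops = []
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            hops.append((url, "loop"))
            return hops
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_STATUSES or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative
    hops.append((url, "too many redirects"))
    return hops


def third_parties(hops, expected_domain):
    """Hosts in the chain that are not expected_domain or a subdomain of it."""
    out = []
    for url, _ in hops:
        host = (urlparse(url).hostname or "").lower()
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            if host not in out:
                out.append(host)
    return out


# Constructed, offline stand-in for the network (hypothetical provider and
# tracker domains): a short link that logs the scan, bounces through an
# attribution service, and finally lands on the restaurant's menu.
FAKE_CHAIN = {
    "https://qr.example-provider.invalid/r/abc123":
        (302, "https://t.example-tracker.invalid/c?u=biggerinsights.com"),
    "https://t.example-tracker.invalid/c?u=biggerinsights.com":
        (301, "https://biggerinsights.com/menu?utm_source=qr"),
    "https://biggerinsights.com/menu?utm_source=qr": (200, None),
}


def fake_fetch(url):
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        chain = trace(sys.argv[1], live_fetch)
    else:
        chain = trace("https://qr.example-provider.invalid/r/abc123", fake_fetch)
    for hop_url, status in chain:
        print(status, hop_url)
    print("third-party domains touched:", third_parties(chain, "biggerinsights.com"))
```

Every hop before the final 200 is a server that saw your IP address, user agent and the time of the scan; the tracking parameter that survives on the last URL is what the next example strips.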

Domain Ownership Changes

From time to time, website owners fail to renew their domain. Perhaps the domain was for a temporary purpose. Perhaps the owner was disillusioned to discover that people don’t want to read a quality blog; they just want to watch videos of cats and gamers giving crypto investing advice. In any event, domains change ownership, but the QR codes printed with the old URL linger.

Let’s suppose you’re a German man named Daniel Korell. You’ve just sat down for dinner, read the back of your Heinz ketchup bottle, and were enticed to scan the QR code on the back label. You whip out your spiPhone – excuse us – iPhone, and give that QR code a scan. You’re greeted not with the ketchup-related promotion you were promised, but with a porn site. If you thought this hypothetical example was oddly specific, you’d be correct, because it is a true story. While humorous, his children could just as easily have scanned it, and the lapsed domain could have been picked up by criminals and used to infect devices instead.

This is one more reason to make sure you can inspect a QR link before you let your device open it in the browser. It is also a cautionary tale for business owners about what can go wrong when you let go of a domain that still has links, printed ones included, pointing to it.

Best Practices

For Users


Figure 1: QR code scan in iOS – why is the URL not shown?

Figure 2: QR Code URL inspection in GrapheneOS

How you should interact with QR codes depends on your operating system. In general, if you must scan a QR code, do it in airplane mode with Wi-Fi disabled, so that you can inspect the link without unintentionally loading an undesired site. This is especially helpful in spiOS – excuse us – iOS, where we don’t see any direct way to inspect a QR code’s URL before opening it. In that case, you let iOS open the URL in your default browser; with no internet connection the page can’t load, but the full URL sits in the address bar for you to inspect.

In GrapheneOS, a mobile OS that actually respects your privacy and security, the URL is displayed as soon as the camera detects a QR code. As an added bonus, the no-internet trick also lets you strip tracking parameters and other unwanted parts of the URL before loading it with the connection back on.

If you inspect a URL and the domain doesn’t match what you expect, avoid it if you can. It’s uncommon for a QR code to be the only way to do something, so if you’re uncomfortable, look for an alternative. At restaurants, for example, ask for a paper menu or go directly to their website. If their data-mining/spyware QR code is the only route, tell them to pound salt and take your business elsewhere.
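The inspection asked of users above, and the check business owners further down should run on their own printed codes (does the payload point directly at your site, or at a generator’s short link?), can be scripted once a scanner has handed you the raw text. The following is an added example, written for this page rather than taken from the post or from any scanner app. It takes a decoded payload, works out what kind of thing it is, reports which host a browser would actually contact, raises a few common red flags, and returns a copy with tracking parameters removed. The hosts evil.invalid and 192.0.2.10, the Wi-Fi credentials and the expected-domain argument are constructed for illustration; biggerinsights.com is the page’s own example domain.

```python
"""Inspect a decoded QR payload before letting a browser open it.

Input is the text a scanner app reads out of the code. Output says what kind
of payload it is, which host a browser would really contact, any red flags,
and a copy of the URL with common tracking parameters stripped.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
# Schemes that run code or load local content rather than fetch a web page.
NEVER_OPEN = {"javascript", "data", "file", "vbscript"}
# Query parameters whose only job is to attribute the visit to a campaign or click.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "mc_cid", "mc_eid", "igshid", "yclid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name):
    n = name.lower()
    return n in TRACKING_PARAMS or n.startswith(TRACKING_PREFIXES)


def strip_tracking(url):
    """Return url without tracking query parameters; everything else intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def same_site(host, expected):
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)


def inspect_payload(payload, expected_domain=None):
    """Classify a QR payload. 'verdict' is 'open', 'caution' or 'refuse'."""
    text = payload.strip()
    m = SCHEME_RE.match(text)
    scheme = m.group(1).lower() if m else ""
    report = {"kind": "text", "scheme": scheme, "host": None, "flags": [],
              "cleaned": text, "verdict": "open"}
    if scheme in NEVER_OPEN:
        report.update(kind="active-content", verdict="refuse")
        report["flags"].append(f"{scheme}: URL; treat as text, never open")
        return report
    if scheme == "wifi":  # WIFI:T:WPA;S:<ssid>;P:<password>;; joins a network, not a page
        report.update(kind="wifi-config", verdict="caution")
        report["flags"].append("joins a Wi-Fi network chosen by the code's author")
        return report
    if scheme not in ("http", "https"):
        if scheme:  # tel:, sms:, mailto:, geo:, app-specific schemes, ...
            report.update(kind=scheme, verdict="caution")
        return report

    parts = urlsplit(text)
    host = parts.hostname or ""
    flags = report["flags"]
    report.update(kind="web", host=host, cleaned=strip_tracking(text))
    if scheme == "http":
        flags.append("plain http: the page, and anything you type into it, can be read or altered in transit")
    if parts.username is not None:
        flags.append(f"text before '@' is a username; the browser actually goes to {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (xn--) label: lookalike (homograph) domain possible")
    if any(ord(c) > 127 for c in host):
        flags.append("non-ASCII host: lookalike (homograph) domain possible")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        flags.append(f"non-standard port {parts.port}")
    tracking = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True) if is_tracking_param(k)]
    if tracking:
        flags.append("tracking parameters: " + ", ".join(tracking))
    if expected_domain and not same_site(host, expected_domain):
        flags.append(f"host is {host!r}, not {expected_domain!r} or a subdomain of it")
    if flags:
        report["verdict"] = "caution"
    return report


if __name__ == "__main__":
    # Constructed payloads; the .invalid TLD and 192.0.2.0/24 are reserved for examples.
    samples = [
        ("https://biggerinsights.com/menu?utm_source=qr", "biggerinsights.com"),
        ("https://biggerinsights.com@evil.invalid/menu", "biggerinsights.com"),
        ("http://192.0.2.10/pay", "biggerinsights.com"),
        ("javascript:alert(document.cookie)", None),
        ("WIFI:T:WPA;S:FreeCoffee;P:hunter2;;", None),
    ]
    for payload, expected in samples:
        r = inspect_payload(payload, expected)
        print(f"[{r['verdict']}] {payload}")
        for f in r["flags"]:
            print("   -", f)
        if r["cleaned"] != payload:
            print("   cleaned:", r["cleaned"])
```

The username trick is the one worth memorising: in https://biggerinsights.com@evil.invalid/menu everything before the @ is discarded by the browser, so a glance at the start of the URL is not enough; read the host that follows it.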

For Business Owners

If you must use QR codes, have the integrity to make the underlying URL point directly to your website. Your customers deserve better than having some shady analytics company harvest their data and violate their privacy. When it comes to privacy, ask yourself, “If I explained this to my customers, how would they feel?” If the answer is “They would feel violated”, that’s a clear indication you’re doing something wrong, whether or not they’re aware of it.

In fairness, we’re of the impression that many business owners don’t realize their QR codes route customers through 3rd-party domains. If you DuckDuckGo* “QR code generator”, the top results will generate codes that route users through the generator’s own domain; these are usually marketed as “dynamic” codes, as opposed to a “static” code that encodes your URL itself. If you don’t know how to create your own QR code, reach out to us in the contact form at the bottom of the page.

*We don’t “Google it” here

Final Thoughts

QR codes are already common and gaining in popularity. However, don’t let their convenience lull you into sacrificing your privacy and security. Visiting the link in a QR code without inspecting it is as dangerous as clicking a link in an unsolicited email without inspecting it; it’s the same thing. Whatever your OS, there should be a way to inspect a QR URL before going to the site. Do yourself and the world a favor and inspect all URLs rather than blindly trusting them.
