We’ll kick off this discussion with a deceptively simple question:
Are QR codes safe?
Say it’s a Friday evening – you and your partner are exhausted from a long week of work, and to break up the home office monotony, you decide to spend a night out – revisiting an old favorite eatery.
Right from when you’re seated, you’ll notice something is missing compared to 2019 – no more quirky menus. Chances are, instead, that you’ve used your smartphone to place an order by scanning a QR code conveniently placed on your table – just like they are at millions of other food and beverage spots around the world.
Most of us don’t take this subtle change too seriously – many cite QR codes as a quicker, more convenient, and safer way to access information in various situations. They’ve even been cited as a new, revolutionary way to cut down on paper wastage.
So what’s the catch?
To better understand, let’s take a look at how this modern tech innovation works.
How QR codes were invented, and how they function
The humble QR code is a lot older than most of us think – while they may have only attained widespread popularity in the last decade, they’re actually over 25 years old!
Back in 1994, a chief engineer named Masahiro Hara at Japanese tech pioneer Denso Wave had a sudden epiphany while playing a game of Go during a lunch break.
Realizing that the shifting black-and-white patterns on the game board could also represent data, he solved a key problem for his company’s automotive industry clients – the management of thousands of different items within their inventories.
At the time, traditional barcodes were restrictive since they could handle only 20 characters of information. Hara’s new method – which would soon be named the ‘Quick Response’ or QR code – could hold 200 times more information and was a brilliant solution to inventory management problems.
The idea was simple and functioned across three key steps:
- Data would be encoded and represented across a square grid of black points against a white background.
- These would be read by imaging devices such as scanners or cameras and processed using a technique called Reed-Solomon error correction.
- Once correctly interpreted, the data would be extracted through a combination of horizontal and vertical patterns.
Hara’s invention was a hit. Not only was it possible to scan QR codes in any orientation – but they were also easy to print, inexpensive, and greatly streamlined supply chain management once they hit factory floors.
Today, QR codes are used for much more than just inventory management. They’re often used to let anyone with a smartphone camera seamlessly access web content, accept payment requests, scan advertisements for coupons, and even access important personal information – more on that in a bit.
How QR codes harvest our data
In the last 18 months, QR codes have multiplied by a factor that old Mr. Hara might have never expected. According to Juniper Research, the number of QR payment users in the US is expected to rise by a staggering 240% within five years, with similar figures popping up all over the world.
While this means that millions of people armed with smartphones are adopting the technology, QR data sharing isn’t a one-way street – the codes, or rather the companies behind them, are quietly listening in.
Like pretty much every corner of the world wide web, QR codes present an opportunity for businesses to track, target, and analyze their customers. When you scan a QR code, you also share critical information about yourself, such as:
- When the scan took place
- How often you scan the code
- Where the code was scanned
- What actions you took after accessing the code’s data (depending on the content you’re directed to and not accessible to the QR code generator)
- How much money you’ve spent, if the code is linked to a business (again, this information is not available to the QR code generator)
Unsurprisingly, the list of data points you can harvest from a single scan is disturbingly high – and has triggered concerns from security and privacy experts around the world.
Speaking to the New York Times, Jay Stanley a senior policy analyst at the American Civil Liberties Union, puts it across succinctly:
“People don’t understand that when you use a QR code, it inserts the entire apparatus of online tracking between you and your meal. Suddenly your offline activity of sitting down for a meal has become part of the online advertising empire.”
If experience serves, we’re not too far from seeing targeted ads as we enjoy our favorite burger. As corporations see clear ways to turn this captured data about our eating and spending habits to their benefit – we also see a serious uptick in QR code support from payment gateways.
Take Paypal, for instance, which has pushed QR code support for millions of small businesses, as well as major players like Nike and CVS.
While companies that create and manage restaurant QR codes claim not to sell personal information such as contact details and purchase history – tech privacy legislation across the world has lagged far behind the technologies themselves.
This means that while these companies may not necessarily sell our information to third parties, they can certainly share it – so perhaps the QR code revolution isn’t as squeaky clean as some may suggest.
How QR codes can be misused: the Europe green pass debate
Using QR codes responsibly is a deeply under-addressed topic – and one that has recently caught a great deal of attention as vaccination rates began to rise across the European mainland – and in particular, Italy.
Throughout 2020, news outlets worldwide kept a keen eye on the Italian peninsula – as Italy was one of the first countries to bear the brunt of the pandemic and its debilitating effects on the people and the economy. As the country’s healthcare system buckled, leading to a massive death toll and thousands of families grieving, governments across the European nations realized that drastic measures needed to be taken.
One such was the issue of the Covid Green Pass. So, what exactly is the Covid Green Pass?
Digital Green Certificate
According to a report from the European Union, on 17 March 2021, the European Commission introduced a proposal seeking regulation on a ‘digital green certificate.’ This was required to allow safe and free movement of EU citizens during the pandemic and the ensuing partial lockdowns. It was also accompanied by a proposal that covered third-country nationals legally staying or residing in the EU.
The digital green certificate would provide proof of vaccination, give test results of Covid-19, and information on the acquisition of antibodies. The certificate aimed to help restore free movement of people within the EU.
On 25 March 2021, the European Parliament decided to accelerate work on the commission proposal, and it was successfully rolled out in June 2021.
The Good, the Bad, and the Ugly on the Green Pass
Along with the rest of the EU, Italy has begun to issue ‘Covid Green Passes’ -the digital certificate that confirms the health status of people within the EU. Depending on different criteria, the pass gives its holder one of three statuses:
- Vaccinated against Covid-19
- Tested negative
- Recovered from Covid-19
As the world slowly begins to wake up from the catastrophe of 2020, making such a pass mandatory for entry to tourist attractions, restaurants, offices, and other public spaces is certainly a responsible move – although one little detail brought up a host of concerns that no one really saw coming.
Since QR codes have been used throughout the pandemic as an effective way of limiting contact -they were being used for everything from public health guideline links to medical payments, it only seemed natural that the Covid Green Pass would also carry a QR code.
The Green Pass also happens to carry a significant amount of personal information, increasing personal safety and privacy concerns.
According to Dr. Michael Veale, a lecturer in Digital Rights and Regulations from UCL’s Faculty of Laws, the data in the digital certificates will be easily prone to forgeries.
Within weeks of the measure taking off, concerned coders in Italy began to upload digital tools to check their Covid Green Passes – helping people discover what data the codes could leak.
Unfortunately, most people aren’t that careful – or simply aren’t digitally literate. Combine this with a global pandemic and a purely digital certification system, and you’ve got a recipe for disaster.
Eager to celebrate their vaccination status, several excited Italians took to social media – proudly displaying their Covid Green Passes (and QR codes) in videos and photos. According to the official specifications, the digital certificates these QR codes link to contain a great deal of sensitive information, such as your name, date of birth, vaccination status – and even the location where you chose to get vaccinated. In the hands of the wrong people, this could easily serve as a method to stalk and harass innocent victims – a problem so severe that the Italian Ministry of Health also released a statement urging people to keep their passes to themselves and share QR codes responsibly.
Digital vulnerability and the ministries of health
In Italy, this resulted in serious data vulnerability for millions of people – although the Health Minister, Roberto Speranza, at least stepped up to the challenge, as mentioned above.
Things were, however, a little less secure – albeit amusing, in Malaysia’s Ministry of Health.
Earlier this year, the Malaysian Minister for Health, Dr. Adham Baba, displayed a QR code on live TV. This was done as part of the live-stream event of Malaysia’s own digital certification program. As camerapersons zoomed in, and the video was uploaded across Malaysian social media, it came into the hands of a few curious individuals, who fancied themselves a peek under.
It did throw up a result – a SoundCloud page owned by a man in Cardiff, England, who worked in digital education (and uploaded electronic music) under the pseudonym ICT Evangelist. Not what anyone was expecting, to be sure.For some, this is just another bizarre tale in an already bizarre year – although it proves the point that Minister Baba’s Italian counterpart was trying to make; that if you upload your QR codes on social media – someone will try to access them, and potentially reveal sensitive information.
Further QR security risks
It isn’t all limited to irresponsibly sharing QR codes either. As almost 20 million people downloaded their green passes this summer, a quick black market sprung up. According to Italian news reports, several cybercriminals made a quick profit by creating fake passes. Quoting the Italian postal police statement:
Clearly, there’s a big market for the misuse of this technology, and without proper measures in place, people’s privacy and health could be at serious risk.
Scanning QR codes can also lead unaware users to malicious websites – few people, if any, check the exact address that a QR code is redirecting them towards, and quite a few have been victims of ‘qishing.’
This new spin on ‘phishing’ sends QR codes through emails to unsuspecting victims, who scan the content only to discover that their mobile phone has been compromised by hidden viruses or spyware.
How QR codes hampered cryptocurrency
Another technology that tagged along for the ride across the last decade was cryptocurrency – as blockchain tech began to sweep across the world, as did QR code usage.
However, it led to some rough times for a few unfortunate traders. As bitcoins themselves are comprised of data, they’re often embedded into QR codes for people to scan. This led to an upsurge of scammers crafting QR codes to pose as legitimate BTC exchanges.
How QR codes can increase security
After all of this information, the chances are that you’ve lost your faith in the QR code system. However, don’t be too quick to dismiss or write it off, though – aside from its spectacular ease-of-use and low cost, QR codes also offer a few ways to bolster digital security.
Here’s a couple of key techniques:
You’ll often find MFA or multi-factor authentication when conducting transactions over the internet, logging into highly secure environments, or even just as a super-secure way to lock your personal devices.
QR adds an extra level of security to MFA by including a QR code that your registered devices can scan. So, not only does it offer an encrypted login code – it also makes the process as simple as opening your phone camera.
Mobile payment systems
Let’s say that you owe a friend for dinner last night – when you next meet, QR codes could play a key role in helping you settle your transaction as safely and conveniently as possible.
Instead of having to send over long, complicated bank details, you can simply get your friend to scan a QR code displayed on your phone screen, generated by a mobile payment system.
In seconds, you can easily and safely receive and send money – without needing to share actual account information with the other party.
The need for QR code safety information
Naturally, QR codes are an amazing technology that streamlined business operations for thousands of companies and helped save lives and promote social distancing during the pandemic.
Like any technology, however, it can be misused when handled by malicious people.
The answer lies in educating ourselves about the risks of living in an increasingly digital world, understanding how the technology we use handles sensitive information, and in keeping ourselves alert and responsible as much as we can.
Read on for some crucial tips on QR code safety.
QR code security – top tips to keep your data safe
To help make this process easier, we’ve compiled a series of key tips to remember regarding your QR code usage. Stick to them, and your data will remain safe and uncompromised.
Make sure that your QR code hasn’t been tampered with
One of the most common ways QR codes are used maliciously is by overlapping legitimate codes with fake ones designed to redirect scanners to harmful websites.
Whenever you scan a printed QR code in public areas, make sure that the code hasn’t been tampered with or replaced with a sticker of an unlawful one instead. Also, pay attention to the design and alignment – if it feels off, you may want to think twice before scanning.
Only compatible with HTTPS
This layer of encrypted data means that the session between the web server and the browser on the mobile device you are using is encrypted. In simple terms, whenever you access a webpage that begins with https:// rather than http://, you’re accessing a much more secure network that protects you and the website from any eavesdroppers.
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocol. TLS is an authentication and security protocol widely implemented in browsers and Web servers.
SSL works by using a public key to encrypt data transferred over the SSL connection, allowing you and your customers to communicate securely with the web server – without anyone else listening in.
Take the time to read your URLs
Yes, we know this sounds annoying – but hear us out for a second.
One of the most common ways data thieves steal information such as login details from people is by creating websites that masquerade as legitimate ones – often called phishing websites.
As QR codes are often used to direct users to login pages, make sure to read and verify exactly what the link is. A phishing page will generally not feature HTTPS protection and may contain an easily missable typo within the URL.
For example, many people have fallen prey to phishing scams on websites designed to look like Apple’s login page but are instead looking to harvest your password and login ID. If you ever come across something such as ‘appl-eserv.com’, it’s best to take a swift U-turn!
Beware of Link-Shorteners
Whenever you use your phone to scan a QR code, it will likely send you a popup displaying the web address the code is redirecting you towards. While these should ideally be easily understandable and secure links – you’ll also sometimes come across shortened links – generated on websites such as bit.ly and TinyURL.
While several companies use shortened links to streamline their digital footprint (and sometimes increase brand recognition), they can also be something of a security risk, as shortened URLs usually do not reveal anything about the actual website.
Again, if the link-shortener does feature HTTPS protection, it’s probably legitimate.
Keep an updated antivirus software on your phone
They say that prevention is the best cure – but what do you do when malware can be found in and around every corner of the internet?
It’s best to take your safety into your own hands and keep your smartphone protected – and it all starts with using a powerful, up-to-date antimalware system.
These will periodically scan your device, erase threats, and warn you of dangerous links and other vulnerabilities when set up correctly.
Be careful when asked for personal details
Often, a QR code may redirect you to a web page that asks for personal information – ranging from relatively innocuous email addresses to important bank passwords.
Naturally, stay alert and avoid giving away information carelessly – if a page asks you for something too important, it’s best to back away. Many companies and governments are switching to contactless forms – these create an additional layer of security to the process.
Keep these precautions in mind while facing a QR code, and you’re going to be well-guarded against possible mishaps.
How do QR companies uphold user security?
If you’re thinking of using QR codes to run your business more effectively, you’ll also need to provide strong security and privacy measures for your organization and clients.
A good QR code generator with a solid reputation and long history takes this into account – QRcodeKit.com, for example, uses the following protocols to keep any scanner’s data safe:
A detailed anti-cybercrime system
QRcodeKit.com uses a specialized system to detect harmful attacks, passive and active. Their security settings are in line with global, state-of-the-art corporate standards as well as governmental regulations.
They also have the support of several cybersecurity services such as PhishLabs, Phishing Protection API by Google, and Amazon Security Team, which help their team swiftly find and terminate malicious activities in the form of phishing, spam, pharming, or cross-site scripting.
Bulletproof statistics security
It is a well-known fact that all QR code generators harness data collection techniques – while this can be used by businesses to serve their customers better, hackers can also mine it.
A good QR code generator will keep its data under lock and key. In QRcodeKit.com’s case, we standardize GDPR compliance – the European standard, which enforces the most secure data protection in the world, with harsh penalties to deter any potential wrongdoer.
Transparency with data tracking
It’s also essential to establish a clear and transparent idea of the information that a generator’s QR codes will track. QRcodeKit.com is known to keep things straightforward on our webpage – listing the following tracking variables:
- When they were scanned.
- Where they were scanned.
- How many times they were scanned.
- What type of operating system scanned them.
- Age and gender of individuals who’ve scanned them (Only if your Google Privacy Settings are set to public, which you can change.)
As businesses rely more and more on data analytics, it’s important to never sacrifice customer safety for the sake of potentially profitable insights.
A 24/7 cybersecurity support team
Malicious elements on the internet don’t take days off. So, if you’ve ended up compromising your data or facing any other issue, you need to work as quickly as possible for the sake of damage control.
QRcodeKit.com offers a 24/7 support team trained to quickly respond and provide guidance to companies, governments, institutions, or individuals that report suspicious activity – if you end up in a digital security crisis, you need someone useful in your corner.
A robust backup system
In emergencies, such as a data breach, a QR code provider needs to maintain a foolproof system of backups.
In QRcodeKit.com’s case, this is done through a server mirroring setup – paired alongside hourly backups for absolute reliability. If you do come across any malicious websites, make sure to send QRcodeKit.com a report following these suspicious QR activity report instructions. QRcodeKit.com takes these issues seriously and immediately blacklists any websites proven to be harmful.
QR codes are the future; there’s no doubt about it. Given that governments and businesses both big and small across the globe are increasingly adopting QR codes, they’re already a daily occurrence for many of us.
However, alongside this large-scale use comes a massive need for secure and responsible QR code scanning. This is where a dependable QR code generator such as QRcodeKit.com comes in, offering years of expertise and a long list of trusted clients.