QR codes – uses and risks

The use of QR (Quick Response) codes has become more and more common in recent years. This autumn, QR-bills will even replace traditional payment slips. But QR codes can also be used, for example, to access the digital menu in restaurants, to open websites easily or to make TWINT payments. What is the reason for this success? Where are the codes used and what risks are associated with using them?

The QR code was developed back in 1992 by Masahiro Hara, an engineer at the Japanese company Denso Wave. It was intended to enable the tracking of spare parts on the assembly lines at Toyota factories.

With the advent of smartphones, QR codes were initially used mainly in magazines and on billboards. The main advantage is that the URL for the advertised product or company no longer has to be entered manually.

What is the reason for this success?

QR codes are designed to be easy to use and inexpensive to produce. Creating a QR code does not require any special resources or technical knowledge, and codes can be generated on countless websites. The only "weakness" of QR codes is that they cannot be changed once they have been generated. This flaw has now been remedied by dynamic QR codes.

In addition to the classic QR codes (Figure 1, left), customised and creative QR codes are increasingly being generated. These are intended to attract attention and, above all, create an advertising effect.

Figure 1: QR code for https://www.ncsc.admin.ch: classic on the left and creative on the right.

Uses

QR codes are mostly used as a simplified way to enter internet addresses (URLs). The desired website can be called up with a simple scan, and there is no need to type it in. However, there are various other possible uses:

QR-bill 
The QR-bill is modernising Swiss payment transactions. The first QR-bills started to be used instead of the usual payment slips in mid-2020, and will replace them entirely in autumn 2022. The QR code contains all the information needed for easy, automatic and efficient payment.

Text messages and email
A QR code can contain a command that creates a ready-made text message with the recipient's phone number or an email complete with title, content and recipient's address. All that remains is to tap the send button.

GPS coordinates
A QR code can contain a command that sends your position data.

Website addresses
A QR code can contain an address for a website.

Calendar events
A QR code can trigger an event in your calendar and add or delete appointments.

Social media
QR codes can contain commands to automatically follow an Instagram or Twitter account.

WiFi networks
Information on a WiFi network, including the password, can be stored in a QR code.

App stores
A QR code can also contain a link to any app in any app store.

Dynamic QR codes
A short URL is embedded in dynamic QR codes that redirects users to the actual target website. The short URL remains the same but it is possible to change the redirection later so that it can be adapted to current needs.

What are the risks?

  • Since people cannot read the content of QR codes, it is impossible to know what is really behind the image before scanning it.
  • The information encoded in a QR code is not limited to web pages.
  • A QR code can also hide a link that leads to a malicious file, a malicious app or a dubious app store, for example.
  • Information on dubious WiFi hotspots can also be hidden behind a QR code.
  • It is easy for a fraudster to print out a fake QR code and paste it over an existing one, or to add a QR code where there is none.
  • With dynamic QR codes, it is no longer possible to predict which pages they will ultimately lead to, because the redirection can be changed later.

Recommendations

  • Use a reliable app that is recognised as secure to scan QR codes. The advantage of this is that your device will ask you to confirm the action before the code contained in the QR is executed. Both Apple and Android also allow the camera to recognise QR codes.
  • After scanning and before execution, most scanners will display the action to be performed or the page to be accessed. Check this information.
  • Never enter login credentials on a website that you have accessed via a QR code.
  • Before scanning a QR code, take a close look at it or touch it to check that it is not just a sticker that has been affixed over the original.
  • If you scan a QR code that contains something malicious, immediately notify the owner of the place (magazine, website, etc.) where you discovered it.
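
The check recommended above (look at the action before confirming it) can be illustrated with a short script. This is an added example, not part of the original article: it takes the text decoded from a QR code and reports the action it would trigger, with warnings for the risks listed above. The host lists and sample payloads are constructed, and the payload prefixes follow common scanner conventions.

```python
from urllib.parse import urlsplit

# Constructed host lists for illustration (assumptions, not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
APP_STORES = {"apps.apple.com", "play.google.com"}

# Payload prefix -> action a scanner would offer (common scanner conventions).
PREFIX_ACTIONS = {
    "wifi": "join WiFi network",
    "smsto": "prepare text message",
    "sms": "prepare text message",
    "mailto": "prepare email",
    "geo": "open GPS coordinates",
    "begin": "import calendar entry or contact card",
}


def describe_payload(payload):
    """Return (action, warnings) for the text decoded from a QR code."""
    text = payload.strip()
    if text.splitlines()[:1] == ["SPC"]:  # first line of a Swiss QR-bill payload
        return "QR-bill payment", ["check payee and amount before paying"]
    scheme = text.partition(":")[0].lower() if ":" in text else ""
    warnings = []
    if scheme in ("http", "https"):
        try:
            url = urlsplit(text)
            host = (url.hostname or "").lower()
        except ValueError:
            return "unknown action", ["malformed web address"]
        action = "open app store page" if host in APP_STORES else "open website " + host
        if scheme == "http":
            warnings.append("unencrypted connection")
        if host in SHORTENERS:
            warnings.append("short URL: the final destination can change")
        if url.path.lower().endswith((".apk", ".exe", ".zip")):
            warnings.append("link points to a file download")
        return action, warnings
    if scheme == "wifi":
        warnings.append("network settings come from whoever made the code")
    if scheme in PREFIX_ACTIONS:
        return PREFIX_ACTIONS[scheme], warnings
    return "unknown action", ["do not confirm an action you cannot identify"]

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes.
    for sample in ("https://www.ncsc.admin.ch", "http://bit.ly/abc123",
                   "WIFI:T:WPA;S:CafeGuest;P:example-pass;;", "SPC\n0200\n1"):
        print(describe_payload(sample))
```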

Last modification 10.03.2022

https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-private/aktuelle-themen/qr-code-anwendungen-und-risiken.html