QR code use grows in popularity but poses hidden risks:
The use of QR codes has risen during the pandemic as they offer a perfect solution to contactless interaction. But many employees are also using their mobile devices to scan QR codes for personal use, putting themselves and enterprise resources at risk.
A new study from security platform MobileIron shows that 84 percent of people have scanned a QR code before, with 32 percent having done so in the past week and 26 percent in the past month.
In the last six months, 38 percent of respondents say they have scanned a QR code at a restaurant, bar or café, 37 percent at a retailer and 32 percent on a consumer product. It's clear that codes are popular and 53 percent of respondents want to see them used more broadly in the future. 43 percent plan to use a QR code as a payment method in the near future and 40 percent of people would be willing to vote using a QR code received in the mail, if it was an option.
However, QR codes are a tempting attack route for hackers too as the mobile user interface prompts users to take immediate actions, while limiting the amount of information available before, for example, visiting a website.
Have any Soylentils done anything interesting with QR codes?
(Score: 4, Insightful) by Snotnose on Tuesday September 22 2020, @10:07PM (13 children)
If you think I'm going to point my phone to a random URL, or click a random link, you are crazy. Not happening.
I've always thought these QR codes were a security nightmare. Average person "oooh shiney", boom, phone compromised.
not me.
Relationship status: Available for curbside pickup.
(Score: 4, Interesting) by Rosco P. Coltrane on Tuesday September 22 2020, @10:21PM (6 children)
I don't know. The QR code scan app I use tells me it found a URL, shows the URL and I have to accept to get the browser to go there. Seems pretty safe to me, if you haven't been living under a rock and you know a legit-looking URL that points to a server that matches whichever venue you scanned the QR code in from a random .ru address.
(Score: 1, Interesting) by Anonymous Coward on Wednesday September 23 2020, @03:26AM (2 children)
Most people though, scan and have their device just defaulting to opening the link. For those checking links, Google are trying their level best to kill showing URLs and then you have komradsky making a fake site using Cyrillic letters that look almost identical. QRs in the wild are a dangerous nightmare.
(Score: 4, Insightful) by Mykl on Wednesday September 23 2020, @04:02AM
A few QR stickers posted up in public places that link to Goatse should fix users' carelessness
(Score: 3, Informative) by hendrikboom on Thursday September 24 2020, @01:24AM
Some of those Cyrillic characters look identical, not just almost identical.
(Score: 2) by gringer on Wednesday September 23 2020, @03:29AM (2 children)
If your QR code app is showing the website title, it means it has visited the link. I've experimented with a barcode app I have on my phone and have noticed that I can create a link in a QR code that logs QR code use to my web server without any user authorisation (apart from using the app to look at the code).
Ask me about Sequencing DNA in front of Linus Torvalds [youtube.com]
(Score: 3, Informative) by Rosco P. Coltrane on Wednesday September 23 2020, @09:48AM (1 child)
It shows the URL, not the website's content. As in "This QR code has this URL encoded in it: tap here if you want to open it".
(Score: 2) by gringer on Sunday September 27 2020, @09:20AM
Good. Your app is different from mine then - as well as the URL, mine shows the title, which requires visiting the site to work out, which means that parameters encoded into the URL can be used for storing information about use of the QR code.
Ask me about Sequencing DNA in front of Linus Torvalds [youtube.com]
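The two concerns raised in the comments above (hostnames built from look-alike Cyrillic letters, and scanner apps that contact the server to fetch a title before the user has agreed to anything) can both be handled by a preview that only parses the decoded string. This is an added example, not code from any poster or scanner app; the function names and sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qsl

def script_of(ch):
    """Rough script of a letter, from its Unicode name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0] if ch.isalpha() else None

def preview(payload):
    """Describe a decoded QR string by local parsing only; nothing is fetched."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""
    except ValueError:
        return {"kind": "unparseable", "warnings": ["could not parse as a URL"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"kind": "non-web", "scheme": scheme, "warnings": ["not a web link"]}
    warnings = []
    for label in host.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            warnings.append(f"{label!r} mixes scripts: {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            warnings.append(f"{label!r} is written entirely in {min(scripts)}")
    try:
        # The xn-- form is what the browser will actually resolve.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None
        warnings.append("hostname is not valid IDNA")
    if "@" in parts.netloc:
        warnings.append("userinfo in front of the hostname")
    # Query parameters are listed so per-sticker tracking values are visible.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"kind": "web", "host": host, "ascii_host": ascii_host,
            "params": params, "warnings": warnings}

# Constructed samples; \u0430 is CYRILLIC SMALL LETTER A, not Latin "a".
SAMPLES = [
    "https://menu.example/",
    "https://c\u0430fe.example/menu?table=7&src=sticker",
    "https://\u0441\u0430\u0440\u0435.example/",   # all-Cyrillic label that reads as "cape"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(preview(sample))
```

The all-Cyrillic label is flagged separately because, as noted above, some of these letters are identical to Latin ones and a mixed-script check alone would pass it.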
(Score: 2) by NateMich on Wednesday September 23 2020, @02:58AM (4 children)
It isn't really random if you're in a restaurant and it's taped to the table for you to get a menu and drink listing.
Or, you know, you could read the URL before you actually click on it.
(Score: 2) by mhajicek on Wednesday September 23 2020, @06:22AM (2 children)
Or, you know, they could just write out the web address so I wouldn't need a qr scanning app just to read it.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 2) by HiThere on Wednesday September 23 2020, @01:58PM (1 child)
Then you need to type in the address....well, first you need to copy it down somewhere so you don't lose it while you're typing it in (depends on application, of course). QR codes were designed to allow easy scanning to avoid the typing, which to me sure makes sense on a phone. (I find phone keyboards almost unusable.)
N.B.: I'm *not* claiming that they don't have all the defects mentioned. Just that offering the address isn't an adequate replacement. And personally I have never used them, so this is a bit theoretical.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Thursday September 24 2020, @05:56PM
OCR + URL format detection shouldn't be hard nowadays.
(Score: 1, Interesting) by Anonymous Coward on Wednesday September 23 2020, @11:54AM
The last QR app I tried opened URLs automatically, no prompt, no warning. There is a reason I uninstalled it shortly after that.
(Score: 2) by fakefuck39 on Thursday September 24 2020, @03:34AM
lol. clicking a random link is 100% safe. scanning any qr code is 100% safe. the average person is just fine. they auto-update their browser, and they don't download shit they don't trust and execute it. only the absolute dumbest 1% of people do that. how many of you are there buddy?
(Score: 3, Interesting) by krishnoid on Tuesday September 22 2020, @10:09PM
You can add in pictures and stuff [aaronparecki.com] if you want to make them more eye-catching.
(Score: 4, Insightful) by Anonymous Coward on Tuesday September 22 2020, @10:56PM (2 children)
It's not magic. Usually the string contains a URL. Sometimes it contains application-specific information. Most of the time they are perfectly safe, but you should treat them as you would any other random URL that went through a shortener.
A QR code isn't a payment method, or anything else. You can use them to exchange data. Software can do things with the data. The software, not the QR code, is the method of payment. Nobody would say they paid with their credit card number.
The trouble with QR codes is they aren't secret. People think they're secret, because they just look like noise to a human eye. But they aren't. Well, most people don't know what they do at all, but their meat-brain thinks "I don't understand it, so it must be secure." It's not.
Voting by QR code is pretty much the worst idea ever. Voting by mail basically depends on the uniqueness of the ballots and their special envelopes plus the human signature. None of these is any good on their own, but put together they add up to about as good as any other kind of voting system - security by the inconvenience of dealing with paper. QR codes have no security at all.
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @08:34AM
found the alien.
(Score: 2) by DannyB on Wednesday September 23 2020, @02:25PM
Don't scan a QR code with a general purpose scanner.
Only scan a QR code using an app that expects a certain kind of QR code, from a source that you are expecting to receive a QR code from.
For example, let an Amazon app scan a QR code from Amazon. Let a Google app scan a QR code from Google.
If you think a fertilized egg is a child but an immigrant child is not, please don't pretend your concerns are religious
(Score: 1, Interesting) by Anonymous Coward on Tuesday September 22 2020, @11:01PM
I used QR codes to show that using DLP software to prevent data leakage is an hilarious waste of money, via one implementation of ThruGlassXfer [thruglassxfer.com]
(Score: 4, Interesting) by richtopia on Tuesday September 22 2020, @11:03PM (3 children)
I put a QR code on my business card which is a link to my resume. Also, I have a bunch of stickers with a very simple QR code that points to my contact information, along with my email in size 6 font. Those stickers go on my belongings, particularly shared articles and travel gear. It hasn't happened yet, but if I forget something in the airport or hotel I'm trying to make returning my laptop, phone, camera, etc easier.
With things like tools the QR code sticker is the same but identifies the tool as mine. If I share something like my pressure washer with my coworker, the highest risk is them forgetting about it and the code can help. It also helps with my work phone and laptop: these are the same for everyone, and when we used to go to the office I can quickly identify my stuff as phone with a sticker.
(Score: 2) by krishnoid on Tuesday September 22 2020, @11:11PM (2 children)
Along those lines, do you have a good recommendation for durable, environment-proof laser-printable sticker sheets? Or a similar solution?
(Score: 0) by Anonymous Coward on Tuesday September 22 2020, @11:22PM
Print on normal paper, then cover with clear adhesive tape?
(Score: 2) by richtopia on Wednesday September 23 2020, @04:19AM
Not really. I use my Brother QL800, which is a thermal printer. The name-brand media is superior to the 3rd party I used in the past, but it still is sensitive to UV light, chemicals, and will rub off on handled surfaces (something like a week lifetime when applied to my phone).
While I wouldn't say they are ready for severe applications, they are really fast to print and apply and are good for most domestic applications. As an experiment I left an example on my truck's dash (UV light testing). At one month, they were noticeably faded but still legible. I've used them to label most of my house: https://www.youtube.com/watch?v=Fak87QH_AhE [youtube.com]
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @12:34AM
QR codes were designed by the auto industry to make scanning a part / pallet faster. Used to be 4 1D scans to a single 2D scan.
I scan hundreds a day. Today I used it to program 20 Android scanners with just 1 scan each. Then it upgraded the OS through 5 upgrades. Load 4 apk. Install carts and configured the WiFi. Yes it scanner took 20mins to upgrade, but that is just time sitting on a counter.
So what have you done meaningful with it?
(Score: 3, Funny) by Gaaark on Wednesday September 23 2020, @12:56AM
So THAT was her name?
Strange name, but WOW, she's REALLY into 'error correction'! :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Interesting) by JoeMerchant on Wednesday September 23 2020, @01:59AM (1 child)
You may know that you can scan a QR code that will configure your phone to connect to a WiFi access point.
Extend that one step: periodically randomize your access point's (concealed) SSID and password - now only people who have scanned the QR code since the randomization have access, and that access is relatively easy.
Extend that two steps: Activate a server on the access point's network with a randomized address:port/pagename and put up a QR code for that - again, only accessible to those who can see the QR code, but just a point and click to get into the service if your phone's camera can see the QR code display.
Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
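The first step described above (rotating a hidden SSID and password and publishing them as a QR code) comes down to regenerating a `WIFI:` string, the de facto format phone cameras recognise for network configuration. This is an added example, not the poster's code: the `guest` prefix and the function names are assumptions, and the output still has to be passed to a QR encoder and applied to the access point.

```python
import secrets

SPECIAL = '\\;,":'   # characters that must be backslash-escaped in field values

def esc(value):
    return "".join("\\" + c if c in SPECIAL else c for c in value)

def wifi_payload(ssid, password, hidden=True, auth="WPA"):
    """Build the string to encode in the QR code."""
    flag = "true" if hidden else "false"
    return f"WIFI:T:{auth};S:{esc(ssid)};P:{esc(password)};H:{flag};;"

def rotate(prefix="guest"):
    """New random SSID and password plus the matching QR payload."""
    ssid = f"{prefix}-{secrets.token_hex(4)}"
    password = secrets.token_urlsafe(18)      # 24 URL-safe characters
    return ssid, password, wifi_payload(ssid, password)

def parse_wifi(payload):
    """Inverse of wifi_payload: what a scanner recovers from the code."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields, buf, i, body = {}, "", 0, payload[5:]
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character: take it literally
            buf += body[i + 1]
            i += 2
            continue
        if c == ";":                          # unescaped ';' ends a field
            if buf:
                key, _, val = buf.partition(":")
                fields[key] = val
            buf = ""
        else:
            buf += c
        i += 1
    return fields

if __name__ == "__main__":
    ssid, password, payload = rotate()
    print(payload)
    print(parse_wifi(payload))
```

Anyone who can photograph the displayed code recovers the same fields `parse_wifi` returns, so the rotation interval is what bounds how long a captured code stays useful.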
(Score: 0) by Anonymous Coward on Thursday September 24 2020, @06:39PM
With 3 Kb data, you can do a lot of interesting things. Quickly use an external display with Miracast, access networked cameras, connect to a specific bluetooth device. Hardcopy for S/KEY passwords, OTPs, keypairs?
(Score: 3, Funny) by progo on Wednesday September 23 2020, @03:48AM (1 child)
Is this some Roman calendar with dangling days that aren't in a month?
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @12:00PM
More people answered the poll with "in the last week" than answered "in the last month". Poorly phrased, but that is how the numbers are grouped.
(Score: 2) by kazzie on Wednesday September 23 2020, @04:41AM (1 child)
I used QR codes to hack my 3DS [github.io], courtesy of a poorly written game.
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @06:59PM
Mwahaha, that was you? Kudos and thanks!
(Score: 2) by Pslytely Psycho on Wednesday September 23 2020, @07:23AM
Came across this a few weeks ago, seems fitting to post it here.
https://hackaday.com/2020/08/17/fitting-snake-into-a-qr-code/ [hackaday.com]
Next up, malware that wipes your phone and sends all your data to the NSA!
Ok, not funny as they already likely have all that data anyway.......
Alex Jones lawyer inspires new TV series: CSI Moron Division.
(Score: 2) by KritonK on Wednesday September 23 2020, @10:28AM (1 child)
Speaking of doing interesting things with QR codes, I wonder if it is possible to create a QR code that decodes to an image that is the same as the QR code itself, similarly to programs [wikipedia.org] that print their source code when run.
(Score: 0) by Anonymous Coward on Wednesday September 23 2020, @12:03PM
Last I checked QR codes don't support Turing-complete macro expansion, so no.