Cybersecurity | March 16, 2022

Tech Answers: Are QR Codes Secure?

QR codes are back, baby! But is it a good idea for you to use them?  

Perhaps you’ve scanned the table at a restaurant to see the digital menu. Or maybe you caught the Coinbase commercial at the Super Bowl. No matter the reason, there’s no denying that QR code technology has reemerged in the 2020s in a big way.  

But while these nifty little click-free links are certainly helpful, the EMPIST team, as your go-to source for cybersecurity info, feels compelled to tell you that they may not always be safe.  

Here’s all that you need to know about QR codes & security.  

Understanding QR Codes 

Before we get into the nitty-gritty, let’s first go over a little primer on what a QR code actually is.  

Quick Response Codes were invented in 1994 by Masahiro Hara while working at Denso Wave, a subsidiary of Toyota. In essence, they were intended to be used as a new kind of barcode, allowing Denso Wave to accurately track car parts throughout the manufacturing process.  

You see, traditional barcodes are one-dimensional and can only be scanned from side to side, meaning manufacturing workers often struggled to get the right angle when scanning parts. Disappointed with these limitations, Hara set out to develop a 2D version of the same system that could be easily scanned from many angles and hold significantly more information.  

Inspired during a game of Go, the now ubiquitous black-and-white pattern was born.  

Of course, it would be years before Hara’s invention took off at the consumer level worldwide, although QR codes were adopted in Japan much earlier.  

How Do QR Codes Work? 

Unlike traditional barcodes, QR codes use what Hara calls position detection markers to allow them to be scanned from multiple angles. These are the little squares you’ll see in the corners of each code. 

When pointed at the code, any scanning-enabled device (such as your phone) uses the position detection markers to align itself and then reads the code, redirecting the user to their destination. Most modern smartphones can scan QR codes within the camera app. 

In addition to easing the scanning process, the 2D nature of the QR code provides a larger space for data storage. That allows more complicated patterns, so significantly more information can be stored in each code than in a traditional barcode. This structure is even large enough to contain duplicates, so that if a portion of the code is damaged, users should still be able to use it.  

QR Code Application 

Unfortunately, QR codes spent decades on the back burner of the global technology stage before first picking up popularity in the mid-2000s with the proliferation of smartphone technology. And even then, many users hesitated to lean into using them.  

In fact, an article by INC. Magazine in 2012 surmised that 97% of consumers didn’t even really understand what a QR code was. As such, many culture reporters were quick to write off this handy innovation as more of a gimmick than anything else.  

Of course, this viewpoint started to shift – albeit slowly – as the 2010s moved on. In 2015, for example, Snapchat introduced the Snapcode: a QR code unique to each user so that they could quickly and easily share account info with new friends and contacts. Similar applications quickly followed suit as smartphones began integrating their camera apps with scanning technology. An article published by TechCrunch in the same year even went so far as to say that “Snapchat made QR codes cool again.”

The 2020s 

You don’t need us to tell you that the past few years have completely revolutionized our relationship to technology – QR codes included. The Covid-19 pandemic has consistently forced businesses and individuals alike to reevaluate the safety of their practices, leading to major changes in everything from how we order food to how we communicate.  

In an effort to reduce the spread of Covid-19, many organizations embraced QR codes as a simple yet effective way to share information touch-free. From 2018 to 2020, usage grew a whopping 96%, after all.  

Today, you can expect to find QR codes in restaurants, in the form of digital tickets, in doctor’s offices, in commercials, on public transportation, and just about anywhere else you can imagine. We’re willing to bet that you likely scan them on a near-daily basis. Even some Covid-19 vaccination records are accessed as QR codes.  

In this regard, there’s no denying that QR codes are now instrumental to how we function day-to-day. Which makes the question of their security all the more worrisome.  

QR Codes and Cybersecurity  

Luckily, QR codes cannot be ‘hacked’ in and of themselves – but that doesn’t mean you should be any less wary.  

Unlike hyperlinks and URLs, there’s no way for users to see where, exactly, a QR code might be leading them before they scan it. Anyone, including cybercriminals, can create a QR code that leads just about anywhere. That means a code on an advertisement or at a restaurant could easily be tampered with and lead you to an untrustworthy website built to steal your personal information or install malware onto your device.  

The risk is so dire, in fact, that the FBI has recently warned that this very type of attack is on the rise.  

What’s more, QR codes also raise the issue of data privacy. With them, manual processes like paying for your meal or purchasing a movie ticket are now largely digital ones. As such, every time you scan, an organization is given access to data about you, your decisions, and your digital footprint.  

Secure Use 

Avoiding QR codes altogether is unlikely – but there are actions consumers can take to reduce their risk when interacting with them.  

The FBI recommends: 

  • Double-checking the URL once you’ve scanned a QR code to ensure that it matches your intended destination.  
  • Looking for alterations, coverups, and other suspicious changes to the physical aspects of each code before you scan.  
  • Practicing caution when inputting sensitive information after scanning a code.  
  • Never downloading an app from a QR code, and opting for the app store instead.  
  • Always verifying validity before payment.  
  • Refraining from using a scanning app, as they are less reliable than your phone’s camera app. 

If you’re concerned about the security of a given QR code, you can always ask the organization to provide you with the URL of the destination and enter it manually into your device as well.  
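The first recommendation above, checking that the scanned URL matches your intended destination, can be automated. The following is an added example, not code from EMPIST or the FBI; the function name, the sample payloads and the rule that subdomains of the expected host are accepted are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(payload: str, expected_host: str) -> list[str]:
    """Compare text decoded from a QR code with the host the user meant to visit.

    Returns a list of findings; an empty list means nothing looked wrong.
    """
    findings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, not 'https'")
    if parts.username is not None or parts.password is not None:
        # In https://name@host/ the browser goes to 'host', not 'name'.
        findings.append("userinfo before '@' hides the real host")
    if not host:
        findings.append("no host: payload is not a web link")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a DNS name, which is what a legitimate link normally uses
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalized host (possible lookalike characters)")
    expected = expected_host.lower().rstrip(".")
    # Assumption: the expected host and its subdomains are acceptable.
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host {host!r} does not match expected {expected!r}")
    return findings

# Constructed sample payloads, as a scanner would hand them over after decoding.
SAMPLES = [
    "https://menu.example.com/table/12",                 # matches
    "http://menu.example.com/table/12",                  # not encrypted
    "https://menu.example.com@203.0.113.7/pay",          # real host is the IP
    "https://menu.example.com.pay-portal.example/login", # expected name as a prefix
    "https://xn--mnu-dma.example/",                      # punycode host
    "WIFI:S:Guest;T:WPA;P:constructed;;",                # not a link at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample, "menu.example.com") or "OK")
```

The third and fourth samples show why reading only the start of the URL is not enough: the expected name appears first in both, yet the host the browser contacts is a different one.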

Keeping You Safe Since 2000 

The EMPIST team is committed to keeping your sensitive information safe from bad actors, whatever it takes.  

The fact of the matter is that cybercriminals are growing more and more creative each day. And they won’t stop at tampered QR codes in order to get at your data. Staying safe in today’s digital climate requires constant vigilance and continued education on what threats are out there.  

For more cybersecurity tips and tricks, you can read up on information from the EMPIST experts on our website. To get started building a more comprehensive cybersecurity solution, contact us online today.