An Overview of QR Code Security
QR Code security has been a highly debated issue across the globe. Nonetheless, it’s important to note that QR Code technology itself has no security issues. The security risks come into play only when hackers connect malicious software or websites to a certain QR Code. There are also cases where QR Codes have added security measures to technology processes.
Table of contents
- Are QR Codes secure?
- Can QR Codes be hacked?
- Potential QR Code security issues
  - Malicious software
  - Harmful websites
- Tips on increasing QR Code security
  - Check for signs of tampering
  - Verify the company and the given URL
  - Be wary of bit.ly links
  - Avoid providing personal information if directed to another website
  - Use security applications on mobile devices
- How QR Code technology enhances security
  - Two-factor authentication
  - Bank transactions
- What personal information does QR Code tracking collect?
  - Time and number of scans
  - Operating system
- QR Codes and GDPR
Are QR Codes secure?
The short answer is yes, QR Codes are secure. Static QR Codes are machine-readable and the content inside them cannot be changed once generated. The content inside a Dynamic QR Code, however, can be changed, but you would need access to the user account that created it in the first place.
Can QR Codes be hacked?
The actual QR Codes themselves can’t be hacked. They are built as a square matrix of pixelated dots, so the dots themselves would have to be changed in order for a Code to be “hacked.” QR Code technology alone is not a security risk. The security issues arise from the information connected to the QR Code.
Potential QR Code security issues
There are some associated security risks with scanning QR Codes if they don’t come from a trusted sender. There are three types of security risks related to QR Codes, but keep in mind that these security risks have nothing to do with the technology of QR Codes themselves.
Phishing is a common way that hackers break into websites. Usually, they start by sending a fake login page for the website via email. An unsuspecting person may find this email quite convincing as they can include company logos and similar graphics styles so it does look like a real company. Once this login information is sent, this allows the attacker easy access to the website.
Where this comes into play with QR Codes is during the scanning process. Ads for websites often contain QR Codes that direct users to a specific landing page. What can happen is that the link created for this website has been redirected to a new website with security issues. The key is that the website looks professional and like a real company so that users feel comfortable with providing personal information. Particularly on mobile, most users also don’t take the time to check if the URL looks strange.
The digital sphere is not the only space this happens. Hackers can also place print QR Codes in public places so that people scanning them end up entering a type of login information. It can be especially dangerous if this login is for websites such as online banking or other sensitive data. Though this type of scam is limited in scope, case studies have shown that it is nonetheless effective.
Malicious software
The security risk related to malicious software comes with downloads, many of which are directed at Android users due to open-source software. Known as a “drive-by download attack”, the process involves sending a user to a specific website which automatically forces a download to take place without any user action. Even just being on the website is enough for the download to occur. In the case of mobile, this takes place with hidden apps that infect the device by stealing information or sending messages to premium numbers. They can even collect and sell personal data.
Hackers use QR Codes to aid in this process because they use the Code to direct users to a website that begins this download process. Again, users are not often checking the URL to see if it looks strange and the website may also look completely normal.
Harmful websites
The third type of security risk again involves dangerous websites. Not only can these websites download malicious software and steal user information, but they can also do things like activating the camera, accessing browser data, sending spam emails or using the device to perform further attacks on other users. The tricky part is that the user doesn’t see any of this. It’s all done invisibly in the background.
Tips on increasing QR Code security
So how can users avoid these malicious attacks? We’ve put together some safety tips when scanning QR Codes.
Check for signs of tampering
Particularly when scanning QR Codes from print materials in public places, it’s possible that the original QR Code has been replaced with a sticker of the dangerous one. Double-check that the QR Code on the material looks original and fits with the design.
Verify the company and the given URL
This is one of the most important points that all QR Code users should double-check. Before even scanning, think: Does this company look legitimate? Does the design look professional? Does the QR Code match? If this all checks out, once you’ve scanned the QR Code and are redirected to a website, use the same company verification process. Furthermore, it’s extremely important to check the URL and see if it’s composed in a strange manner or differs from the website graphics, or if it has two different names.
Be wary of bit.ly links
When scanning a QR Code, a notification pops up so you can view the URL that’s inside the QR Code. If a bit.ly URL appears, be wary when clicking on it as it’s not as secure. Bit.ly is a free URL shortening service used by a lot of major companies. But did you know that you have the power to view detailed statistics on any bit.ly link by just adding a + sign at the end of the shortened URL? For example, this blog article outlines exactly how to do this, and the result reveals full click statistics.
UPDATE: When this article went live in January 2020, bit.ly still allowed click statistics to be viewed publicly using the method above. As of April 2020, bit.ly has upgraded its security to only allow logged-in users to access their own click statistics using the same shortcut.
Avoid providing personal information if directed to another website
If the website you are directed to asks for any personal information, do not enter anything like login information, passwords or credit card details. Many marketing campaigns may ask for your name and email or to make direct purchases, so in these cases, you have to decide for yourself whether or not it feels secure. Regardless of the context, if something seems fishy, don’t do it.
Use security applications on mobile devices
Anti-virus and anti-malware software should be a staple on any phone, just as many people have long used it on desktops. Security software can help to stop drive-by download attacks and give notifications for strange URLs. Furthermore, it’s also possible to disable the “open website automatically” function of a cell phone so that when a QR Code captures the URL, you aren’t automatically sent there and have a chance to view the URL first.
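The URL checks from the tips "Verify the company and the given URL" and "Be wary of bit.ly links" can be automated before a scanned link is opened. The following is an added example, not code from this article or from any QR Code product: the function name, the warning labels, the shortener list and the sample URLs are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of URL shorteners (illustration only).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_url(payload, expected_domain):
    """Return warning labels for a URL decoded from a QR Code.

    expected_domain is the domain of the company the Code claims to be from.
    An empty list means none of these checks fired, not that the site is safe.
    """
    warnings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if parts.username is not None:
        # "two different names": text before '@' is not the real destination
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # possible look-alike characters
    if host in SHORTENERS:
        warnings.append("shortened-link")  # real destination is hidden
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append("domain-mismatch")
    return warnings

# Constructed sample payloads (not taken from real QR Codes).
SAMPLES = [
    "https://www.example.com/menu",
    "https://example.com.login.test/menu",
    "https://example.com@192.0.2.7/login",
    "http://bit.ly/abc123",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage_qr_url(url, "example.com") or "no warnings")
```
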
How QR Code technology enhances security
QR Code technology has an unfortunate association with security issues, but on the contrary, there are instances where QR Codes actually increase security measures. Here are two examples.
Two-factor authentication
For online profiles that contain sensitive private and financial information, many institutions have implemented two-factor authentication. This adds an extra step after you’ve put in your login information by showing a QR Code that must be scanned by your cell phone, through which the website recognizes that you are the real user.
Bank transactions
Banks, in particular, have found a use for QR Code technology. QR Codes function well for online banking processes in general, including two-factor authentication login, accessing certain sections of the profile with especially sensitive data as well as confirming bank transfers. Deutsche Bank, one of the leading banks in Europe, even has a particular app known as photoTAN. This app provides users with a photoTAN QR Code that should be scanned to confirm each bank transaction by providing a set of numbers to enter for each individual bank transfer.
What personal information does QR Code tracking collect?
The purpose of QR Code tracking is so that marketers can better optimize marketing campaigns. If you’re curious about what types of information QR Code tracking collects with the QR Code generator software, it encompasses three points: location, time, and operating system of the device used to make the scan. No personally identifiable information is collected and this data is only visible privately by the user who created the Codes.
QR Code tracking gathers user data for both city and country locations. This does not include specific locations within a city.
Time and number of scans
Total scans, unique scans, and how many scans occur over a certain time period are also tracked with QR Code Generator software.
Operating system
The operating system of the device used is also provided in the QR Code tracking details, but there is no further information about the user.
QR Codes and GDPR
For users that create QR Codes using QR Code Generator software, only those who have access to the QR Codes can scan them. This means that whoever they are sent to, or wherever they are marketed, can view and scan them. It is possible to create further security measures for access to the content linked from QR Codes, but QR Code Generator has no influence on this. QR Code Generator also does not share your QR Codes or any connected information with third parties.