
Before I go any further let me say one thing.  

If you are in Victoria, are only scanning QR codes for COVID-19 check-in, and are using the Services Victoria App to scan them, they are safe!

Why?  Because the Services Victoria App will only acknowledge a valid Services Victoria QR Code.  Any other QR Code is treated as invalid: the app will not accept it and will tell you so.

Having said that, let’s begin.

Are there risks associated with QR codes?

As explained in Part 1 of this series, a QR code is nothing more than a representation of some text.  This text can be a link to a website, an email address, a business card and many other things.  Of themselves QR codes are not a risk.  They simply provide you an easy way of obtaining some information.

But I heard QR Codes can be hacked.

The base technology around QR Codes has no (known) security flaw.  The actual codes can’t be hacked like a computer; they are just printed text encoded in a special way.

But of course that won’t stand in the way of malicious persons. They will find a way of using them, won’t they?

The issue for you and me is that we can’t read a QR Code ourselves; we have to accept it at face value and use a device to read it.

QR Codes can be used maliciously

Anyone can create a QR Code, so hackers can too. A malicious actor could create a QR Code that points to a malicious or fake website: one that exposes you to phishing, hacking, or malware, or one that captures your personal data, such as login credentials or other personal information.

Malicious parties have been known to:

  • print posters or flyers with malicious QR codes and distribute them in public places
  • print stickers with malicious QR codes and place them over legitimate QR Codes

How to protect yourself

  • Make certain your device is kept up to date, both the apps and the device operating system
  • Test your device by scanning a known valid code. If the device acts upon the code immediately without you giving it the OK, then check your settings.  You do not want your device to scan and open a webpage automatically.  You want to be able to view the details and then decide if you want it to go to that site.
  • Only scan QR codes from trusted and legitimate senders, such as governments, schools, legitimate businesses and organizations. Never scan a QR code from an unknown source.
  • After scanning look at the information displayed, is that where you think you should be going?
  • If scanning for a specific purpose and a special app is available for that purpose (example Services Victoria App for COVID-19 check-in) use the app.
  • Do not scan QR codes that look to be altered in any way.
  • Use a QR Scanner you know you can trust
    • A good QR Scanner app will have a preview ability. It will display the result so you can decide whether to act on it
    • There are also QR Scanners that will pass the result through a security product to confirm it is known to be safe
  • Treat a QR code like a suspicious link in an email. If it feels wrong, don’t scan it.
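
The preview step from the list above, as an added example (not code from this post or from any scanner app): it takes the text a QR code decodes to and reports what kind of content it is and what looks off, without opening anything. The function name `preview_qr_payload`, the host `checkin.example.gov.au` and the sample scans are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the host the user expects for this scan.
EXPECTED_HOSTS = {"checkin.example.gov.au"}

def preview_qr_payload(text, expected_hosts=EXPECTED_HOSTS):
    """Classify decoded QR text as (kind, target, warnings); opens nothing."""
    text = text.strip()
    lower = text.lower()
    if lower.startswith("mailto:"):
        return ("email", text[len("mailto:"):], [])
    if lower.startswith("begin:vcard"):
        return ("business card", text, [])
    if not lower.startswith(("http://", "https://")):
        return ("text", text, [])
    try:
        parts = urlsplit(text)
    except ValueError:
        return ("link", "", ["malformed URL"])
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' is not the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, possible look-alike name")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if host not in expected_hosts:
        warnings.append("host is not the one expected for this scan")
    return ("link", host, warnings)

# Constructed sample scans (not taken from real QR codes).
SAMPLE_SCANS = [
    "https://checkin.example.gov.au/venue/123",
    "http://192.0.2.10/login",
    "https://checkin.example.gov.au@evil.example/login",
    "mailto:someone@example.org",
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        kind, target, warnings = preview_qr_payload(scan)
        print(f"{kind}: {target or scan} -> {warnings or 'no warnings'}")
```

The third sample shows why the preview should display the host the device will actually contact: everything before the `@` is ignored when the link is opened.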

The security and privacy threats QR Codes pose are real.  But like everything today we have to be on our guard and take care.


Are QR Codes Safe? – QR Codes Part 3