What is a QR code?
When Masahiro Hara, the chief engineer of Denso Wave, created the QR code in 1994, he probably didn’t realize how impactful his black-and-white invention would be. Back then, Hara created the two-dimensional matrix barcode to help label automotive parts. Today, many different entities, such as airports, restaurants, magazines, websites, marketers, warehouses, and factories, are using QR codes for various purposes.
The rise in popularity of QR codes can be linked to the rapidly increasing smartphone market penetration. In other words, QR codes are likely more prevalent because more people have QR code scanners in their pockets. Naturally, with a growing number of people scanning these barcodes on powerful devices that hold and access sensitive data, there has also been a rise in QR code scams.
Read this in-depth guide for more on:
- What is a QR code?
- How do QR codes work?
- How to use a QR code?
- Are QR codes safe?
QR code definition
A QR code is a kind of two-dimensional barcode that holds encoded data in a graphical black-and-white pattern. The data that a QR code stores can include URLs, email addresses, network details, WiFi passwords, serial numbers, etc.
So, what does QR stand for? Well, “QR” code is short for “Quick Response” code. And it lives up to its billing. The two-dimensional barcodes can store up to 4,296 alphanumeric or 7,089 numeric characters and can be read up to 10 times faster than a conventional barcode.
How do QR codes work?
QR codes work by encoding data into structured black-and-white square patterns for convenient access. When you create a QR code, you convert information, such as the registration number of a vehicle, into a unique QR pattern. This pattern can be decoded into its original format by a QR code reader.
While the shape, size, and efficiency of a QR code can vary by its type, most QR codes have the following elements in their patterns:
- Quiet Zone is the empty white space outside a QR code.
- Hinder pattern is the name for the three black squares in the corners.
- Alignment pattern is the small square near the bottom-right, allowing the QR code to be read from an angle.
- Timing pattern is a line that helps distinguish individual squares and allows damaged QR codes to be read.
- Version information identifies the version of the QR code.
- Data cells hold the encoded information, such as the URL.
Are QR codes safe?
While QR codes are generally safe, they can be manipulated by scammers because they all appear similar. A malicious QR code may lead you to a spoofed website designed to drop different malware types or steal your sensitive data, like your login credentials, credit card information, or money. In one incident, scammers were using fake parking meter QR codes to steal money through phishing websites.
How to check if a QR code is safe
It’s challenging to check if a QR code is safe because they all look nearly identical to the human eye. Instead, you must check a QR code for safety by the context of where it appears and the content it leads to. For example, if a QR code sends you to a URL, examine the link to ensure it's not a scam. QR codes usually use shortened URLs to save space, so you’ll need to wait for the full URL to appear.
Please also be mindful of the source of the code and watch out for signs of tampering. While codes on reputable websites or at businesses are usually safer, hackers can manipulate them too. Be wary of fraudulent schemes. For example, a QR code leading you to a Bitcoin ATM could be a scam.
Listen to your gut. Avoid QR codes that seem risky. Read the QR Code security best practices listed below for more information.
QR code security risks
Threat actors may use QR codes to gain access to your sensitive information, such as your name, address, or credit card information. Or they may use QR codes to dupe you into using a malicious payment portal for unauthorized payments.
Here are some of the biggest QR code security risks:
QRLjacking
QRJacking, short for Quick Response Code Login Jacking, is a type of attack where threat actors hijack a user session in order to manipulate all applications that use the “Login with QR code” feature into using the attacker’s QR code instead of the authentic one.
Quishing
Quishing, short for QR code phishing, is the process of using a QR code for a phishing attack. Threat actors may use a QR code to direct a user to a malicious website, like in this 3D secure update scam.
Baiting
Baiting is a type of social engineering attack where threat actors use bait to deceive their targets. In a QR code baiting attack, attackers can leave random malicious QR codes in public spaces to entice people into scanning them.
Cloning
Can QR codes be cloned? Yes, they can. Some threat actors clone legitimate QR codes to send users to phishing websites that capture sensitive information.
Scanner apps
While QR and barcode scanner apps are usually safe, some can be risky. For example, a barcode scanner app on Google Play infected 10 million users with one update in late 2020.
Malware
Attackers may link a QR code to a malicious website that uses drive-by downloads or malvertising to infect computers and devices with malware. Trojan password-stealers or keyloggers can help attackers commit identity theft or other crimes.
Read this list before scanning a QR code:
-
Take steps to boost your Internet security before creating or scanning QR codes.
-
Always use a reputable QR code generator when making a QR code. You can also password-protect your QR codes if they hold confidential information.
-
Always use a reputable QR code scanner to read QR codes.
-
Use anti-malware for Android to safeguard your mobile device from threat actors who use QR codes as an attack vector.
-
Use iOS security to shield your iPhone and iPad from scam websites and other threat vectors stemming from malicious QR codes.
-
Verify any QR code you see in a public space before scanning it. Likewise, ensure that any QR code you receive by email is authentic.
-
Avoid paying anyone through QR codes. There are many secure alternatives that are less susceptible to phishing attacks.
-
Some scanners automatically scan QR codes. Disable automatic QR code action to prevent your device from scanning malicious QR codes.
-
Configure permissions to avoid sharing private information or sensitive device features by default.
-
Store personalized QR codes, such as vaccination information or travel documents, in a secure folder.
What are QR codes used for?
QR codes were designed to help robots keep track of items like car parts. Modern factories use QR codes to track production, perform quality control, create workflows, and other productivity functions.
Businesses also use QR codes to engage with customers. Today, many organizations use QR codes to share:
-
Contacts
-
Apps.
-
Welcome messages.
-
URL links.
-
Business addresses.
-
Phone numbers.
-
Email addresses.
-
Directions.
-
Coupons.
-
Loyalty programs.
-
Menus.
-
Links to apps.
-
WiFi networks
-
Payment pages.
Why do hackers use QR codes?
As mentioned, it’s almost impossible for most people to tell one QR code apart from another visually. Threat actors can take advantage of this by replacing an authentic QR code with a malicious one or by strategically leaving malicious QR codes in public spaces. Cybercriminals can also deploy malicious QR codes in phishing attacks, clickjacking attacks, and website hacks.
By tricking victims with social engineering tactics into scanning malicious QR codes, threat actors can commit scams, financial crimes, or identity theft. No one is safe from QR code scams, including gamers, as some Final Fantasy 14 players found out.
Making QR codes: How to create a QR code safely
- Select a reputable QR code generator. Steer clear of suspicious QR code creation apps.
- Double-check your content before encoding. For example, check every character if you’re encoding a WiFi password for visitors to your establishment. Similarly, check the URL if you’re redirecting users to a website through a QR code.
- You may be able to customize your QR code’s color, frame, and shape, depending on your QR code generator. You can enjoy these options to personalize your QR code.
- Encrypt the QR code and add password protection if you’re encoding sensitive information.
- Create and test the QR code before distribution.
- Monitor your QR code to avoid security issues.
Scanning QR codes: How to scan a QR code safely
Take the precautions listed above when scanning for a QR code. As mentioned, QR scams are back in fashion and law enforcement is taking notice. For example, you may have read the FBI warning issued over QR codes.
It’s best practice to use a reputable app to scan QR codes for safety. Either use your device’s default camera app or a well-reviewed app from the official store will suffice.
You should also only scan QR codes from safe sources. Treat unknown links, emails, and websites with QR codes with caution. Use a scam blocker or web filter to shield your system from known scams and shield your device with security software.
Here is how to scan a QR code with an iPhone, iPad, or Android device:
-
Tap the camera app.
-
Tap Photo.
-
Ensure that you’re using the rear-facing camera.
-
Point your camera at the QR code.
-
Center the QR code on your screen.
-
Keep your device steady.
-
You should see the QR code activated on your device. For example, you may see a URL appear at the bottom of the QR code.
Static vs. Dynamic QR codes
Static QR codes can’t be modified after creation because the data in a static QR code is ingrained. They’re most suitable for fixed data such as network passwords or serial numbers. By contrast, Dynamic QR codes are more flexible because they direct users to a URL, which can be modified.
Understanding the different types of QR codes
-
QR Code Model 1 and 2: These are the most common types of QR codes you’ll see in the wild.
-
iQR Code: iQR codes are like regular QR codes but more efficient. An iQR code can encode more information in less space than a conventional QR code.
-
FrameQR: This is a type of QR code with a canvas area that offers more flexibility for images and letters.
-
Micro QR Code: It’s easier to print this kind of QR code on smaller surfaces. A typical application for this code is product packaging.
-
SQRC Code: The primary difference between this and regular QR codes is that it’s more secure.
4 major types of QR Code encoding
The four standardized modes of encoding for QR codes are as follows:
-
Numeric mode: Stores up to 7,089 characters and is used to encode digits.
-
Alphanumeric mode: Stores up to 4,296 characters. Expands numeric mode by supporting uppercase letters, spaces, and symbols.
-
Byte mode: Stores up to 2,953 characters. Expands alphanumeric mode by supporting lowercase letters.
-
Kanji/Kana: Stores up to 1,817 characters. Encodes characters in the Japanese format.
QR CODE FAQs
A QR code (quick response code) is a two-dimensional (2D) barcode used for easy information accessing through the digital camera on a smartphone or tablet - such as address, website or an app.
To generate a QR code you simply need to use a QR code generator - Adobe free QR Code generator is one example, but there are other multiple QR generating tools, including free and premium.