The Dangers of QR Codes
- December 15, 2023
- Clayton Rice, K.C.
A jumble of squares in a grid is what the consumer sees when looking at a QR code. That simplicity makes them attractive to scammers, who embed URLs that deliver custom malware or direct the user to a phishing site. But QR codes serve another purpose beyond facilitating consumer transactions. They turn analogue transactions into digital ones as part of the broader tracking apparatus of commercial surveillance.
1. Introduction
The quick response (QR) code is a two-dimensional cousin of the barcode. It was developed by the Japanese company Denso Wave, a Toyota subsidiary, to label automobile parts. A QR code consists of black squares in a square grid on a white background that can be read by a digital device such as a camera. Whereas a barcode is simply a machine-readable image, a QR code carries data that can serve as a locator, an identifier or a web-tracking tag. The data stored in a QR code can include URLs, phone numbers or up to 4,000 characters of text. A QR code can house more data than a barcode because it is read in two directions – top to bottom and left to right. There are four encoding modes for QR codes: (a) the numeric mode with up to 7,089 characters; (b) the alphanumeric mode with up to 4,296 characters; (c) the byte mode, which stores up to 2,953 characters; and (d) the kanji mode, the original mode developed by Denso Wave, which stores only 1,817 characters. They are used for a wide variety of commercial and governmental purposes, and have maintained their popularity in restaurants, bars, parking kiosks and retail outlets so customers can open online menus or make online payments. The increased use of QR codes during the COVID-19 pandemic, and the trust put in them by an unsuspecting public, have made them a handy tool for scammers.
2. The Dangers of QR Codes
In an article titled How attackers exploit QR codes and how to mitigate the risk, posted to CSO Online on September 5, 2023, Chris Sherman of Forrester Research told tech journalist Bob Violino that the element of surprise makes QR code security threats particularly problematic. “I’m not aware of any direct attacks to QR codes, but there have been plenty of examples of attackers utilizing their own QR codes in the course of attacks,” Mr. Sherman said. “The main issue is that QR codes can initiate several actions on the user’s device, such as opening a website, adding a contact, or composing an email, but the user often has no idea what will happen when they scan the code.” A common attack involves placing a malicious QR code in public, sometimes covering up a legitimate QR code; when unsuspecting users scan the code they are sent to a malicious web page that hosts an exploit kit. This can lead to further compromise of the device, or to a spoofed login page that steals user credentials.
Quishing is the term used for phishing attempts that use QR codes. “Attackers like QR codes because they can direct unsuspecting victims to a malicious website or trick them into downloading malware and do it in a way that is less detectable than other phishing methods,” according to Mr. Violino. Although quishing emails appear similar to phishing emails, the main difference, of course, is the inclusion of a QR code. “[Q]uishing emails are often disguised as multifactor authentication notifications from popular brands such as Microsoft or DocuSign,” Mr. Violino continued. “The attacker hopes to trick the victim into thinking their session has expired and they must authenticate again. Using the QR code sends the victim to a fake web page that asks for account and credential information.”
On February 11, 2022, the Canadian Centre for Cyber Security (CCCS) published a paper titled Security Considerations for QR Codes as part of its awareness series. The CCCS is part of the Communications Security Establishment (CSE) and promotes itself as “the single unified source of expert advice, guidance, services and support on cyber security for Canadians.” The CSE is Canada’s national cryptologic agency, providing the Government of Canada with information technology security and foreign signals intelligence. The CCCS paper identified the following three types of user activity associated with QR codes:
- Consuming is the most common activity. Users scan a QR code in order to read or review something like a restaurant menu or other documents.
- Sharing is becoming a common practice. Users present their 2D code to have their information verified (e.g. airline boarding pass, lottery tickets, or proof of vaccination).
- Generating is not as common but may occur if an application requires a code to perform an action, such as pairing a smart watch to a smart phone.
When a QR code is scanned, the decoded text can trigger actions such as opening a website, downloading an app, joining a Wi-Fi network, verifying information, creating a contact, sending an email or message and dialing a phone number. Although the Canadian public appears to believe that QR codes do not gather personal information, that is not what the CCCS paper said. A QR code can execute an action – such as opening a fillable PDF or online form – that prompts the user to enter personal information. When this information has been entered, scanning the QR code will display the stored information on the device. Some online forms also create a QR code once completed. The CCCS cautioned that, by scanning a QR code, the user could be susceptible to the following risks:
- The user’s online activity can be tracked by websites using cookies. The user’s data can be collected and used for marketing purposes without the user’s consent.
- Metadata can be collected associated with the user such as the type of device used to scan the code, the user’s IP address, location data and the information entered while on the site.
- The user’s financial data may be exposed such as a credit card number used to purchase goods or services on the website.
The CCCS also cautioned that the actions performed by a QR code can pose risks such as “allowing threat actors to leverage QR codes to infect devices with malware, steal personal information, or conduct phishing scams.”
More recently, in a post to Ars Technica titled The growing abuse of QR codes in malware and payment scams prompts FTC warning, published on December 11, 2023, security editor Dan Goodin discussed a new warning issued by the U.S. Federal Trade Commission, released about two years after the FBI issued a similar advisory. Mr. Goodin condensed the guidance from both agencies on how to guard against scams as follows:
- After scanning a QR code, ensure that it leads to the official URL of the site or service that provided the code. As is the case with traditional phishing scams, malicious domain names may be almost identical to the intended one, except for a single misplaced letter.
- Enter login credentials, payment card information, or other sensitive data only after ensuring that the site opened by the QR code passes a close inspection.
- Before scanning a QR code presented on a menu, parking garage, vendor, or charity, ensure that it hasn’t been tampered with. Carefully look for stickers placed on top of the original code.
- Be highly suspicious of any QR codes embedded into the body of an email. There are rarely legitimate reasons for benign emails from legitimate sites or services to use a QR code instead of a link.
- Don’t install stand-alone QR code scanners on a phone without good reason and then only after first carefully scrutinizing the developer. Phones already have a built-in scanner available through the camera app that will be more trustworthy.
In an older piece titled I Don’t Scan QR Codes, And Neither Should You published by Forbes on June 1, 2020, tech security expert Morey Haber listed eleven risks inherent in QR codes. Here are three of them:
- Phone: Scanning a QR code automatically loads or starts a phone call to a predefined number. With all the recent robocall and SIM-jacking attacks, this is another method for a threat actor to access your phone and identity. You are basically calling someone you do not know and handing over your caller ID information.
- SMS: Scanning a QR code initiates a text message with a predetermined contact by name, email address or phone number. The only thing the user needs to do is hit send, and you could potentially reveal yourself to a threat actor for SMS spam attacks or trigger the beginning of a SIM-jacking attack. A little social engineering is all it takes to convince the user to hit the send button.
- Location Coordinates: Scanning a QR code automatically sends your location coordinates to a geolocation-enabled application. If you are concerned about your data and location privacy, why would you ever do this?
If you are concerned about protecting your privacy and the security of your devices (particularly your smartphone, which is the device you are most likely to use to scan a QR code), here are four of the recommendations by the Canadian Centre for Cyber Security taken from the paper I discussed:
- Use private browsing mode on your device and consider using a browser with anti-tracking features.
- Be suspicious, and carefully verify the website URL, if a password or login information is requested after scanning a QR code.
- Check the browser settings to disable cookies and storage of site data.
- Provide the minimum amount of personal information requested when completing online forms.
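The checks the agencies recommend (look at where the decoded code actually leads before acting, watch for domains that differ from the official one by a single character, and treat phone, SMS and location payloads as actions rather than pages) can be scripted into a pre-scan inspector. The following Python is an added example written for this post, not code from any of the sources cited; the sample payloads, the expected host example-bank.com and the two-character lookalike threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample payloads (invented for this example, not taken from the article).
SAMPLES = [
    "https://example-bank.com/login",
    "https://examp1e-bank.com/login",      # one substituted character (l -> 1)
    "http://192.0.2.7/menu",
    "tel:+15555550123",
    "SMSTO:+15555550123:YES",
    "WIFI:T:WPA;S:FreeCafe;P:secret;;",
    "geo:51.05,-114.07",
]

# Non-web actions a decoded QR payload can trigger, as listed in the article.
ACTIONS = {"tel": "dial a phone number", "sms": "compose a text message",
           "smsto": "compose a text message", "mailto": "compose an email",
           "wifi": "join a Wi-Fi network", "geo": "share location coordinates",
           "mecard": "create a contact"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect(payload, expected_host=None):
    """Return (action, warnings) for a decoded QR payload before acting on it."""
    scheme = payload.split(":", 1)[0].lower()
    warnings = []
    if scheme in ACTIONS:
        # The payload is a device action, not a web page: surface it before it runs.
        warnings.append(f"payload would {ACTIONS[scheme]}, not open a page")
        return ACTIONS[scheme], warnings
    if scheme not in ("http", "https"):
        return "unknown", ["unrecognised payload type"]
    host = (urlsplit(payload).hostname or "").lower()
    if scheme == "http":
        warnings.append("plain http: page and any submitted data are unencrypted")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("host is a raw IP address rather than a domain name")
    if expected_host and host != expected_host.lower():
        d = edit_distance(host, expected_host.lower())
        if d <= 2:   # assumed threshold for "almost identical" domains
            warnings.append(f"host {host!r} differs from {expected_host!r} by {d} character(s): likely lookalike")
        else:
            warnings.append(f"host {host!r} is not the expected {expected_host!r}")
    return "open a web page", warnings

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", inspect(p, "example-bank.com"))
```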
3. Conclusion
What, then, is the core privacy implication of QR codes? Well, think about this the next time you are tempted by one. If that stylish leather jacket you’re holding in your favourite designer store has a QR code on the tag, you can probably scan it to read more details on the brand’s website. Give it a try if you haven’t already. Then put the jacket back and go about your browsing. The next time you visit the site, it will remember you, and the jacket might be waiting in your shopping cart with a discount. That is an example of how QR codes have “emerged as an effective way to collect first-party data,” as discussed by tech journalist Tatum Hunter in an article titled QR codes are a privacy problem – but not for the reasons you’ve heard, published in The Washington Post edition of October 7, 2021. The QR codes themselves do not violate your privacy – but the websites they open may, and the calls by privacy hawks for more transparency in the collection and storage of first-party consumer data have been long and loud. Eric Rescorla, former chief technology officer at Firefox, told Ms. Hunter the real privacy issue is the “broader tracking apparatus” the codes are part of. QR codes are not a “trapdoor into some scary underground world of tracking and surveillance,” he said. “You already live in that world.”