There’s a lot of interest around creating malicious QR codes for one simple reason – the user cannot easily see what the encoded link is. Here’s some basic advice for both consumers using QR codes and also for those companies creating them as part of marketing campaigns etc. For more detail on QR code security, see my earlier blog.
Tips for users of QR codes:
- Get a good QR reader – one that allows you to review a link after you’ve scanned it and doesn’t randomly execute malicious stuff (I use Zebra Crossing’s ZXing Barcode Scanner for Android)
- Be extremely careful, alert and wary when scanning a QR code, don’t just scan anything assuming it’ll be ok.
- Don’t allow a QR code to dial a number or send an SMS unless you are absolutely sure you know that the number is legitimate. Otherwise you may end up with a very large phone bill!
- If it looks too good to be true, it often is. If you’re handed a flyer or competition with a QR code offering some fantastic deal, think about whether it is legitimate or not – is it just trying to get your personal data or, worse, trying to lure you into a security trap? A simple Google search is often enough to reveal scams.
- Don’t give away information needlessly – if a site asks you to connect to Facebook or your bank, does it really need this? (extremely unlikely!) Remember you can always close the site and walk away. You do not have to enter your details and I wouldn’t recommend that you do.
- Check to see if the QR code is physically the original if scanning a poster. Someone may have placed a sticker over the top of the original QR code to try and get you to download some malware or give away your details.
- Always check the URI (the link) to be sure it is going where you expected it to. Check the address bar at the top of the page. Is the website unusual? Have you been redirected to another site? If your scanner software on your phone has shown you the URI for the website, is it the same?
Tips for companies planning on using QR codes:
- Avoid link shortening services; these further confuse users as to who is providing the website – you probably don’t need the URI shortening anyway, you are using a QR code!
- Always display the URI you are linking to in plain text near to the QR code in order that the user can see what website it is supposed to be going to, or at least choose to manually enter it if they don’t want to use the QR code.
- Don’t use QR codes for anything that requires a user to divulge sensitive information such as credit card details. It’s irresponsible and customers won’t thank you for it.
- For shops, if possible, display your QR code behind a window or counter rather than outside, so that it is difficult, or at least obvious, if people try to tamper with it.
- Be conscious of defacement by people who may be opposed to your product or service. Remember, it only takes one code to be hijacked and reported in the press and your marketing campaign is wrecked. Think carefully about poster campaigns and where you place QR codes.
- For newspapers and magazines, consider vetting adverts that use QR codes in advance to check they’re ok.
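Putting the checks from both lists into code, as an added example that is not part of the original post: this Python function reviews an already-decoded QR payload the way a cautious scanner app would, flagging dial/SMS actions, non-web schemes, link shorteners (a short hypothetical list) and a mismatch between the decoded host and the URI printed next to the code. The sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of link shortener hosts for the demo.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Payload schemes that make the phone *do* something rather than open a web page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market", "intent"}


def split_uri(uri):
    """Return (scheme, host, parts) for a URI; scheme and host are lower-cased."""
    parts = urlsplit(uri.strip())
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts


def review_payload(payload, displayed_uri=None):
    """Return a list of warnings for a decoded QR payload (empty list = nothing flagged).

    displayed_uri is the plain-text link printed next to the code, if any.
    """
    warnings = []
    scheme, host, parts = split_uri(payload)

    # Dial / SMS / app-store actions should never run without the user confirming.
    if scheme in ACTION_SCHEMES:
        warnings.append(f"payload asks the phone to act ({scheme}:), not open a web page")
        return warnings
    if scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{scheme or '(none)'}'")
        return warnings

    if scheme == "http":
        warnings.append("plain http, not https")
    if host in SHORTENER_HOSTS:
        warnings.append(f"link shortener ({host}) hides the real destination")
    # user@host tricks: the part a reader notices first is not the real host.
    if parts.username or parts.password:
        warnings.append("credentials embedded in URL; the visible 'host' is misleading")

    # Compare against the URI printed beside the code (tip for companies above).
    if displayed_uri:
        shown = displayed_uri if "://" in displayed_uri else "https://" + displayed_uri
        _, shown_host, _ = split_uri(shown)
        if shown_host != host:
            warnings.append(f"decoded host {host!r} differs from printed URI host {shown_host!r}")
    return warnings


if __name__ == "__main__":
    for p in ["https://www.example.com/offer", "tel:+441234567890", "http://bit.ly/abc123"]:
        print(p, "->", review_payload(p, "www.example.com/offer"))
```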
For more marketing tips, have a look at this blog from Stephen D Poe.