By Jordi Serra Ruiz, researcher in the IN3's KISON group
QR codes existed well before the COVID-19 pandemic, but they were much less commonplace. They were sometimes used in museums or on leaflets so that anyone wanting additional information could obtain it simply by scanning them.
But do we really understand what a QR code is?
In 1994 an engineer at Denso, the Toyota-group company that supplies components for Toyota cars (the part of the business that later became Denso Wave), wanted to improve the labelling of the boxes of components distributed to the various parts of the factory. Until then they had used the one-dimensional barcode we are all familiar with: a number encoded as a row of vertical bars of varying thickness. On its own that number means nothing; it has to be looked up in a database to find out which product it is or, in this case, where the box should be taken. Barcodes are still ubiquitous on supermarket products: the scanner reads the number, looks up the product it corresponds to and adds it to your shopping.
That engineer was Masahiro Hara, and he called his invention the Quick Response code because its content can be read so quickly. He wanted to overcome the two drawbacks of barcodes: their very limited capacity and their dependence on a database to give the number a meaning. One day, while playing the traditional Japanese game Go (the resemblance can be seen in Figure 1), he realized that a grid of black and white stones could encode information in two dimensions instead of the single dimension of a barcode.
Figure 1. Japanese Go game (Wikipedia)
Hara then designed a method to turn a string of ASCII characters into a sequence of bits and draw that sequence as black and white squares (modules). The data bits are accompanied by Reed-Solomon error-correction bits, so a code that is partly scratched or covered can still be read. The bits are written into the grid starting at the bottom-right corner, in two-module-wide columns that snake up one column pair and down the next, skipping the fixed finder and timing patterns that tell the reader where the code is and how large its grid is.
The QR code thus contains a set of characters that a device can decode from the image. A typical example is a URL: Figure 2 shows the QR code that contains the UOC's web address.
Figure 2. https://www.uoc.edu
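To make the encoding step concrete, here is an added example (written for this article, not Denso Wave's or the author's code) that builds the data codewords for the address shown in Figure 2 in QR byte mode and reads them back. It covers only the bitstream stage: mode indicator, character count, data bytes, terminator and pad bytes, with the capacity table for versions 1 to 5 at error-correction level L. The Reed-Solomon error-correction codewords, masking and the zigzag placement of modules described above are not shown.

```python
"""Byte-mode data encoding for a QR symbol (error-correction level L).

Added example for this article, not Denso Wave's or the author's code. It
produces only the data codewords: the Reed-Solomon error-correction
codewords, masking and placement of the modules in the grid are not shown.
"""

# Data codewords available in versions 1-5 at error-correction level L.
DATA_CODEWORDS_L = {1: 19, 2: 34, 3: 55, 4: 80, 5: 108}
MODE_BYTE = "0100"          # 4-bit mode indicator for byte mode
COUNT_BITS = 8              # character-count width in byte mode, versions 1-9
PAD_BYTES = (0xEC, 0x11)    # the spec's alternating pad codewords


def pick_version(n_bytes: int) -> int:
    """Smallest version (symbol size) whose data area holds the payload."""
    needed = 4 + COUNT_BITS + 8 * n_bytes
    for version, codewords in DATA_CODEWORDS_L.items():
        if needed <= 8 * codewords:
            return version
    raise ValueError("payload too long for versions 1-5 at level L")


def encode_byte_mode(text: str) -> tuple[int, bytes]:
    """Return (version, data codewords) for an ASCII string in byte mode."""
    data = text.encode("ascii")      # the article's case; other charsets need ECI, not shown
    version = pick_version(len(data))
    capacity = 8 * DATA_CODEWORDS_L[version]
    bits = MODE_BYTE + format(len(data), f"0{COUNT_BITS}b")
    bits += "".join(format(b, "08b") for b in data)
    bits += "0" * min(4, capacity - len(bits))      # terminator (shortened if no room)
    bits += "0" * (-len(bits) % 8)                  # pad to a whole codeword
    codewords = bytearray(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    for i in range(DATA_CODEWORDS_L[version] - len(codewords)):
        codewords.append(PAD_BYTES[i % 2])          # fill the rest with 0xEC, 0x11, ...
    return version, bytes(codewords)


def decode_byte_mode(codewords: bytes) -> str:
    """Inverse: read the mode indicator, the count and the data bytes back."""
    bits = "".join(format(b, "08b") for b in codewords)
    if bits[:4] != MODE_BYTE:
        raise ValueError("not a byte-mode stream")
    count = int(bits[4:4 + COUNT_BITS], 2)
    start = 4 + COUNT_BITS
    data = bytes(int(bits[start + 8 * i:start + 8 * i + 8], 2) for i in range(count))
    return data.decode("ascii")


if __name__ == "__main__":
    version, cw = encode_byte_mode("https://www.uoc.edu")   # the address in Figure 2
    print(f"version {version}, {len(cw)} data codewords:", cw.hex(" "))
    print("decoded:", decode_byte_mode(cw))
```

The 19-byte address needs 164 bits, more than the 152 bits a version 1 symbol offers, so the encoder steps up to version 2 (34 data codewords) and fills the unused tail with the alternating pad bytes; the first codeword, 0x41, is the mode nibble 0100 followed by the high nibble of the character count.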
Potential security issues with QR codes
The pandemic has made these codes ubiquitous in establishments, particularly restaurants, where they replace the paper menus that many hands would otherwise touch; many restaurants have even stuck them to their tables. Museums now use them to provide instructions for each room, guided tours and other purposes, and there are codes that place a phone call or join a public Wi-Fi network (the payload carries the network name and password).
But what are their pitfalls? A QR code replaces readable characters with an image that humans cannot read directly, so we depend on a device to convert the image back into characters. If the device then acts on those characters straight away, by opening the URL, placing the call or downloading the file, we have acted on content we never saw, and that is where the security issue lies.
That is why scanning apps should be configured not to open links directly but to show the decoded content first (the full URL, the phone number, the Wi-Fi details) and ask for confirmation, so that we can check where the QR code really points before anything happens.
A cybercriminal could stick a paper label carrying a QR code that leads to a malicious URL over the genuine code on a restaurant's outdoor tables. Anyone scanning it will assume it is exactly what the establishment provided and open it without a second thought.
Or you could find a QR code at an ATM that claims to link to the bank's app or login page and actually leads to a phishing page imitating it.
A QR code can also make the scanning device dial a number directly, by encoding the number with the tel: URI scheme (defined in RFC 3966; some readers also accept the Skype-style callto: scheme). A cybercriminal could use this to make you call a premium-rate number, so a dialler that displays the number and asks before calling is what stands between you and the bill.
A fake ticketing website can also be set up to exploit a concert or event in your town or city. All the criminal needs to do is print a QR code and stick it on the official poster, so that people take it for the official code and believe they can get tickets at the best price if they hurry before the offer runs out. Those who scan it and go ahead will probably buy non-existent tickets with their credit card, handing their card details to the criminals.
A further complication is that a QR code may encode a shortened URL rather than the real one, so even when the address is displayed it tells you nothing about where it actually points; Twitter's t.co and LinkedIn's lnkd.in links are everyday examples. If you cannot see where a link leads, the safe course is to distrust it and to check that the QR code is legitimate and identical to the one the establishment provides. Websites exist that expand shortened URLs back into their real destination, and you can do the same yourself by requesting the short URL without following redirects and reading the Location header it returns, so you can see where a shortened address hidden in a QR code really leads.
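The checks described in this section (look at the decoded content before acting on it, treat tel: and shortened URLs with suspicion, expand a short link without following it blindly) can be put into a small triage routine. The following is an added example written for this article, not code from the original post or from any scanner app; the payloads and hostnames in it (sho.rt, tickets.example, login.example, FreeCafe) are constructed placeholders, and the list of shortener domains is illustrative rather than complete. Decoding the image itself (camera to string) is left to the scanner app; this starts from the decoded string.

```python
"""Triage of a decoded QR payload before acting on it.

Added example for this article; not code from the original post. Payloads
used below are constructed, and the hostnames (sho.rt, tickets.example,
login.example) are placeholders.
"""
import re
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Well-known shortener domains (illustrative, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "t.co", "lnkd.in", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


def classify_payload(payload: str) -> dict:
    """Say what scanning this payload would make a device do, and flag risks."""
    p = payload.strip()
    scheme = p.split(":", 1)[0].lower() if ":" in p else ""
    if scheme in ("tel", "callto"):            # RFC 3966 tel:, plus Skype's callto:
        return {"kind": "phone_call", "target": p.split(":", 1)[1],
                "flags": ["would dial a number; premium-rate numbers cost money"]}
    if scheme in ("sms", "smsto", "mailto"):
        return {"kind": "message", "target": p.split(":", 1)[1],
                "flags": ["would compose a message"]}
    if scheme == "wifi":
        # WIFI:T:WPA;S:<ssid>;P:<password>;;  key:value fields separated by ';'
        fields = dict(f.split(":", 1) for f in re.split(r"(?<!\\);", p[5:]) if ":" in f)
        flags = []
        if fields.get("T", "").lower() in ("", "nopass"):
            flags.append("open network, traffic not encrypted")
        return {"kind": "wifi", "target": fields.get("S", ""), "flags": flags}
    if scheme in ("http", "https"):
        parts = urlsplit(p)
        host = parts.hostname or ""
        flags = []
        if scheme == "http":
            flags.append("plain HTTP, contents and credentials visible in transit")
        if parts.username is not None:         # https://bank.example@evil.example/ trick
            flags.append(f"userinfo '{parts.username}' before '@'; real host is {host}")
        if host in SHORTENER_HOSTS:
            flags.append("shortened URL, destination hidden")
        if "xn--" in host:
            flags.append("punycode hostname, possible look-alike domain")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append("bare IP address instead of a domain name")
        return {"kind": "url", "target": host, "flags": flags}
    return {"kind": "text", "target": p, "flags": []}


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following the redirect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url: str, timeout: float = 5.0):
    """One HEAD request; return the Location header of a redirect, or None if final."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout):
            return None                        # 2xx: this is the real destination
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None                            # 4xx/5xx: stop and report where we got to


def expand_short_url(url: str, fetch=http_location, max_hops: int = 5) -> list:
    """Follow a redirect chain one hop at a time and return every URL visited.

    fetch(url) returns the next URL (the Location header) or None at the end.
    The default talks to the network; a table of hops can be injected instead.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt)          # Location may be relative
        if nxt in chain:                       # redirect loop
            break
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    for sample in ("https://www.uoc.edu", "tel:+15551234567",
                   "https://www.uoc.edu@login.example/", "WIFI:T:nopass;S:FreeCafe;;"):
        print(sample, "->", classify_payload(sample))
```

Nothing in `classify_payload` opens anything: it only reports what the device would do and why that deserves a second look, which is exactly the confirmation step a scanner app should offer. `expand_short_url` does touch the network by default, but with HEAD requests that refuse to follow redirects, so the full chain is shown hop by hop before you decide whether to visit the final page.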
The most important advice is to use common sense and not trust a QR code unless it is clearly the genuine one placed there by the establishment for its customers to use.