Restaurants have them on tables, hotels offer them to show their services and museums use them to give instructions in the rooms or reveal the secrets of their works. The QR codes They are fashionable, more so following the pandemic, but are they safe? What can users do to avoid scams?
A QR code is a type of scannable barcode that is designed to be instantly read and interpreted by a digital device. They have been around since 1994 and one can store up to 4,296 alphanumeric characters.
The ones that are commonly used usually contain fewer characters, which allows easy decoding with a smartphone camera.
In the 1990s, an engineer from the company Denso Wave, a supplier of components for Toyota, wanted to improve the labeling system for the boxes of materials that were distributed by the factory, according to the Open University of Catalonia (UOC). in eastern Spain.
Masahiro Hara created a new system that went beyond barcodes that he called “quick response.” One day, while playing the typical Japanese game Go, he figured out how to use those black and white dots to encode information in two dimensions instead of one, as was done with barcodes.
Although these squares have been around since 1994, they didn’t become a “truly household name” until the COVID era. Today, cybersecurity company ESET describes, they can be seen everywhere and are used for everything from displaying restaurant menus to facilitating contactless transactions.
Versatility, a double-edged sword
The text strings that are encoded in a QR can contain various data and the codes can be used to open websites, download a file, add a contact, connect to Wi-Fi and even make payments. Its versatility can be a double-edged sword.
Their widespread use has drawn the attention of scammers, who can use them for malicious purposes.
Just as attackers can use malicious ads and other techniques to direct victims to fraudulent sites, they can do the same with QRs. For example, they might easily manipulate the QR to trick the user into downloading a malicious PDF file or a rogue mobile app, according to ESET.
Also, criminals might modify a QR of a financial transaction with their own data and receive payments in their account, and they might paste a code, generated to point to a malicious URL, on top of a good QR that is on a concert poster.
The key, common sense
For this reason, the experts consulted agree, above all, we must have common sense and distrust what we do not see clearly.
Jordi Serra, professor of Computer Science, Multimedia and Telecommunications Studies at the UOC, recommends configuring the devices so that they do not open the links directly -the latest operating systems already do so-, in order to be able to see what URL you are going to click on first.
You have to make sure not to enter personal data or that we are not downloading a file, for example.
“At first glance it is very difficult to know if a QR is malicious or not. Perhaps the first recommendation is to know where it is”, summarizes Fabián Torres, from Sicpa: “if it is inside an official building or in a restaurant we can assume that it is probably not malicious”.
On the contrary, “if it is on the street in a place where anyone can place it (lamppost, facade, pole) we should already start taking precautions, especially if it is accompanied by tremendously attractive and unusual as inciting us to capture it”.
In addition to the location, take all the usual device protection precautions: passwords, latest versions of the operating system and applications, anti-malware, antivirus, etc.
“Every day we see manipulated QR codes”; An example is the case of PCR tests. “And the truth is that you don’t have to do any engineering or go to the deep internet to manipulate or alter these codes, on the internet you can find how to change them,” says Torres.
However, there are “impossible to tamper or forge” QRs that combine innovative technology – for example, mathematical cryptographic algorithms and blockchain. “Our Certus solution is used successfully all over the world for COVID certificates, university degrees or certification of public and official documents”, says the Sicpa expert.
