Know your data 34: think before you scan

Quick, when was the last time you scanned a QR code? How frequently do you scan QR codes?

Source: Wikipedia

In recent years, QR codes have become omnipresent. They have been accepted by the public as a source of convenience. It's an elegant concept which led to an inspired piece of engineering. The camera on our mobile phone detects the QR code image, it converts the image into numbers then to text. The text is in the form of a hyperlink (https://..) The phone then calls that web link, the server on the other side sends the contents, e.g. the menu of a restaurant. In the meantime, the server collects data such as the owner of the phone, the location of the phone, etc. Advertisers and third-party trackers can insert themselves into this process.

A QR code is just a two-dimensional bar code. Usually, what's being encoded into the two-dimensional bar code is a hyperlink.

So, scanning a QR code is equivalent to clicking on a hyperlink.

Remember what cybersecurity people say about unsolicited emails with hyperlinks? They say never to click on such hyperlinks unless we inspect carefully the link itself. Something that starts with "https://www.citibank.com/" might be legitimate but if it looks like "https://citibank.bankingcenter.info/", that might be a pretender, and clicking on it will open up a communication channel with a server operated by a scammer.

***

What are we doing when we scan a QR code using our cell phone? We're clicking on a hyperlink - sight unseen.

Because the text is scrambled as a two-dimensional bar code, we can't inspect the link. This convenient piece of engineering opens us up to the kinds of scams that cybersecurity people have warned us about.

This scam is super easy to pull off. The scammer just needs to post a QR code outside a restaurant, with the words "Scan me to see the menu". Alternatively, the scammer can print their own QR code and place it on top of a legitimate one.

Think before you scan.

***
Here's more from the FTC warning (link).