The Issues with QR Codes: Why Consumers Need to Think Critically


by Brandon Laur

What harm can QR codes pose? This is the question presented to a group of participants during Social Media Camp 2012 in Victoria, British Columbia. For a conference dedicated to social media, it would be unreasonable for the participants not to address the current security concerns around social media. Social media security is a subject area the average internet user knows little about. It is much easier to believe in a “just-world” online than to take a few moments to critically assess what is going on behind the user interface. So what is going on?

Communication online is becoming more open and more available, and end users are generally forced to go with the flow of new technologies without a second thought. So, again, what harm can result from the use of QR codes?

In contemporary society, people manoeuvre through daily life on autopilot. From a security standpoint, this creates the potential for the criminal element to exploit predictable behaviour; more particularly, the cyber criminal aims to exploit the lack of critical thinking. Phishing and scam websites are a popular instance of how scammers rely on the conditioned response of the user to automatically populate user credentials, because the digital citizen is so accustomed to always logging on. Across emails, blogs, websites and social networks, they forget to critically assess how and where they are logging on, and what or who is monitoring this information, before pressing the log-on button.

The tinyurl, as the name describes, is a shortened web link standing in for its longer source. An example of such a link looks much like this, and this link actually leads to From the viewpoint of the attacker, this provides the perfect opportunity to launch a phishing attack against the user who clicks on the link thinking it actually leads to their social network or online bank. These shortened links provide users the ease of access they insist on having.

Another issue internet users fail to recognize is the data created just by visiting a website. The internet runs on the rate at which devices connect to websites. It is in the best interest of the blogger and the e-commerce business to collect information on their customers, and these businesses collect information on current users whenever they connect to the website. Sometimes the business model of an online company is based purely on collecting and trading information about customers.

A growing trend in social media tools is the use of QR (Quick Response) codes. This tool functions much like a barcode in retail stores. Using the camera of a smartphone, an internet connection, and proper software to read the QR code allows the user to connect to a website. This connection via camera phone lets the smartphone user quickly access the website without typing the URL. The risk comes from users not knowing what site a QR code will link to. Much like the tinyurl, a QR code relies on the trust of the user to believe that what is advertised with the code is what they will get when using it.

Just-World Phenomenon: the belief that doing good deeds in life will result in good things happening to oneself.

Malicious websites have the potential to inject dangerous code into a smartphone just by the device connecting to the website, known as a “drive-by download”. Take for example the cyber criminal who has printed a variety of QR codes linking to a malicious website, with the purpose of pasting these codes over legitimate QR codes, emulating the genuine code in order to deceive consumers into compromising their devices.
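A pre-visit check, added here as an example and not part of the original article, for the risk described in the tinyurl passage and the two paragraphs above: a URL decoded from a QR code is triaged for the signs that hide or fake its destination before anyone opens it. The shortener list, the expected domain and the sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed list of common link shorteners (assumption; extend for your environment).
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly", "is.gd"}

def triage_qr_url(payload, expected_domain=None):
    """Return a list of warnings for a URL decoded from a QR code, before it is opened.

    An empty list means nothing suspicious was found, not that the site is safe."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # QR payloads can also carry tel:, sms:, mailto: or app-specific schemes
        return ["non-web scheme '%s': do not open blindly" % (parts.scheme or "(none)")]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if parts.scheme == "http":
        warnings.append("plain HTTP: content can be altered in transit")
    if parts.username is not None:
        # https://bank.example@evil.example/ shows 'bank.example' first but goes to evil.example
        warnings.append("credentials embedded before '@': the visible name is not the host")
    if host.replace(".", "").isdigit() or ":" in host:
        warnings.append("bare IP address instead of a domain name")
    if host in KNOWN_SHORTENERS or any(host.endswith("." + s) for s in KNOWN_SHORTENERS):
        warnings.append("shortener '%s': the real destination is hidden until resolved" % host)
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append("host '%s' is not the advertised '%s'" % (host, exp))
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads; .example is a reserved TLD and 203.0.113.0/24 a documentation range.
    samples = [
        "https://socialmediacamp.example/qr-info",
        "http://tinyurl.com/abc123",
        "https://socialmediacamp.example@203.0.113.5/login",
        "tel:+15550100",
    ]
    for s in samples:
        print(s, "->", triage_qr_url(s, "socialmediacamp.example") or ["no warnings"])
```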

The purpose of the following experiments is to exemplify how consumer expectation and conditioning are dangerous. Two separate experiments were undertaken during Social Media Camp 2012 in Victoria, British Columbia. Each test was proposed as a learning tool for attendees at the conference. The first test was to determine the number of attendees who interacted with seven posters spread throughout clear sightlines in the Victoria Conference Center.

Each poster contained a QR code with the title of the conference and follow-up information below it, informing participants how the technology works (see Figure 1).

The second test involved business-card-sized printouts of a different QR code linking to a website with the same information as the website for the poster experiment. After users connected online via the QR code, they were directed to a web page with a skull-and-crossbones icon. Further information was provided, vaguely prompting the user about the potential insecurities of QR codes. After reading the information provided, the user was also encouraged to attend a security talk at the conference that would provide further information on the security threats (see Figure 2).

Experiment One was in progress throughout the full two days of the conference. The purpose of this strategy was to receive as much participation from the attendees as possible. Experiment Two was directed towards a small subsection of the whole attending population.

This experiment took place within a 90-minute presentation on social media security. Most user activity occurred before the presentation, as everyone was entering the lecture room and as the presentation was beginning. The website behind each QR code was set up with an analytics tool to analyse the data that user devices provide to internet services, unknown to the individuals who use such services. Data from the conference can be viewed below (see Chart 1).
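As an added illustration (not the article's analytics tool or its data), this parses access-log lines in the format a web server keeps for every visit and builds the per-device tally that the experiment's analytics produced; it makes concrete what a single scan hands over without the user noticing. The log lines, IP addresses (documentation ranges), timestamps and user-agent strings are constructed samples.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines standing in for the QR websites' visitor data.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jun/2012:09:02:11 -0700] "GET /qr/poster HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
198.51.100.7 - - [18/Jun/2012:09:03:40 -0700] "GET /qr/card HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-ca; Nexus S Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
192.0.2.11 - - [18/Jun/2012:09:05:02 -0700] "GET /qr/poster HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"
203.0.113.9 - - [18/Jun/2012:09:07:55 -0700] "GET /qr/poster HTTP/1.1" 200 512 "-" "BlackBerry9900/7.1.0.346 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def device_family(ua):
    """Coarse device classification from the User-Agent header, as an analytics tool does."""
    if "iPhone" in ua or "iPad" in ua:
        return "iPhone/iOS"
    if "Android" in ua:
        return "Android"
    if "BlackBerry" in ua:
        return "BlackBerry"
    return "Other"

def visitor_profile(line):
    """What a single scan hands over: address, time, page requested, device and OS version."""
    rec = parse_line(line)
    if rec is None:
        return None
    os_match = re.search(r"(iPhone OS [\d_]+|Android [\d.]+|BlackBerry\d+/[\d.]+)", rec["ua"])
    return {"ip": rec["ip"], "time": rec["time"], "page": rec["req"].split()[1],
            "device": device_family(rec["ua"]),
            "os_version": os_match.group(1) if os_match else "unknown"}

def tally_devices(log_text):
    """Per-device counts like Chart 1, built from nothing but the server's own access log."""
    profiles = [visitor_profile(l) for l in log_text.splitlines() if l.strip()]
    return Counter(p["device"] for p in profiles if p)

if __name__ == "__main__":
    for l in SAMPLE_LOG.splitlines():
        print(visitor_profile(l))
    print(tally_devices(SAMPLE_LOG))
```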

Although the data collected was not the initial purpose of the experiments, examining the information gathered provides an interesting analysis: the majority of users who participated were iPhone users. The total attendee count is unknown, and the number of handheld devices capable of using such technology is also unknown. The result is that a total of 31 people would potentially have compromised their devices if the QR codes were indeed malicious. Regardless of the sample size, there is an issue with accepting technology as it is without considering a “what if” scenario.

The purpose of using QR codes during the social media conference was to demonstrate the insecurities of such technologies to the conference attendees. As the largest social media conference in Canada, this was the perfect setting to launch such experiments. If anything was learned from the experiments examined, it is that a substantial quantity of information relating to the user is given away when visiting websites; furthermore, not knowing what the end user is accepting opens the potential to compromise the user's devices. Security is a spectrum between convenience and safety. It is up to the consumer to understand the degrees of the spectrum and place themselves where they are comfortable, after they understand the risks involved.

Brandon Laur has written specifically on the dangers of QR codes. This was based on an Internet and Social Media Safety presentation that he, along with Personal Protection Systems, conducted at “Social Media Camp 2012”, which is the largest event of its kind in North America.