Why you shouldn’t scan them recklessly.
During a recent televised sporting event, a company spent a lot of money to run an advertisement that was nothing more than the display of a QR code, not unlike the one displayed above.
Apparently, against all common sense and with no regard for security, millions of people used it.
Why? What did it mean? What are you supposed to do with it, and how does it relate to security?
They’re actually pretty cool.
But they can also be weaponized, and you’d never know.
QR codes are text encoded in a machine-readable format so scanners and smartphones can easily decode them. They’re most often used to encode webpage URLs. Since there’s no easy way to ensure they point to a non-malicious webpage, be skeptical and use them with caution.
QR: Quick Response
A QR (for Quick Response) code is nothing more than text encoded in a machine-readable way. Seriously, that’s it.
Here’s the previous paragraph encoded as a QR code:
Here’s the Gettysburg Address encoded as a QR code:
And at the top of the page is a QR code for the URL “https://askleo.com”.
Using a QR code
QR codes are intended to be scanned by apps on smartphones and other devices.
Depending on your phone, you may need to install a dedicated QR code scanning app, or it may already be built into your phone’s camera software.
Here’s the QR code at the top of the page, as “seen” by the camera in my Pixel smartphone:
I’ve circled the text decoded by my camera. The camera previews the beginning of the decoded text if it can sense that it’s looking at a QR code.
If I were to tap on the text circled in red above, it would open the web browser on my phone and take me to that URL.
And that’s the general idea. While there are other uses, the primary intent is that you point your phone’s camera at a QR code, let it decode what it sees, and then go to the URL encoded within.
But there’s a risk.
Why millions of people were wrong to scan
You can’t tell what a QR code contains before you scan it. Many scanning apps only display the first part of what they find, so even the “preview” above could be incomplete. Some don’t preview at all and simply go.
Blindly scanning and using a QR code is like clicking on a link you can’t see. You have no idea where it will take you.
You have no idea whether it’s legit or dangerous.
Hackers and scammers know this.
Now, the QR code displayed in that TV ad is very likely legitimate,[1] as are those I’ve shown above.
But you just don’t know.
Using QR codes safely
Be skeptical. Like any URL you click on, make sure you trust the source.
If you don’t — if you’re not sure — then don’t. Get to the information it purports to represent some other, safer, way.
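One way to see everything a QR code contains before opening it, as an added example that is not part of the original article. It assumes a scanner has already decoded the code to text; the function name, the 24-character preview length, and the trusted-host list are hypothetical choices made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

PREVIEW_CHARS = 24  # assumption: how much a scanner shows; real apps vary

def inspect_qr_text(text, trusted_hosts=()):
    """Summarise already-decoded QR text so the full destination is visible."""
    text = text.strip()
    report = {"full_text": text, "preview": text[:PREVIEW_CHARS],
              "host": None, "warnings": []}
    warn = report["warnings"].append
    try:
        parts = urlsplit(text)
    except ValueError:
        warn("malformed: text could not be parsed as a URL")
        return report
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        warn("not-web-url: plain text or another scheme (%r)" % scheme)
        return report
    host = (parts.hostname or "").lower()
    report["host"] = host
    if scheme == "http":
        warn("http: connection would not be encrypted")
    if "@" in parts.netloc:
        warn("userinfo: text before '@' is not the site, the host is " + host)
    try:
        ipaddress.ip_address(host)
        warn("ip-host: a numeric address instead of a name")
    except ValueError:
        pass  # an ordinary host name, nothing to flag here
    if any(label.startswith("xn--") for label in host.split(".")):
        warn("punycode: internationalized name, may resemble another site")
    if host not in report["preview"].lower():
        warn("preview-truncated: the preview ends before the full host name")
    if trusted_hosts and host not in trusted_hosts:
        warn("untrusted-host: not on the caller's list of expected sites")
    return report

if __name__ == "__main__":
    # Constructed sample payloads (reserved example names and addresses).
    samples = ["https://askleo.com",
               "https://shop.example@203.0.113.7/offer",
               "Four score and seven years ago"]
    for s in samples:
        r = inspect_qr_text(s, trusted_hosts=("askleo.com",))
        print(r["preview"], "->", r["host"], r["warnings"])
```

The second sample shows why a short preview is not enough: the part a scanner would display ends before the address the browser would actually visit.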
Creating QR codes
Many browsers now have controls allowing you to make a QR code for the URL currently displayed in your browser.
In addition, there are several QR code generators available on the web and in various applications.
Footnotes & References
1: Although it did crash the servers at the target website because of the overwhelming volume.