I came across this video this morning. It’s a prank where little placards with QR codes for ‘Today’s Specials’ are distributed on tables by the prankster at a Cheesecake Factory. The codes do NOT link to the restaurant’s specials of the day. The ‘Over 18?’ title is because the content is mildly NSFW but probably wouldn’t get anyone fired.
The QR codes link to clips of hippos pooping which is enormously comical to my inner 11 year old self. Hippos are particularly interesting in this regard.
OK, with those artistic QR codes, I can see some real potential for social engineering/hacking. Put up a QR code like those, that doesn’t look like a QR code. Convince people to take pictures of the “cool artwork”. Land them on your malware site, and profit.
I don’t know if all phones work the same way but mine just shows a link to the URL. You have to actively click on it to go to a site. The phone does not automatically bring up a site when you scan a QR code. Not to say that it still couldn’t be used as a malware vector, but it would be analogous to a phishing email.
That’s really the critical point here. A QR code is really just a two-dimensional bar code that’s typically used to encode a URL in a somewhat visually appealing way. There’s nothing inherently sinister or insecure about the QR code itself; it’s just a way to get a relatively long URL into something that’s easily machine-readable.
The big question is whether you trust that restaurant and whatever security software you have enough to open up whatever URL they encoded.
It’s not immediately clear that’s the case from the QR code, so the question is whether or not you believe that I merely encoded the thread URL, or if you think it might be a Rick Roll or a picture of someone’s hairy butt or something worse.
(FWIW, it IS the thread URL just in case you were wondering)
I believe the stock Android Camera app (or at least the Samsung version) already does that. I scan a QR code with it and it says “do you want to go to blahblah.com?” before I actually click to proceed.
ETA: Discourse changed what I wrote. The Chinese characters are not what I’m seeing. I see ‘Open “x [as in X-ray] n [as in November] [dash dash] ggle [Golf Golf Lima Echo] 0nda [dot] com”’
Yes, that’s what I saw, only without the www. I don’t know why this message board changed what I typed to Chinese.
I clicked on that link in your post and got here:
Hmmm… can’t reach this page
www.gοοgle.com’s DNS address could not be found… diagnosing the problem now.
Except it doesn’t say www.google.com. It has the x-ray November string. (I really hate it when I know exactly what I want to enter, but the computer thinks it knows better than I do.)
The xn--ggle thing is supposed to be broken (I made sure I didn’t actually link to a malicious site). Your QR code reader appears to be more secure than mine, since mine renders it as the indistinguishable gοοgle.com and you can only tell the difference after clicking on it.
I can’t explain the Chinese character thing, except that perhaps Discourse has a bug in its punycode interpreter (punycode is the name of the encoding scheme that you’re seeing here, with the dashes and such). Any ideas, @codinghorror?
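As an added illustration of the punycode point above (this is not code from anyone in the thread), the script below takes the string a QR reader hands you, decodes any "xn--" labels the way a phone renders them, and flags labels that mix Unicode scripts. The domain it checks is the one spelled out in the thread, xn--ggle-0nda.com, which decodes to gοοgle.com with two Greek small omicrons (U+03BF); the other sample payloads are constructed for the example, and the Cyrillic one is hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"

# Constructed sample payloads, written the way a QR reader hands the decoded
# string to the user. The second is the domain spelled out in the thread:
# "xn--ggle-0nda" is the punycode form of "gοοgle", where both o's are the
# Greek small omicron (U+03BF). The third is a hypothetical extra case with a
# Cyrillic small a (U+0430) in place of the Latin a.
SAMPLE_PAYLOADS = [
    "https://www.google.com/",
    "https://www.xn--ggle-0nda.com/",
    "https://www.xn--pple-43d.com/",
]


def decode_host(host: str) -> str:
    """Return the host as a browser or phone would render it: every
    punycode ("xn--") label is decoded to the Unicode it stands for."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith(ACE_PREFIX):
            label = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def encode_host(host: str) -> str:
    """Return the host in its wire (ASCII/punycode) form, the inverse of
    decode_host. Labels that are already ASCII are left untouched."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if not label.isascii():
            label = ACE_PREFIX + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Collect the Unicode scripts used by the letters of one label, taken
    from the first word of each character's Unicode name ("LATIN SMALL
    LETTER G" -> "LATIN"). Digits and the hyphen have no script and are
    skipped."""
    found = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def inspect_qr_url(payload: str) -> dict:
    """Report what a cautious user would want to know before tapping the
    link a QR reader shows: the scheme, the host in both forms, and any
    label that mixes scripts (the homograph trick in the thread)."""
    parts = urlsplit(payload.strip())
    host = parts.hostname or ""
    rendered = decode_host(host)
    wire = encode_host(rendered)
    mixed = [lbl for lbl in rendered.split(".") if len(scripts_in(lbl)) > 1]
    return {
        "scheme": parts.scheme,
        "host_unicode": rendered,
        "host_ascii": wire,
        "is_idn": wire != rendered,
        "mixed_script_labels": mixed,
        # A mixed-script label is the classic lookalike; anything that is
        # not a plain web URL (tel:, sms:, wifi: ...) deserves a look too.
        "suspicious": bool(mixed) or parts.scheme not in ("http", "https"),
    }


if __name__ == "__main__":
    for url in SAMPLE_PAYLOADS:
        report = inspect_qr_url(url)
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10s} {report['host_ascii']:24s} -> {report['host_unicode']}"
              f"  mixed={report['mixed_script_labels']}")
```

The mixed-script rule is deliberately simple and is what most browsers start from when deciding whether to show a label as Unicode or fall back to the raw xn-- form. It does not catch a lookalike written entirely in one non-Latin script, so a production checker also compares against a confusables table rather than relying on script mixing alone.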
It’s a new iPhone SE I got Saturday to replace my iPhone 6S with the dying battery. I have not clicked on any QR codes with the SE; just looked at them through the camera on this webpage today. I’ve scanned the QR code using the 6S a few times at a restaurant we go to a lot. That was their anti-Covid measure. Before the 6S I had an LG Tribute. I had to download a reader to read QR codes. My wife had an LG phone until about six months ago, and she had to use my iPhone to read the menu because she never downloaded a reader.
I think the biggest security feature is that I generally don’t feel the need to read QR codes.
Emboldened by your replies to my query, I scanned a QR code for the first time just this minute. I’m at a restaurant I’ve patronized for years and I feel secure in doing so. I got their menu and everything is fine. Thanks for the advice.
I love it when TV shows/movies pay attention to the small details. On the most recent episode of Doom Patrol this shipping label is visible on-screen for a couple of seconds:
On the subject of QR codes: The last few days I’ve started noticing that some TV shows have been putting QR codes on the screen and telling you to “scan this QR code with your phone to (get more information on/sign up for)”. How is that supposed to work?
The store where I do my grocery shopping has added QR codes to most of the shelf price tags. This is Fred Meyer, a member of the Kroger family of stores. I used to spend an hour or so a week looking through the store’s online coupons and ads before shopping. Now as I shop, I scan the codes using the QR reader in the Fred Meyer app. I then find the actual price, whether there are any digital coupons I can download to my loyalty card, and generate rain checks for products that are out of stock. You can do the same basic thing at Walmart and Target; instead of scanning a QR code, you scan the bar code on the shelf price tag. I saved a bunch on a coffee maker at Target a few months ago. I was looking for something cheap and was scanning the shelf tags. An $89 Cuisinart coffee maker showed up on clearance for $35 when I scanned the BC. The shelf tag had not been changed to show the clearance.
When I shop at stores in Beijing, I have two options for paying: pay a human cashier, or go through the “self check-out” station. If I use the first option, I go to the store’s app or WeChat account and show my member QR code to the cashier, who then scans that before scanning my items. If I go through the self check-out station, I use the store’s app or WeChat account to scan the QR code that the station shows after I scan all my items. In both cases, whatever coupons and discounts that are available are automatically applied to the purchase.