Is scanning QR codes with your phone risky?

I understand that the QR code is a website address, but am I supposed to whip my phone out before the QR code disappears from the screen and point the camera at my TV, which will be able to read the QR code from 15 feet away?

My local paper has just decided to supplement their print edition with QR codes that will let me listen to podcasts, watch videos, or be directed to further information on their website. If I wanted to do all that, I’d subscribe to just their online edition, and not bother to get the print edition delivered.

I guess I’m just an old fart. (and get off my lawn!)

Obviously you already have your phone out, because everyone always does, and obviously you’re just going to pause the TV, because everyone has a TV that can pause live programming.

Would you be more likely to use this feature if the reader was shaped like a cat?

I have one of those! A CueCat that I use for scanning barcodes for my ReaderWare DVD inventory program.

Whatever gave you that idea? 😁

There are privacy concerns over this practice.

I don’t worry too much about it - I figure “they” have all my information one way or another, anyway.

The built-in photo app in iOS will automatically process QR codes and I assume it’s the same on Android. There is no real risk in scanning QR codes if you use the built-in photo apps in Android and iOS to scan them. It’s no different than visiting a URL in your browser.

(In fact, in the latest versions of iOS and Android, the photo apps will automatically do OCR and offer to copy any text in the images to your clipboard or even search for photos containing those words… it’s pretty cool!)

Almost–you have to go to the “Google Lens” mode. But it’s just a couple of taps away.

QR Codes—so dangerous and ominously scary. Like some sort of cyberpunk nightmare. Now Aztec codes, those are just fine.

In my strong technical opinion the answer to the question in the title is “no”, assuming you are on a modern device with all the latest software updates.

It could be restated as “is clicking a link dangerous?” and with a nice up-to-date device in hand, definitely no. Otherwise we’d all be screwed because people loooove clicking random links!

If you want to be extra careful you could go to incognito mode before visiting the link. I do that sometimes for links of sketchy provenance.

I’m hardly a technophobic old fogey, but I refuse to scan these stupid QR codes at restaurants for the various reasons mentioned upthread. In fact, I’ve disabled the QR reader on my phone. If the restaurant can’t be assed to give me a real menu, I can always go elsewhere.

The Podesta email dump was a result of a phishing attack, and played no small part in the outcome of the 2016 presidential election. So, uh… yes, we are already being screwed by people clicking random links. The lack of effective verification is one of the biggest security holes on the internet.

Eh, I disagree, that was about 2 factor auth which has made leaps and bounds of progress since 2016!

So I’ll add a caveat. Is clicking a link dangerous?

NO, assuming you are on a modern device with all the latest software updates and have enabled two-factor authentication on your important accounts.

For most people important means email, bank, and whatever you use most for social media. Discourse (here) supports 2FA as well.

2FA helps, though 2FA via SMS has problems of its own.

There’s still no real solution to “how do I know this page really is what I think it is?” Sophisticated users can look at the URL for clues, maybe detect if the page itself looks suspiciously different from the normal page, look at the certificate, and so on. But these are all imperfect.

There’s probably no perfect solution. But that just means that people need to always be on their guard when visiting a page from an unknown source. Of course, the click itself is not too dangerous (with some exceptions); acting on the contents of the page may well be.

Well yeah if the page you visit is asking you to LOG IN that’s a different thing.

I would assume people clicking on a simple informational link that leads to an unexpected login would just bail on it. Certainly in the context of the first post, you’re at a restaurant scanning a QR code to get a menu in the browser… no way you should see “PLEASE LOG IN TO YOUR BANK ACCOUNT” in the browser at that point 😜

“Please log in to your Google account to continue” appears in so many places that I’m sure some people get inured to it. And I’ve seen restaurants do a lot of stupid crap with regards to their websites. I’ll bet at least a few have uploaded a PDF of their menu to a Google Drive, which might well trigger a login prompt.

Can you please explain incognito mode and exactly how it would protect me?

Outlined here

TL;DR it turns off a number of tracking features including cookies. It’s kind of like a cloth mask for COVID – it’s only helpful in conjunction with other safety tools, not meant to be a complete solution on its own.

In general, is giving your credit card number to an app more dangerous than to a website that displays a lock symbol on the credit card entry page?

I’d always consider giving a credit card number to an app dangerous, because an app ought to be using the much more secure payment service system that comes with the OS. And if they can’t get that right, who knows what else they’re getting wrong with their security?