How to make sure QR codes are safe before you scan

I’m seeing QR codes everywhere these days.

You know what I’m talking about, right? Those little bar code squares are popping up on buses, billboards and business cards. You also might find them on train tickets, job advertisements and magazines.

Interestingly, the ubiquity of these black-and-white “stamps” galvanized a few sites to lampoon the QR mania.  WTFQRCodes is a good example showing QR codes in absurd places such as coasters, cookie wrappers and cupcakes.

The world is teeming with QR codes.

These little freckled squares encode text, and the apps that read them typically dwell on smartphones. Advertisers love QR codes because they enable effortless access to their websites. The customer doesn’t need to sit there tapping out a long URL on his phone; instead he can just scan the code and get whisked away to the brand’s landing page.

So what could go wrong with that?

Well…

There’s no way to ascertain the destination of the QR code before scanning it.

Sure, if you trust the brand you can safely assume you’ll end up on their homepage; however, not all QR codes are created equal.

Through a process known as attack tagging (or just attagging), a malicious user could link to a duplicitous website designed to capture personal information or infect your system.  Since the QR code usually opens a default app, depending on the code, an unscrupulous hacker could craft one to exploit a weakness in that app.

Or even worse: depending on the permissions of your QR reader, the QR code could expose private data on your phone such as files, photos and passwords.  It also has the potential to furtively corrupt your privacy settings or arrogate your phone to use it as part of a botnet.

Now, you’re an unwitting accomplice in a massive distributed denial of service attack against a political website. You thought your phone was static, silently sitting in your pocket, but in reality it became a slave in a global campaign comprising thousands of other infected phones. Now you’re abetting a hacker group determined to debilitate a Russian website…

Yeah… that sucks.

So what’s up?

Fixing the QR Crap

The antivirus savants at Symantec have a free app that scans QR codes before opening them.  It’s called Norton Snap and is a great way to “screen” QR codes before scanning through to the URL.

Norton stands in the middle, like a formidable bodyguard, and compares the QR code destination to its database of website ratings.
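To make the “screen before you open” idea concrete, here is an added example (not Norton Snap’s code and not part of the original post) that inspects the decoded QR text and returns a verdict without opening anything. The blocklist, the shortener list and the names `screen_qr_payload` and `is_ip_literal` are assumptions made up for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data; a real screener would query a maintained rating service.
BLOCKED_HOSTS = {"login-update.example"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def screen_qr_payload(payload, blocked=BLOCKED_HOSTS):
    """Classify decoded QR text as 'allow', 'review' or 'block' without opening it."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        userinfo = parts.username is not None
    except ValueError:
        return "block", ["malformed URL"]
    scheme = parts.scheme.lower()
    if not scheme:
        return "review", ["no URL scheme; the reader decides how to treat it"]
    if scheme not in ("http", "https"):
        return "review", [f"'{scheme}:' payload is handed to another app"]
    if not host:
        return "block", ["web link with no host"]
    labels = host.split(".")
    # Match the host itself and every parent domain against the blocklist.
    if any(".".join(labels[i:]) in blocked for i in range(len(labels))):
        return "block", ["host is on the blocklist"]
    reasons = []
    if scheme == "http":
        reasons.append("unencrypted http")
    if userinfo:
        reasons.append("userinfo before '@' disguises the real host")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a name")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label, possible lookalike domain")
    if host in SHORTENERS:
        reasons.append("shortener hides the final destination")
    return ("review", reasons) if reasons else ("allow", ["no warning signs"])
```

Anything that comes back as “review” is worth reading character by character before you tap it.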

To use the app, just steady the QR code in front of your camera to focus and scan.

The screenshot below shows me scanning a code from my Adobe InDesign book.

Norton Snap Scanning a QR Code

It took me about 3 seconds to align the code inside the box but some people have problems holding steady (lay off the coke).

If that’s you, use two hands or clean the lens on your phone.  If it’s greasy from last night’s fried chicken dinner, it’ll never focus in time.

The three yellow squares near the base of the screen take you to the main screen, settings page and flashlight, respectively. That last option is great for when you need to snap the QR codes slapped on the bottom of popcorn buckets at the movies.

Haha, couldn’t resist the fatuous places people put these things…


 

The Norton Snap results display the web URL as a link so you can manually tap to open it, or you can do what I did and tick the “Visit trusted sites automatically” check box.

Norton Snap Results

You can grab Norton Snap in the Google Play Store.

The Bottom Line

Do you know what I like about Norton Snap?

It doesn’t beg for gratuitous permissions and works as advertised.

What do you think about Norton Snap and the proliferation of QR codes?  Is it a good thing for businesses to use them so liberally?  Have you ever visited an infected site via a QR reader?

Let me know in the comments!

About

Connect with Vonnie on Twitter
