The Quick Response codes we see on everything from movie posters to business cards are becoming the ubiquitous contact links of an entire new generation of mobile devices and the people who use them. Originally invented in Asia at the end of the last millennium (circa 1994 Japan, actually), these matrix or 2D (two-dimensional) barcodes are now enjoying broad adoption in North America.

Claudiu Popa

Playing on their coolness factor, their practicality is fully realized when we’re out and about, with only a couple of seconds to take in snippets of information on billboards or posters. From our perspective as users, it’s an intriguing way to exchange contact details and access a wealth of information about different products by simply scanning a digital coffee stain.

For marketers, this is an opportunity to target and track their promotional messages across a wide swath of captive audiences in a very cost-effective manner. The QR-code you see here simply (albeit shamelessly) opens up my Kiva page on your cell phone, but it can just as easily allow me to count the ‘hits’, identify your handset and precisely target my message to your situation. Or push your smartphone towards a completely different web site destination.

Naturally, this presents a few opportunities for malfeasance from geolocating unsuspecting individuals to leading them to malicious Web sites that may infect their phones. The ideal situation would be to target specific phone brands, such as say, jailbroken iPhones (http://bit.ly/aLgncn), while presenting innocent (or differently infected) content to others in a bid to delay detection and maximize attack effectiveness.

While most handsets ask the user to confirm Web site access and to approve the download and installation of all software, such awareness is not as high with smartphones and mobiles as it is with traditional PCs. Most users simply want to install and start using the app, without thinking about the potential for privacy breaches, financial fraud, identity theft and other security mischief. The Australian Privacy Commissioner touched upon the threats posed by rogue applications, including unauthorized address book access, theft of written notes and other data such as passwords and bank account details. For more information see their Scamwatch site (http://bit.ly/cSJ85F).

So where does this leave users? We’re seeing a rapid growth in malware (PDF presentation) for all mobile phone platforms, with infection vectors ranging from web sites to the telecommunications companies themselves (http://bit.ly/cS9FJw). For those phones that don’t yet natively support QR codes, a variety of barcode reader apps are readily available (http://bit.ly/btGEus) and the increasing popularity of these digital calling cards – now used on everything from cartoons to tombstones – is making this functionality all but irresistible. Last but not least, the widespread use of URL shorteners (such as the ones used throughout this article) can help to obscure malicious destinations from being immediately filtered by anti-malware systems.

Unfortunately, it all comes down to awareness. In the near-term users will have to exercise caution when accessing sites, downloading and installing software. The technology to prevent and detect infection on mobile phones is still in its infancy. In the meantime, we can create and enjoy QR codes for what they are: a cool, quasi-steganographic, way to exchange contact details and get people to Like” our social networking pages.

About the author:
Claudiu Popa is an information security and privacy expert.
Share on LinkedIn Comment on this article Share with Google+
Around the Web
  • http://tag.microsoft.com Nadia

    Hey there,

    Great article on QR codes. I was wondering if you had heard about Microsoft Tag. Somewhat the same function as QR codes but on steroids! Offering analtycis, heat maps, scan analytics, customization, scalability and more. Right out of the box and for free.

    Check us out at http://tag.microsoft.com

    Or feel free to email me if you wish to further discuss.

    Cheers,

    Nadia

  • John

    Interesting article. I happen to love the whole QR code flexibility. I been using http://www.beqrious.com I truly believe they will be a standard feature in all advertisement in the future!

  • http://www.InformaticaSecurity.com Claudiu Popa

    Indeed, there’s a lot of interesting development going on in this field. The opportunities for security breaches are significant and will be exploited in time. In the meantime, Microsoft’s beta technology offers some interesting functionality:
    http://www.microsofttag.info/explanation/Microsoft_Tag_Comparison

    Claudiu

  • http://www.qrpal.com Rebecca

    I recently found a great QR Code scanner which has built in security features, it was free to download also, you can only download it for android now, but Im assuming that the iphone version wont be far off, Android market link – https://market.android.com/details?id=com.qrpay.qrpal

    • http://www.itbusiness.ca Nestor Arellano

      Thanks very much for the tip rebecca

  • ted

    This was a great eye-opening article, I was wondering if you happened to have any info on the many online QR generators. Can they just as easily overlay one of these malicious codes over your harmless one?
    If I’m creating one, should I try a few online generators and make sure the codes are identical?
    Thanks!

  • http://arm.2012dietadietolog.ru Victoria

    Unquestionably believe that that you stated. Your favourite justification appeared to be on the internet the simplest thing to take note of. I say to you, I definitely get annoyed even as folks think about worries that they plainly do not understand about. You managed to hit the nail upon the top as neatly as outlined out the whole thing with no need side effect , other folks could take a signal. Will probably be again to get more. Thank you

  • http://Website robot hayward

    I have noticed that online education is getting common because obtaining your college degree online has developed into popular option for many people. Numerous people have not necessarily had a possible opportunity to attend an established college or university but seek the improved earning potential and career advancement that a Bachelors Degree affords. Still other people might have a college degree in one course but would wish to pursue something they now develop an interest in.

  • http://www.heelskingdom.com Ariel Zheng

    Risk always creat somebody and destroy somebody.