QR Codes – Pros and Cons

Topic

New Reply

I’ve been seeing more QR codes lately and have just ignored them until recently I’ve been seeing them on my Medical Insurance statements, and some other postal mail I often recycle.  How far can they or should they be allowed to go with these and not jeopardize my privacy?

Currently I cut out all QR codes from junk mail along with my name and home address before putting it in the bag to be recycled.  It may seem like I’m being overly cautious but I don’t think so.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

6 users thanked author for this post.

jburk07, geekdom, Slowpoke47, Fred, Lars220, Kirsty

Reply | Quote

Replies

That wasn’t an aspect I had seen here, but it sounds like a reasonable security action.

There has been a continued increase of abuse of QR codes, linking them to malware, lots since the impact of pandemic contact-tracer apps around the work.

3 users thanked author for this post.

jburk07, Charlie, Slowpoke47

Reply | Quote

Sounds sensible to me. I don’t use QR codes, who knows what they are telling your device to do?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

3 users thanked author for this post.

Kirsty, Charlie, Slowpoke47

Reply | Quote

Charlie wrote:

Currently I cut out all QR codes from junk mail along with my name and home address

I agree with Charlie that it is a good idea to cut out and shred the QR codes and addresses, along with any other PII Personally Identifiable Information just as a safety / privacy consideration. If the QR code is on our medical correspondence, it may contain PII.
The Make Use Of website has an article from July 29, 2022 titled:
“4 Ways Scanning QR Codes Can Expose You to Security Threats”
https://www.makeuseof.com/ways-scanning-qr-codes-expose-security-threats/
Which has good information about QR codes and how we should use them, including:
“How to Avoid QR Code Security Threats”. I recommend a visit to linked website for info.

Amazing Truths Revealed: Link to Simply Magnificent AskWoody Knowledge Bases

1 user thanked author for this post.

Charlie

Reply | Quote

I shred all paperwork with my details on it before recycling. Been doing that for years.

cheers, Paul

2 users thanked author for this post.

Charlie, Slowpoke47

Reply | Quote

I too shred all received paperwork with personal/identifying information… QR codes included.

IMO it’s just common sense these days.

2 users thanked author for this post.

Charlie, Slowpoke47

Reply | Quote

Paul T wrote:

I shred all paperwork with my details on it before recycling. Been doing that for years.

cheers, Paul

Same here.  And it seems to me that QR codes amount to a new way to harvest personal info.  Largely for security reasons, I am a member of the 3% tribe without a smartphone, so I’m not scanning any codes, suits me just fine.  We do not click on unfamiliar links, and definitely no QR’s.  And in our house we abandoned both Google and Windows some years back due to their invasive nature.

The public is just beginning to recognize the countermeasures one must take (not only eschewing QR’s of course) to salvage a reasonable degree of privacy and security online.  By coincidence, today’s Boston Globe has an editorial on the subject.  I’m encouraged to see that others here share my concerns.

Bottom line- you cannot get unhacked.

2 users thanked author for this post.

Charlie, WSbobby-p

Reply | Quote

I have a printed QR code in my hallway so guests can attach their devices to my guest wifi network.

It’s just saved SO much time… QR codes are not all bad.

Unfortunately, as with everything these days, you can no longer just automatically trust.

(How did we end up with so many recent innovations that can be abused? Aren’t there standards bodies saying ‘but what if’?)

3 users thanked author for this post.

Kirsty, SueW, Charlie

Reply | Quote

Rick,

Details please on the QR code for guest wi-fi.

Is the functionality provided by your router, if not how did you do it?

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

RG,

I just used Nir Sofer’s QR Code generator and printed out the result.

The very basic access to my router’s web interface was simple. For example, mine showed as:

However, I needed to read this article about QR Code contents to understand how to configure the parameters. The defaults for wifi network config are:

WIFI:T:WPA;S:mynetwork;P:mypass;;

My network is configured differently and for obvious reasons I’m not going to post the settings I changed this to.

It was a bit (a lot) of trial and error at first but I now have a template which I can change easily if I ever choose to change the Wi-Fi SSID name and/or password of my router.

Hope this helps…

5 users thanked author for this post.

wavy, SB9K, RetiredGeek, Kirsty, windbg

Reply | Quote

Rick,

Thanks a BUNCH!

I just substituted my SSID & PW and changed security to WPA2 and bingo.

I’v had NirSofter utilities for ages and still haven’t explored them all and have probably forgotten about some I have…

Update: Now that I have verified that this works I’ve made the password for the guest wi-fi 20+ chars long and completely random, password generator in Robo-Form. I’ve printed several copies that I can store for guests. Now I’ll leave the guest network on all the time.

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

And there is this site for a JS QR generator: https://qifi.org/

cheers, Paul

Reply | Quote

Just to clarify a bit, I get a lot of junk snail mail especially from non-profit organizations I donate to.  I only shred what I cut out, which is my name, address, account numbers, postal barcodes and QR codes if they are there.  That way, I have a lot less shredding to do and I just put the bigger leftover mail (minus my personal info.) into a paper bag to be recycled.

It’s easier for me to empty the shredder into a plastic bag which holds 3 or 4 shredder loads.  I put this in the regular trash because my recyclable collector won’t take plastic bags.  I only put out a bag of shredded stuff like maybe every 5 to 6 months, so it’s not that much.

I agree that all QR codes aren’t bad, but unless we scan them all we don’t know which ones are, and aren’t.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

RetiredGeek wrote:

Details please on the QR code for guest wi-fi. Is the functionality provided by your router, if not how did you do it?

I use my own QR codes a lot. Like Rick, I have a printed QR code so it’s easier for guests to connect to my wifi. This functionality is a factor of the phone or whatever is reading the QR code. It has nothing to do with the router or wifi configuration. Using a QR code facilitates the use of better passwords than most people would use if they had to write it down or recite it to someone else to type in.

A QR code is nothing more than a string of text, formatted in a standard way. Many modern smartphone cameras will recognize they’re looking at a QR code and offer to take some action based on the prefix in the text string — such as offering to connect to a wifi access point, or adding a contact to your address book, or opening your browser and going to a specific URL, etc.

Older phones may not know about QR codes, but there are QR code reader apps one can download that serve that purpose.

I’ll also mention that there are multiple ways to encode the QR data, so don’t be surprised if two QRs with the exact same text string look completely different.

There is so much error-correction built into the encoding that you can even cut out part of the image and it will still read correctly. That means you can overlay an embedded image or logo, within certain limits. Here are a few examples.

Here is a QR code for wifi credentials (with dummy QR data):

Here is a QR code for contact info (with munged QR encoding so it won’t read). This can be printed on the back of your business cards, and is a much quicker way of providing your contact info to someone else:

And here is an “In Case of Emergency” (aka, “ICE”) QR code (with munged QR encoding) that I’ve embedded on my phone’s lock screen background image. EMTs are trained to look for ICE info, but I’ve noticed not all phones use the same sequence of keys to bring up that info. EMTs probably know all the most common ways phones do it, but just in case, I stick an easily recognizable way right on my lock screen.

Charlie wrote:

I’ve been seeing more QR codes lately and have just ignored them until recently I’ve been seeing them on my Medical Insurance statements, and some other postal mail I often recycle.  How far can they or should they be allowed to go with these and not jeopardize my privacy?

I periodically scan some of those just to see what they contain. In every case they’ve been nothing more than a long string of numbers, which I presume may be a code to quickly match the paper letter with your record in the sender’s database. In no case have I ever found any of the numbers to match any of my personal information. It’s not any privacy data, and it’s likely worthless without access to the sender’s database.

Still, there are no guarantees a sender won’t let slip at least some private info in the future, and databases can and have been hacked. So erring on the side of caution is a wise move.

A QR code contains only a limited amount of text, though, so I’m not overly concerned with the QR code. I’m just as, if not more, worried about the identity theft concerns with the letter itself, which may contain account numbers, or even just the mere advertisement of the fact that I have an association with ABC Bank or XYZ Medical Hospital, for instance. That info alone could be useful to phishers. So my practice is to shred any paper from such sources with any PII on it … and that obviates the need to destroy the QR code separately.

 

9 users thanked author for this post.

geekdom, jburk07, SueW, zat_so, Rick Corbett, Slowpoke47, Kirsty, Charlie, DrBonzo

Reply | Quote

Thanks for all that information.  I know a lot more now, but still think I’ll stay cautious.  You don’t know when the day may come when some miscreant will find a way of using them for foul play.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

1 user thanked author for this post.

dg1261

Reply | Quote

I think that’s wise, Charlie — better to be safe than sorry.

For you or anyone else who wants to explore reading QR codes further, I’d recommend the Android “QRKY” app. (I don’t know if there’s an iOS version.) What I like about QRKY is that it shows you the raw text string in the QR code image, without trying to parse it. There are a wide assortment of other QR code readers out there, but most seem to want to “interpret” the code without showing you the raw text.

For instance, in the example Rick mentioned in his post, QRKY would show you the text string “WIFI:T:WPA;S:mynetwork;P:mypass;;” while most other readers would instead say, “That’s a wifi code, the SSID is this and the password is that.”

If you’re exploring random QR codes such as on those mystery postal mailings, it sometimes helps to see the actual text instead of having some app trying to interpret it, because you don’t know what the app isn’t showing you.

 

4 users thanked author for this post.

Rick Corbett, jburk07, Charlie, zat_so

Reply | Quote

You never know what someone might do on purpose or just by accident. I have Chinese shippers put my phone number on a shipping label .

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

If you have an Android phone, you can generate a Wi-Fi QR code via Settings, Connections, Current network – settings, QR code, Save as image (Gallery … Print).

(Not so simple on an iPhone.)

2 users thanked author for this post.

jburk07, Kirsty

Reply | Quote

Chrome can create a QR code for any web page it displays.  Another way to send a link to someone.

HTH, Dana:))

1 user thanked author for this post.

Rick Corbett

Reply | Quote

RetiredGeek wrote:

I just substituted my SSID & PW and changed security to WPA2 and bingo.

Happy to help RG… you’ve helped me so many times over the years, my friend.

It’s kinda magical when guests just point their smartphone’s cameras at the QR code and get connected.

Reply | Quote

Drcard:)) wrote:

Chrome can create a QR code for any web page it displays. Another way to send a link to someone.

You’re right… this is really useful and I’ve used it on occasion.

If it wasn’t for Chrome’s ubiquitous data-slurping I would possibly change from Firefox.

Reply | Quote

Rick Corbett wrote:

If it wasn’t for Chrome’s ubiquitous data-slurping I would possibly change from Firefox.

Vivaldi, a Chromium derivative, also has this feature:

Vivaldi, like most other Chromium derivatives other than Chrome itself, has the data slurping stuff removed, not to mention the limitations of Google’s self-serving limitations on ad blockers. The setup shown is highly customized to bring back my favored layout (which I also use in Waterfox), and I am using Chromium’s experimental dark theme for websites, as well as a dark theme in the browser itself and in the OS.

At present, I still prefer Waterfox G5, but I could easily fall back to Vivaldi if Firefox ever faded away (and without Firefox, there’s no Waterfox).

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

dg1261 wrote:

And here is an “In Case of Emergency” (aka, “ICE”) QR code (with munged QR encoding) that I’ve embedded on my phone’s lock screen background image.

Excellent suggestion. Thank you for this.

1 user thanked author for this post.

dg1261

Reply | Quote

samak wrote:

Sounds sensible to me. I don’t use QR codes, who knows what they are telling your device to do?

I’m cautious about QR codes I haven’t generated myself but have noticed that – post-Covid –  more and more venues have QR readers to check pre-bookings in with as an alternative to manned stations… so, increasingly, we’re being forced into using them or waiting interminably for a human (who invariably just says ‘scan this QR code’).

Reply | Quote

Rick Corbett wrote:

I’m cautious about QR codes I haven’t generated myself but have noticed that – post-Covid – more and more venues have QR readers to check pre-bookings in with as an alternative to manned stations… so, increasingly, we’re being forced into using them or waiting interminably for a human (who invariably just says ‘scan this QR code’).

Fortunately, I have never seen anything like that. I would not have known what to do with a QR code if someone exhorted me to ‘scan’ it, if I was willing to do so (and I would not have been). If I am expected to bring equipment to check in, they need to let me know in advance rather than springing it on me when I am already there.

I tried taking a picture of one of the codes in this thread, and I got a picture of a QR code. I know it is a dummy code, but the camera app didn’t try to interpret it… it just took a picture. I guess I could then show the picture to the human and see how they react… that might be amusing.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

RetiredGeek wrote:

Now that I have verified that this works

It took me more than a few goes at this before I worked it out.

Reply | Quote

Ascaris wrote:

I tried taking a picture of one of the codes in this thread, and I got a picture of a QR code.

I don’t know about Android but iOS now has QR code recognition built-in.

You don’t take a photo, you just point your smartphone’s camera at the QR code then move the camera forwards and backwards until the QR code is framed.

Apologies for the wonky screenshot but this is what happened when I tried:

You can just about see the yellow framing guides when the QR code was at the right distance from the camera lens, even though I was holding it a little tilted as I tried to co-ordinate the two-fingered dance needed to take a screenshot.

My iPhone wasn’t able to recognise the other 2 QR codes from the same post but that’s why I munge screenshots of QR codes I’ve generated.

I note that many recent books now include a QR code to get to author or publisher’s websites.

A Google search for qr code hacking shows they can be used/are being used as an attack vector, hence the need for caution.

For info, QR codes can be used for:

• Follow website links
• Direct-download apps from your app store
• Call phone numbers
• Add contacts to your phone
• Convey up to 4K words
• Authenticate an online account
• Verify login details
• Access a wifi network
• Send and receive payments
• Compose emails

For example, here’s a text QR code that shows the first 2 paragraphs of this post:

(Although I used Nir Sofer’s app some time ago, I’ve since found this online QR Code Generator much more versatile and easier to use.)

Hope this helps…

2 users thanked author for this post.

Ascaris, dg1261

Reply | Quote

Rick Corbett wrote:

I don’t know about Android but iOS now has QR code recognition built-in.

I would imagine Android does too. I am using a degoogled AOSP-derived ROM. I didn’t expect it to work, as that is the kind of thing that probably would have been in one of the Google apps, and my phone has none of those.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Ascaris wrote:

I tried taking a picture of one of the codes in this thread, and I got a picture of a QR code. I know it is a dummy code, but the camera app didn’t try to interpret it… it just took a picture.

Yeah, it varies by camera app. My wife’s Android phone behaves similarly to Rick’s screenshot, where the camera app recognizes it’s a QR code and a bubble pops up to join a network, or add to contacts, or go to a URL, etc. My own phone is older and the camera app does not recognize QR codes, but I can use an app (e.g., QRKY, QR Droid, QR Scanner, and perhaps some of those mentioned by others in this thread) that opens the camera and serves the same purpose.

Rick Corbett wrote:

My iPhone wasn’t able to recognise the other 2 QR codes from the same post but that’s why I munge screenshots of QR codes I’ve generated.

Yeah, I munged the other two illustrations in my post so they’re unreadable.

For the wifi illustration, I created a legitimate QR code but with dummy data, and pasted the “WiFi” logo over it. This example proves the QR code is still readable even though I overlaid part of it.

For the other two illustrations, I didn’t bother recreating functioning QR codes. I just took a couple of my QR codes and munged them by copy/pasting a block of QR “pixels” from one side of the image over other portions of the image. I didn’t want them to be readable, so this method of munging makes it still look like a functional QR code but it will fail error-checking and won’t decode.

Those two were just to stimulate people with some ideas of how they could use their own QR codes. I’m retired now, but I used to print QR codes with my contact info on the back of my business cards. My daughter has printed QR codes on Avery labels and sticks them on the back of her business cards.

For my lockscreen background image, I found an image I wanted to use for my lockscreen, copy/pasted a QR code in an image editor on my PC, and moved the image to my phone. It took a little positioning trial-and-error to make sure it wouldn’t be obscured by the other stuff phones overlay on the lockscreen, such as the clock, notifications area, etc.

 

4 users thanked author for this post.

wavy, Rick Corbett, Charlie, Ascaris

Reply | Quote

dg1261 wrote:

For the wifi illustration, I created a legitimate QR code but with dummy data, and pasted the “WiFi” logo over it. This example proves the QR code is still readable even though I overlaid part of it.

I would never have thought to do that… but it obviously works and seems like a good idea to make the purpose of the ‘wall print’ even more obvious to guests. I’ll incorporate it next time I change my Wi-Fi SSID/password combo.

In my experiments I thought at first that I would need to make the printout large… but that’s just not the case. My template is now 2×3 on a single page, i.e. the same QR code printed twice across by three times down to provide six instances on a single sheet of paper.

I now have 3 rooms with QR codes… with 3 spare.

I’m still experimenting with a QR code for the lock screen of my iPhone for ICE info… but, again, it’s another really good idea which I didn’t think of.

Many thanks for the suggestions.

1 user thanked author for this post.

dg1261

Reply | Quote

Rick Corbett wrote:

In my experiments I thought at first that I would need to make the printout large… but that’s just not the case. My template is now 2×3 on a single page, i.e. the same QR code printed twice across by three times down to provide six instances on a single sheet of paper.

Phone cameras are pretty sharp, so the QR code doesn’t need to be very big at all. For instance, the QR codes Charlie was talking about to start this thread are probably no more than a quarter inch square.

Of course, the smaller the image is, the less useful it is to try and embed some type of branding or logo, but in that case just reverse the QR and the logo:

 

Rick Corbett wrote:

I would never have thought to do that… but it obviously works and seems like a good idea to make the purpose of the ‘wall print’ even more obvious to guests. I’ll incorporate it next time I change my Wi-Fi SSID/password combo.

FWIW, this particular “Online QR Code Generator” will embed a logo or text overlay for you. You upload the graphic and it will resize and embed it with the QR code it generates.

I don’t particularly like to rely on websites that may or may not be there tomorrow, so I endeavored to figure out how to do it myself. I experimentally resolved some rules of thumb I follow:

• The logo need not be square nor even rectangular.
• The logo need not be centered. However, the QR spec places a line of timing pixels near the top and left edges, so don’t get too far off center — if those get blocked it won’t decode.
• Try to limit the logo area to no more than about 6% of the QR code, and the height and width to less than 25% of either dimension. (This is with “High” error correction. I haven’t tested how much of the QR code you can obscure with other error correction levels.)
• I place a border around the logo of the same color as the background and at least 1/2 to 1 “pixel” wide. (This probably isn’t strictly necessary, but I want to make sure the decoder will never mistake part of the logo as being part of the QR coding.)

I haven’t found a definitive reference so there’s probably more to it than that, but these rules of thumb have always worked for me.

 

1 user thanked author for this post.

Rick Corbett

Reply | Quote

dg1261 wrote:

I haven’t found a definitive reference

You’ve already posted far more info than I found out in my first attempts to provide a working Wi-Fi printout for my entrance hall, and have since provided much food for thought for other uses so… a big thank you for your efforts.

1 user thanked author for this post.

dg1261

Reply | Quote

As a postscript to this topic about QR codes, here’s a good video that was just recently posted:

Veritasium: “I used to hate QR codes. But they’re actually genius”

The second half gets into a lot of mathematics so could be kind of eye-glazing to many, but the first half is quite fascinating as it explains the history and how QR codes are constructed.

 

 

6 users thanked author for this post.

Charlie, satrow, Lars220, Rick Corbett, SueW, b

Reply | Quote

What a fascinating video. I never knew the history before now (and, unlike a lot of YouTube videos, it was clear, concise, well-paced and well-enunciated).

The second half was as fascinating as the first, probably more so (IMO). The maths (‘math’ for our cousins across the pond) was presented so clearly it was very easy to follow and intriguing.

Thank you for posting the link to it.

1 user thanked author for this post.

Lars220

Reply | Quote