On QR Codes

We are beginning to see QR (quick response) codes more frequently. At least I am seeing them in advertisements and other places where we have heard for decades they were going to arrive.

The idea behind a QR code is rather simple. A URL is encoded as a square (or differently shaped) pattern composed of a matrix of squares that are black or white. Using a camera on a phone with a QR code reader installed, a user scans the code, which opens a web page (the most common use) or performs some other task (for example, we are configuring our learning management system so students can scan a QR code to record their attendance).

While this is an easy way to accomplish tasks, QR codes can also pose a significant security threat. When we scan a QR code, we really have no idea what is encoded. When navigating to a URL, we (at least) have the domain, which provides a clue as to whose server we are connecting to. We can use that to make some judgements about how safe it may be.

When scanning a QR code, one has absolutely no cues as to what it will do. Sure, it may take you to the promised web site, but it may also install malware.
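One way to get that clue back is to decode the code to text first and look at the text before anything opens. The sketch below is an added example, not part of the original post; it assumes a reader has already decoded the payload to a string, and the function name `preview`, the prefix table and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Non-web payload prefixes commonly understood by QR readers (not exhaustive).
ACTIONS = {"wifi:": "join Wi-Fi network", "tel:": "dial number",
           "sms:": "compose SMS", "smsto:": "compose SMS",
           "mailto:": "compose e-mail", "geo:": "open map location",
           "begin:vcard": "add contact"}
UNKNOWN = {"action": "unknown", "host": None,
           "warnings": ["not a web URL or known action"]}

def preview(payload: str) -> dict:
    """Describe what a decoded QR payload would do, without acting on it."""
    text = payload.strip()
    low = text.lower()
    for prefix, action in ACTIONS.items():
        if low.startswith(prefix):
            return {"action": action, "host": None, "warnings": []}
    try:
        parts = urlsplit(text)
    except ValueError:  # malformed URL, e.g. a broken IPv6 bracket
        return dict(UNKNOWN)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return dict(UNKNOWN)
    host, warnings = parts.hostname, []
    if parts.scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        warnings.append("userinfo before @ can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary DNS name
    return {"action": "open web page", "host": host, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ["https://www.example.com/attend?class=101",
                   "http://www.example.com@198.51.100.7/login",
                   "WIFI:T:WPA;S:ExampleNet;P:constructed-pass;;"]:
        print(sample, "->", preview(sample))
```

The second sample shows why the host has to be parsed rather than read by eye: the text before the `@` looks like a familiar name, but the server contacted is the address after it.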

I have come to follow this simple rule: if I know the person suggesting I scan a code and have an idea where it originated (for example, if a presenter says “scan this code from Mentimeter”), then I will scan it. If I am not certain of the origins of the QR code, I don’t scan it.