It’s not like the code will straight up send money somewhere the moment you scan it. Can they even do more than open an app or a website? The default scanner with my Pixel doesn’t even open it without first telling you where it’s going.
Due to the limited amount of information stored in QR codes, it’s generally a shortened URL, so usually that doesn’t tremendously help at informing where you are supposed to end up.
If you’re trying to do something unique, that you don’t normally do, which IMO is the entire use-case of QR codes (go here to do the thing), and you’re expecting… Say, a website for paying for parking, then… It wouldn’t be hard for an attacker to create their own mock-up of the site, grab the URL and feed it through a shortener, and encode that into a QR code, printed on stickers, that they them plaster over the legit QR codes.
Unless you’re looking at the URL, and let’s face it, most people don’t, the sites are similar enough that they are just handing their credit card info over to an attacker, thinking they’re paying for parking.
Of course, that’s just one of many examples.
Personally, I don’t generally trust anything I scan. Most of the time, the QR code has a website name printed next to it, and I’ll scan the QR, because if it works and goes where I want to end up, so much the better, so I will follow the link, and if it lands at any URL that isn’t what is displayed on the label with the QR code, I back out and type in the URL by hand.
I expect exactly zero users to have the same caution and attention to detail.
It’s not like the code will straight up send money somewhere the moment you scan it. Can they even do more than open an app or a website? The default scanner with my Pixel doesn’t even open it without first telling you where it’s going.
Due to the limited amount of information stored in QR codes, it’s generally a shortened URL, so usually that doesn’t tremendously help at informing where you are supposed to end up.
If you’re trying to do something unique, that you don’t normally do, which IMO is the entire use-case of QR codes (go here to do the thing), and you’re expecting… Say, a website for paying for parking, then… It wouldn’t be hard for an attacker to create their own mock-up of the site, grab the URL and feed it through a shortener, and encode that into a QR code, printed on stickers, that they them plaster over the legit QR codes.
Unless you’re looking at the URL, and let’s face it, most people don’t, the sites are similar enough that they are just handing their credit card info over to an attacker, thinking they’re paying for parking.
Of course, that’s just one of many examples.
Personally, I don’t generally trust anything I scan. Most of the time, the QR code has a website name printed next to it, and I’ll scan the QR, because if it works and goes where I want to end up, so much the better, so I will follow the link, and if it lands at any URL that isn’t what is displayed on the label with the QR code, I back out and type in the URL by hand.
I expect exactly zero users to have the same caution and attention to detail.