Can QR codes be dangerous?
Most people mistakenly assume that creating QR codes is something that requires official authorisation, when in fact it could not be easier for anyone (including bad actors) to make their own QR codes.
How easy? Simply enter any URL into a website like QR Code Generator and your new QR code is instantly available – whether it’s legitimate or not.
The reason is that QR codes were designed for easy creation, identification and automation in trusted supply chains, not for authentication or brand protection. Their strength is that they are easy to generate and scan, and those same features are also their greatest weakness.
“A fake QR code on a fake product will often take you to a fake authentication website. Users cannot tell the difference as all QR codes look the same, and anyone can generate a QR code for free.”
Laava Joint CEO and Commercial Director, Gavin Ger
Why QR codes can't be trusted for secure applications
The problem is continually highlighted by numerous authorities, including the FBI, who issued a formal warning about the QR code appearing on ads during the Super Bowl. The US Army also advises caution, neatly summarising the problems:
“QR codes can:
- Add nefarious contacts to the contact list.
- Connect the device to a malicious network.
- Send text messages to one or all contacts in a user’s address book.
- Complete a telephone call to a telephone number that imposes charges on the calling phone.
- Send a payment to a destination where it cannot be recovered.”
At the bottom of this article, we’ve included a list of resources that spell out the potential dangers of QR codes – essential reading for anyone who manages a brand.
Spoofing and substitution: how QR codes can be dangerous
Substitution (also known as spoofing or clickjacking) is the method most often used to create fake or nefarious QR codes. A counterfeiter just has to scan one legitimate QR code, copy the HTML from the landing page and paste it into their own website, then link to that website from a new QR code they generate for free. And they’re in business!
Secondary defence mechanisms added to QR codes are so easily circumvented as to be of no practical use. Encryption, anti-copy elements or special features within the QR code, scratch-and-reveal code panels, and SMS two-factor authentication are all easily defeated.
The counterfeiter simply never deploys the secondary layer of defence: it’s child’s play to create a near-identical-looking substitute QR code without these measures, bypassing the extra protection they supposedly offer. This is why security experts argue there is no such thing as a “secure QR code”, as the articles below make clear.
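As an added illustration (not code from the original page or from Laava), the Python triage function below shows what a scanner-side check would need to do with the raw payloads behind the Army list above and the substitution scenario just described: identify which action a scanner app would perform for the payload, and for URLs accept only an exact HTTPS match to an allow-listed brand host. The brand host list and the sample payloads are constructed for the example.

```python
from urllib.parse import urlsplit

# Action a typical scanner app performs for each payload scheme. Constructed
# from common QR payload conventions; not taken from the original article.
PAYLOAD_ACTIONS = {
    "http": "open web page", "https": "open web page",
    "wifi": "join Wi-Fi network", "mecard": "add contact",
    "begin:vcard": "add contact", "smsto": "send SMS", "sms": "send SMS",
    "tel": "place phone call", "bitcoin": "send cryptocurrency payment",
}

# Hypothetical allow-list of hosts the brand actually controls.
BRAND_HOSTS = {"verify.example-brand.com"}

# Constructed sample payloads as a decoder would hand them to an app.
SAMPLE_PAYLOADS = [
    "https://verify.example-brand.com/check?id=123",       # genuine
    "https://verify.example-brand.com.evil.test/check",    # substituted site
    "http://verify.example-brand.com/check",               # downgraded
    "WIFI:T:WPA;S:FreeCafe;P:pass;;",                      # joins a network
    "SMSTO:+61400000000:hi",                               # sends a text
    "tel:+61900000000",                                    # dials a number
]

def classify(payload: str) -> dict:
    """Describe what following this payload would do and whether an
    authenticity check may follow it automatically."""
    lowered = payload.strip().lower()
    scheme = lowered.split(":", 1)[0] if ":" in lowered else ""
    if lowered.startswith("begin:vcard"):
        scheme = "begin:vcard"
    action = PAYLOAD_ACTIONS.get(scheme, "unknown / plain text")
    result = {"payload": payload, "action": action, "safe": False, "reason": ""}
    if scheme not in ("http", "https"):
        result["reason"] = f"non-URL payload would trigger: {action}"
        return result
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()   # hostname drops any user@ prefix
    if parts.scheme.lower() != "https":
        result["reason"] = "not HTTPS"
    elif host.startswith("xn--") or ".xn--" in host:
        result["reason"] = "punycode (possible look-alike) host"
    elif host not in BRAND_HOSTS:
        result["reason"] = f"host {host!r} is not a known brand host"
    else:
        result["safe"] = True
        result["reason"] = "exact match to allow-listed brand host"
    return result

def triage(payloads):
    """Classify every decoded payload; callers act only on safe ones."""
    return [classify(p) for p in payloads]
```

A host allow-list catches redirection to a look-alike or copied site, but it cannot distinguish a genuine code from an exact copy of it printed on a fake product, which is the limitation the article describes.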
The secure and globally scalable alternative to QR codes
Laava Smart Fingerprints® are the secure alternative to QR codes and fast becoming The Global Mark of Trust™. Here’s why:
- Laava Smart Fingerprints are visually distinct and utilise patented computer vision technology, rather than simple machine-readable codes. This means that they can be easily distinguished by eye from QR codes. Unlike QR codes, there is no data stored in a Smart Fingerprint for a bad actor to use.
- Only Laava can issue Laava Smart Fingerprints, and Laava will only issue them to brand owners and authorised parties. They are also unique to every individual item and can be branded. By contrast, anyone can generate a QR code – whether they are the brand owner or not.
- Any smartphone with a camera can be tricked into scanning what appears to be a legitimate QR code, whereas only the Laava scanner can scan a Smart Fingerprint. The Laava scanner needs no special app – it can be easily embedded into the brand’s website, social media, app or any other official touchpoint.
- Laava captures an image of every scan and counts every one – along with the date, time, location and other factors related to every scan. This enables Laava to immediately stop any copied or reproduced attempts, as well as providing valuable forensic data for investigators.
- Laava is built for blockchain and NFTs, and can be white-labelled by partners and platforms globally. Because Laava is secure by design, it makes the ideal pairing with blockchain and NFTs, and can also be integrated with any supply chain traceability or ERP system.
- Smart Fingerprints can also be paired with a second Smart Fingerprint inside the packaging, or with invisible taggants or forensic technologies (we have several partners of both kinds) – to add protection for the product’s contents, not just the packaging.
- Finally, it’s worth noting that Laava is fast, easy and cost-effective to deploy – unlike many other offerings in the market. It needs no special inks, substrates, apps or technology – and brands can be in market with Laava in days and weeks, not months. If you’re building the globally scalable alternative to QR codes, this is important!
Because each Smart Fingerprint is unique and designed for secure consumer engagement, they are perfect for securely rewarding customers or capturing sensitive information. Read how our customer Tamburlaine used Laava to offer its customers fractional share rewards and engage with consumers.
When Australian premium fruit exporter Reid Fruits ceased using QR codes and adopted Laava’s anti-counterfeit solution, they experienced a dramatic reduction in counterfeit attempts: from thousands to only 10 in the first year (all shut down automatically by Laava), only three in the second season, and zero known counterfeit attempts the following year.
“In the 2018/19 season in China, the counterfeiters had made a complete digital copy of our carton. We were using highly intricate laser-cut stickers affixed to our carton lids at that time – a new and different sticker design at the start of each season – as an anti-counterfeit measure. The copy carton included a digital image of the new sticker for the 2018/19 season.
At that point, we had also been using a printed card within each carton with the cherries with a QR code linked to a Reid Fruits website for customers to check authenticity through the QR code. The counterfeiters had also copied this card incorporating their own QR card linked back to their own fake Reid Fruits website to verify the carton as authentic.
We were also using carton liners printed with the Reid Fruits logo and carton bases with a watermark printed Reid Fruits logo – this was also copied.
All this happened within a week of our product arriving in the market in the 2018/19 season.
In the cherry season just gone (2021/22) we didn’t receive any reports of counterfeit products in market or any sign of attempts to counterfeit our cartons or labels.”
Tony Coad, Manager Marketing and Sales, Reid Fruits
Check out further case studies and stories.
Further reading on the dangers of QR codes
By now it should be clear that QR codes cannot be trusted for secure applications. If you need more proof, check out the further reading below. We’ll keep this list updated as we find further articles, so bookmark this page.
- FBI: Yes, scammers are using fake QR codes to put malware on your phone, access your accounts (1 March 2023)
- FBI: Fake QR Code Warning (7 September 2022)
- The Conversation: How QR codes work and what makes them dangerous – a computer scientist explains (7 August 2022)
- Better Business Bureau: BBB Scam Alert: Fraudulent QR codes continue to be used in a variety of scams (1 August 2022)
- Learn Hub: Are QR codes safe? Best practices to ensure QR code security (21 April 2022)
- Fast Company: How QR codes work—and what makes them dangerous (13 April 2022)
- Inc.: If you scanned that QR code from the Super Bowl (or any QR code), the FBI has a warning for you (22 February 2022)
- FBI: Cybercriminals Tampering with QR Codes to Steal Victim Funds (18 January 2022)
- US Army: Army CID cautions rise in QR code scams (11 March 2021)
- Forbes: I don’t scan QR codes, and neither should you (1 June 2020)