A side effect of adtech and surveillance mania infecting everything, URLs in QR codes are likely to be either semirandom strings with tracking IDs, or links to URL shorteners that expand to such semirandom strings with tracking IDs. Either is very trivial to spoof with a similar-looking malicious URL.
Say you're on the bus stop and want to check upcoming buses (real stuff in the place where I live).
The bus company could either slap a QR code, or a "bit.ly/bus-stop-1234" URL. And someone could paste over it a "evil.com/bus-stop-1234".
Hint: use Firefox Focus as your default handler for URLs on mobile phone. It clears all history and cookies after each usage, which is perfect for opening unknown URLs.
That is how HTTPS works today, and does not protect you against phishing at all.
You scan your bus stop and it says "Verified Signed by City, County Bus service" instead of "anonymous asshole".
Not perfect, but it at least gives the users a chance unlike the blind redirect situation we have now.
* a freelance web dev
* two design agencies
* nobody (plain Let's Encrypt)
* a payments middle man company (stylised like "EZ pay")
* the council themselves (on the confirmation pages...)
So I would hazard a guess that "Mobile Transportation Services inc." is a little too sensible to be trustworthy...
(There have been many articles explaining why, here is one:
Paste that string into google, and tell me if you get the results you expect. You'll get a lot of Russian. Think people might go for that? There was an attack a while back where bad guys registered "adoḅe.com" and distributed malware. EV doesn't work.
Some assholes operating a digital signing authority get rich; good for you if you're one of them.
Requiring signatures will likely kill those applications.
Similar to how the existence of HTTPS does not kill the ability to transmit data over HTTP and visit sites with no certificate or a non-trusted certificate.
It could be as simple as a pop-up saying, "this QR code is not validated, continue anyway"?
So any time I see a QR code, I hesitate to point a reader app at it because I'm concerned that my phone could get hacked through it.
Your browser, your PDF viewer, your messenger are just more popular, but not fundamentally different from a QR reader application.
If you're so scared, don't browse anything with your mobile device; browsers are exploitable through pages they land on.
On mobile devices, you can't hover the mouse pointer over a link to see where you're going. That's substantially more dangerous than a URL reader which shows you the URL.
It's the same kind of issue that's possible with any kind of viewer (Adobe Reader, Flash Player, etc)
Once the file or data string is read, it's already game over, and both the QR code and PDF, SWF, etc aren't human-readable.
> An exploitable code execution vulnerability exists in the QR code scanning functionality of Yi Home Camera 27US 18.104.22.168D. A specially crafted QR Code can cause a buffer overflow, resulting in code execution.
And this is not unique to QR codes -- the correct setup string looked like "b=USmtPf6GnLZYDuR9&s=PCheX14pPg==&p=AbCD123465". This already looks like gibberish to most people; if this was replaced with an evil string, I am not sure the user would realize that.
The former is easily ignorable, while the latter is no worse than typing random link shortener URL you found on paper.
For example, they could put the QR code behind glass, and have a sign telling people to only scan the code if they can see it behind the glass. Someone could still paste a QR code of their own outside the glass, but it would be pretty obvious.
Or instead of printing them on paper, they could have a small LCD screen dedicated to displaying the code. This could be designed to make it obvious if someone tries pasting a code over the screen. For instance, the screen could be a bit bigger than the QR code, which could move around the screen, like the bouncing ball or logo in many screen savers.
Teach machines to make use of human language instead of teaching humans to make use of machine language.
Both of these scan perfectly fine with QR. And in HR, those (and most of other damaged examples) would be unreadable.
Many payment QRs are actually dynamically generated on a POS machine LCD so you get amount and recipient on your device - so that fake sticker problem doesn't exist in these cases
For example, if you replace "tipme.com/some_bar" with "tipme.cz/some_bar", most people would have no idea the latter is the wrong URL; and even waiters/cleaners may not notice the change
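The substitutions described in this thread ("evil.com/bus-stop-1234" pasted over a shortener link, the "adoḅe.com" homograph, "tipme.cz" standing in for "tipme.com") all come down to the same defensive question: before a scanner app opens a decoded URL, what can it tell the user about it? The following added example (not code from any commenter) shows the checks a scanner or a deployment's own verifier could run on a decoded payload. The allowlist `EXPECTED_HOSTS`, the shortener set and the sample payloads are constructed for the example; the diacritic-stripping "skeleton" is a deliberately crude stand-in for a real confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist for one deployment (constructed): the host that this
# deployment's legitimate codes are expected to point at.
EXPECTED_HOSTS = {"tipme.com"}
# Small illustrative set of public shorteners, whose destination is hidden.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def _skeleton(host):
    """Strip diacritics so that 'ado\u1e05e.com' collapses to 'adobe.com'.
    This is a crude confusable skeleton; a real check would use the
    Unicode confusables data (UTS #39) rather than NFKD alone."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def triage_qr_url(payload, expected_hosts=EXPECTED_HOSTS):
    """Return a list of (code, detail) findings for a decoded QR payload.
    An empty list means the URL is exactly what this deployment expects;
    anything else should be shown to the user before it is opened."""
    findings = []
    # Printed codes frequently omit the scheme ("bit.ly/bus-stop-1234").
    url = payload if "://" in payload else "https://" + payload
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased, port removed

    if parts.scheme != "https":
        findings.append(("plaintext-http", parts.scheme))
    if any(ord(c) > 127 for c in host):
        findings.append(("non-ascii-host", f"looks like {_skeleton(host)}"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("punycode-host", host))
    if host in SHORTENERS:
        findings.append(("shortener", host))
    if host not in expected_hosts:
        findings.append(("unknown-host", host))
        # Same name under a different TLD (tipme.com -> tipme.cz) is the
        # swap a casual reader is least likely to notice; call it out.
        labels = host.split(".")
        for expected in expected_hosts:
            elabels = expected.split(".")
            if labels[:-1] == elabels[:-1] and labels[-1] != elabels[-1]:
                findings.append(("tld-swap", f"{host} vs {expected}"))
    return findings


if __name__ == "__main__":
    # Constructed payloads mirroring the thread's examples.
    for sample in ("https://tipme.com/some_bar",
                   "https://tipme.cz/some_bar",
                   "https://ado\u1e05e.com/download",
                   "bit.ly/bus-stop-1234",
                   "http://evil.com/bus-stop-1234"):
        print(sample, "->", triage_qr_url(sample) or "ok")
```

A scanner that shows `non-ascii-host: looks like adobe.com` or `tld-swap: tipme.cz vs tipme.com` next to the URL gives the reader the same cue a desktop user gets from hovering over a link; the allowlist branch is what a venue operator would use to audit its own printed codes.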
They are readable when decoded; a lot of them just contain URL's.
There is a bit of an analogy here to shortened URL's.
and without the tag
Takes two seconds
They're very much in use, everywhere. I fail to see how I'd forget about them.
But without even reading the article I know that QR codes are only as powerful as the app that parses them. They can't do anything on their own, just convey a chunk of data to a reader.
I believe they caught on more than NFC because they require so little. Just a camera, which is already present in all devices. While NFC is a much bigger decision to implement since its field of use is much more restricted.
QR codes can just be printed, by everybody with a printer. Designers don't need to think a lot about technical details, they just put the QR code into their layout and send it off to the printing press (or in fact the screen).
Additionally because QR Codes are optical, it doesn't matter if you stand 20 meters away from the billboard if the QR code is big enough, while with NFC you would have to come close.
Although I find the stupid implementations funny, I've seen ads pasted on cars, they'd have super dense QR code, but maybe be the size of your palm.. uhm, if the idea is for people stuck in traffic around you to see them, they need to have less pixels or be bigger. Besides the dense QR codes are not just some domain, but usually is some ad agency who wants to track how many times the code has been scanned and how many times they've redirected people to the real URL, so they can charge the owner for the service of... having a QR code.
Occasionally you'll see one on an ad or something... but the number of people who would ever scan it must be minuscule.
It's just not part of normal life here. At all.
(Employees scan codes on tickets for events or transportation though, very common, but I don't think those are technically in QR format usually.)
The only exception I can think of off-hand where scanning the codes on a phone is common here is scooter rentals. I doubt the average person on the street here would know how to scan a QR code they encountered in the wild (as opposed to app-specific codes).
Apple only added this feature fairly recently. So, people are mostly unaware of how convenient QR codes can be. Most people I do this to are completely unaware their phone can do this and it beats having to fumble with apps and mobile keyboards trying to figure out email addresses, phone numbers, etc.
If you are interested; just google for qr code generator and contact and you will find dozens of sites offering that. There are plenty of libraries for generating QR codes client and server side. You can download them as pdf, png, svg, etc. I put the document on my Google drive and created a short cut on my android phone.
Even cooler, on Sunday made friends with someone just back from teaching English in China, and at lunch we're exchanging phone numbers and I go, "Wait a minute..." and opened up the image.
She scanned it and immediately demanded to know how I'd done it. Thanks for the tip! :)
Perhaps I'm more paranoid than other people, but plugging your phone in to a public USB device seems incredibly dangerous to me. At the very least someone could have tampered with it to damage the next user's device, and at the worst it could be cloning your device's entire storage.
However, the closest thing to that I have found is simple battery packs which can generally remove the need for 3rd party mid day charging.
Damaging the device is a real deal -- I'd think more by accident than by design ("we spilled some soda on this charger... so it now gives out 20 volts instead of 5").
That's why I used to carry a small USB voltmeter with me when traveling.
That story is in China, where everyone is already massively monitored constantly (and this is not even hidden by their government).
The Shortcut is simple and easy to use (1). If I wanted to do the same thing on Android, I'd use Termux (2).
My 'Universal Clipboard' is a text file on a VPS. My devices set or get the contents via SSH. E.g. Android[Termux SSH] > VPS < iOS[Shortcuts 'Run Script over SSH']. Comes in handy!
KDE Plasma provides a QR Code for anything not too big you copy-pasted by clicking on an icon. "It should be more convenient than using the computer as a Wi-Fi hotspot for the phone, which is a two clicks operation, right?"
Wrong. It was painful.
We should reuse the idea of Quiet.js, seen today on HN, to solve this kind of situation.
- Copy from the phone and paste on your computer, or vice versa (this is an optional feature, fortunately).
- Right-click on a link in a browser, or click on the KDE Connect icon -> send to device.
You can also send files between devices with it.
(it works outside the KDE environment too, even outside GNU/Linux apparently, and Gnome has its own implementation)
Actually nomophobia is more than a fear of low battery - it is a fear of being without a working mobile phone, e.g. due to loss of phone, poor signal or low battery. It is more of a psychological condition, and proper treatment is to address the root cause rather than avoid the situation - it would be like saying heroin addiction is not a problem because there are heroin dealers on every street corner.
It's almost the same thing as worrying about a car breaking down if you're 100 miles from the nearest town.
Yet we don't have a specific "phobia" for that, because it's really not a mental disorder to worry about such things.
So many things today depend on having a working mobile phone.
Boarding a train or bus, for example. You can pay using your phone, if it dies on your way and you don't have cash, that's a problem.
When you put on GPS to drive somewhere, and the phone dies midway. No one has city maps anymore.
Making last minute plan changes in a group. If you don't have your phone, you won't get the latest messages.
Myself for example I've stopped carrying a debit card to withdraw money from ATMs because my banking app generates a code that I can use.
And many others. Now I know _every single one_ of these has a work around, but most of them are "just plan ahead and have an alternative if your phone dies". After years and years of just using phones, people simply don't carry around cash or quarters for a phone call anymore.
Not to mention that I need it for 2FA.
When my phone (5X) bootlooped on a trip (before I had the hard token) and I needed to access my email for plane ticket info/etc, I couldn't 2FA into anything.. I had to remember what airline I was flying, call them, then sort out details I was relying on having on my calendar or in my email.
Legit panic as I couldn't miss work and had spent hundreds on travel arrangements. I learned my lesson and got a backup hard token (and a backup for the backup that sits in a lock box) and I should probably drop the phone based 2FA as well for just the hard token but it is very convenient.
Now, only somewhat. I generally know how to get home from where I am, and I figure if my phone were to fail, I could drive until I could find a gas station with a map. (Or perhaps a convenience store to get a charger cable or new phone.)
And of course, this fear (of being phoneless) is just an update of an old one (of being lost). It's really hard to get lost in the modern world of gps and data.
Before GPS people just carried paper maps in their cars. It's harder to find paper maps at a gas station now, but if you're preparing for a long road trip, it's not a terrible idea to just bring along a paper map to start with.
I can't even begin to list the things; everything.
No, thank you.
Do any shoppers actually want this? I have legitimately never walked into a supermarket and thought "Gee, the experience today just wasn't as personalised as it could've been. I'll go elsewhere next time".
Before you enter China there are machines where you scan your passport, face, and fingerprints, so that's how they link faces to identities, but the example above shows the government gives this info out to... at least airport operators, but whom else?
If you are paying attention, there's (I think) a reasonable trade off by some companies. I'll take 3 minutes before each grocery trip to save $20+ a month via coupons in exchange for my purchasing history.
"Gee the experience today was very personalized, I'm definitely coming back next time!"
I go to the store next door, they have Lays. It's exactly what I wanted. I now come back to that store frequently. Store 1 has no way of knowing what I wanted or why I didn't come back. Store 2 has no way of knowing why I suddenly started coming to the store.
I would still frequent Store 1 if they had the products I wanted. I only go to Store 2 because its (inadvertently) personalized for me.
If it offered things like how to get through the store faster based on what I buy, changes to the location of products I buy, or changes to open hours that are when I usually go.
Instead it will probably just give ads for products it thinks I am slightly more likely that average to buy. So no thanks.
The digital version is much more one-sided. Some people may like this kind of personalization. I find it’s very rarely useful to me and very frequently intrusive.
Also free to air television never uses them.
Also I've never seen one used on the giant screen at a sports game or concert.
Also they could just be used for paying for anything at the checkout.
Is my understanding incorrect?
If your QR code requires the user to create an account in your webservice or install your native app to do anything useful, it does not bring much value, unless everyone around has your native app.
Whereas if you integrate via an app widely used by all people in the country (i.e. the QR code is a URL which opens the widely used app with certain parameters), you're more likely to have people use it.
Classical chicken-and-egg problem and a situation where monopolies do better than a fragmented market.
QR code size increases with the amount of data they contain. The larger versions take up lots of space and can be awkward to use. URLs are popular since they're usually small.
But China is in love with the QR code, so who knows how many years or decades it will take them to make their subway gates use fast NFC payments.
You can print a QR on paper. You can't do that with NFC.
NFC works in low light conditions -- QRs typically don't. NFC chips have allocated uids -- QRs are mutable. NFC is expensive and QRs are cheap. QRs are universal while NFC is tightly controlled.
NFC is mutable too; the low-cost unpowered chips you'll buy are mostly write-once read-many, but an NFC device with host card emulation can largely be whatever you want it to be. I suppose it's analogous to a QR code displayed on a screen vs. a printed QR code.
Nope -- even host card emulation can't emulate the UID for obvious reasons. Hence making it controlled.
So those two videos actually demonstrate that QR codes are actually more than fine. NFC might be faster and more convenient but the difference isn't huge.
The QR readers are certainly not “quite fast” and that’s nowhere near “a ton of people.” That QR gate wouldn’t stand up even on a weekend at a mid-range Japanese station.
I am surprised not more business cards have QR-codes printed on them with the important contact information. But for my personal use, I have a QR-code containing my email address as a picture on my phone, so I can display it for anyone to scan whom I want to give my address to.
The thing that surprises me here isn't the success of QR codes, but the failure of NFC (and to a lesser extent Bluetooth) which was practically designed for paying with your phone.
How did NFC lose out to QR codes at the application it was designed for? Was it a reliability problem? Were the APIs too locked-down for anyone to be able to work with them?
Why did I go for a QR code? I can print a QR code, but I can’t print a NFC code.
There's a "if you give a yak a razor" joke in there somewhere.
With contactless payments, you share your payment information with the point of sales. You do not get the opportunity to check what's going on (and it will never be due to the awkward position you have to hold your phone to get within NFC range).
For QR code payments, the point of sales generates all the information (how much money to which merchant) and encodes it as a QR. You scan the code and confirm the information, which results in a payment.
Add to that the years of shenanigans as mobile operators tried to make sure they were the gatekeepers for any sort of serious NFC usage (by controlling access to the SIM-based secure element) and the fact that QR can be implemented in an afternoon by any developer who fancies it without reference to anyone else and, well, here we are.
But the NFC world is becoming a more hospitable place, and we will now see NFC gradually supplementing then replacing QR in many use cases (though not all, as some are much better suited to one or the other tech; they are not 100% interchangeable)
I do understand security implications that lead to that decision, but it makes the whole process really cumbersome to use for a wide range of applications.
NFC pros are UX - you just place your phone, even without unlocking, and magic happens. Cons is, you can't make them at home, you have to order the tags, hope you order the right ones (few years ago there was some IP rights nonsense that prevented some types of tags working with some phones, not sure if it's true today).
As for NFC and payments, I'd blame a) above mentioned IP nonsense, and b) handling payments is a complicated relationship with third parties; if the third parties aren't willing to embrace NFC tags (and AFAIK they generally aren't, or will try to fleece you for it), there's nothing you can do yourself as a venue owner.
In China a large portion of the population practically skipped credit cards, when the mobile revolution came there was no NFC but QR codes were easy to implement. As a buyer you just need a camera on your phone and as a merchant you just need a piece of paper. No need for a register, no need for internet connection. In Hong Kong and Taiwan the transportation NFC card practically replaced cash and payment cards and also made NFC cards practically no better, also making QR codes relatively non-interesting. With the advent of WeChat however, this went to the side I suppose (haven't been there since so can't say for sure)
In contrast in Europe we did not use swipe cards much and went quickly to chip. Transition to contactless cards was more or less seamless because when you refreshed your card you got a contactless one. Which made merchants want to upgrade terminals. Mobile payment just piggybacked on that. There are some shops that accept qr code payments, but with presence of Apple and Android pay, this is a massively worse use case. QR codes are marginally more convenient than credit cards, but they require almost zero specific infrastructure.
From what I understand in the US chip cards came so late that everybody just immediately skipped to Apple/Android pay. However since chip card terminals are needed for nfc, this made adoption by merchants more of a "thing". It was quite common to see "this shop now accepts apple pay" as a headline.
Google intentionally hobbled NFC and stonewalled Panasonic from adding IrDA to Android to force people into using Android beam. Apple never gave anybody access to raw NFC to prevent competition to Apple Pay.
I personally met people who made TenPay. They pretty much confirm that the sole point of QR code was to sidestep Apple and Google.
The QR code has been around since the mid-90s and had nothing to do with payment. That's a much more recent application.
Range, most likely. You have to be pretty much on top of one another for NFC to work reliably. However, Japan made NFC work pretty well, IIRC.
By contrast, you can scan a QR code with your camera from across the room if the QR code is big enough.
The real question is why not use BLE? And I suspect the answer was that BLE wasn't on feature phones in China when all this stuff was rolling out.
It may also be that QR codes practically always require you to contact a server somewhere, so China may prefer that over BLE for social control purposes. (For example, I believe that the Hong Kong protesters were doing information exchange over BLE in order to avoid getting shut down by the central authorities.)
Overwhelmingly most uses of QR codes I see today use the screen. Boarding passes etc
Getting a user to read a QR code is more painful
When you point your phone camera to a QR code it'll show a description/link.
QR codes are really handy for connecting to Wifi, I have a shell alias that runs:
qrencode -t utf8 "WIFI:T:WPA2;S:<Basestation-SSID>;P:<SecurePassw0rd>;;"
Is "WIFI:..." automatically passed to the network intent?
Edit: just tried in ZXing QR code scanner on Android, I was too curious.
After scanning the code, the proposed action that appears in the bottom part of the screen is "connect to network".
It just works! Super useful, thanks!
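The `qrencode` alias above emits the `WIFI:` payload that ZXing and the phone scanners built on it recognise, which is why the "connect to network" action appears. The fields are `key:value;` pairs terminated by a second `;`, and the one detail that bites in practice is escaping: an SSID or password containing `\`, `;`, `,`, `"` or `:` must have that character backslash-escaped, or the scanner splits the string in the wrong place. The following added example (not the commenter's code) builds such payloads with the escaping applied and parses them back, including the literal string from the alias above; the sample SSID and password are constructed.

```python
# Characters that must be backslash-escaped inside a WIFI: field value,
# following the ZXing barcode-contents convention.
ESCAPE_CHARS = '\\;,":'


def _escape(value):
    return "".join("\\" + c if c in ESCAPE_CHARS else c for c in value)


def build_wifi_payload(ssid, password=None, auth="WPA", hidden=False):
    """Build the text to feed to a QR encoder (e.g. qrencode -t utf8 ...).
    password=None produces an open network ("nopass")."""
    fields = [("T", "nopass" if password is None else auth), ("S", ssid)]
    if password is not None:
        fields.append(("P", password))
    if hidden:
        fields.append(("H", "true"))
    return "WIFI:" + "".join(f"{k}:{_escape(v)};" for k, v in fields) + ";"


def parse_wifi_payload(payload):
    """Split a WIFI: payload into its fields, honouring backslash escapes.
    Returns a dict such as {'T': 'WPA', 'S': ..., 'P': ...}."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):]
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])       # escaped char, taken literally
            i += 2
            continue
        if key is None:                   # reading a field name
            if c == ":":
                key, buf = "".join(buf), []
            elif c == ";":
                if buf:
                    raise ValueError("field without a value: %r" % "".join(buf))
                break                     # bare ';' = end of payload
            else:
                buf.append(c)
        else:                             # reading a field value
            if c == ";":
                fields[key] = "".join(buf)
                key, buf = None, []
            else:
                buf.append(c)
        i += 1
    if key is not None:                   # tolerate a missing final ';'
        fields[key] = "".join(buf)
    return fields


if __name__ == "__main__":
    # Constructed credentials that exercise every escaped character.
    payload = build_wifi_payload("Caf; Wi-Fi:2", 'p;a\\ss"')
    print(payload)
    print(parse_wifi_payload(payload))
    print(parse_wifi_payload("WIFI:T:WPA2;S:<Basestation-SSID>;P:<SecurePassw0rd>;;"))
```

Building the payload programmatically rather than by string concatenation in a shell alias matters as soon as the passphrase contains a `;` or `:`; the parser side is what a scanner must do before handing the network to the OS.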
The ad network and renting bikes and more recently charging electric scooters cases are also catching on.
So hold on, if I don't have a working phone, I can't wipe my ass?
We didn't go through (our video was awful) and never carried on the idea, but almost a decade later I still feel there is a ton of yet-to-be-unlocked potential in this!
I'm asking because I'm not sure if ZXing supports decoding binary data to begin with. I know zbar doesn't: current versions seem to mangle the output by trying to convert it to UTF-8. I haven't tested ZXing yet.
Also, is it using structured append mode or simply reading normal QR codes in a series and concatenating the data? Structured append mode QR codes have metadata such as an identifier for the sequence they're part of as well as their position within it.
Concrete example: 4096 bit RSA secret keys. They can be encoded as binary QR code but not as an alphanumeric QR code with base 64 data.
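The capacity point above can be made precise. QR alphanumeric mode has a 45-symbol alphabet (digits, upper-case letters and nine punctuation marks), so base64 output, with its lower-case letters and `=` padding, is forced into byte mode anyway, where it costs four bytes for every three of the original. The largest symbol, version 40, holds 2953 bytes in byte mode at error-correction level L, and structured append can chain at most 16 symbols. The following added example (not the commenter's code) encodes those rules; the 2400-byte blob is constructed filler roughly the size of a 4096-bit RSA private key in PKCS#1 DER, not a real key, and the exact length of a real key varies by a few bytes.

```python
import base64
import math
import string

# Version 40 (177x177 modules) data capacity per error-correction level,
# from the QR specification's capacity table: characters for alphanumeric
# mode, bytes for byte (binary) mode.
V40_ALPHANUMERIC = {"L": 4296, "M": 3391, "Q": 2420, "H": 1852}
V40_BYTE = {"L": 2953, "M": 2331, "Q": 1663, "H": 1273}

# Alphanumeric mode's 45-symbol alphabet: no lower-case letters, no '='.
ALPHANUMERIC_CHARSET = set(string.digits + string.ascii_uppercase + " $%*+-./:")

MAX_STRUCTURED_APPEND_SYMBOLS = 16
# Each structured-append symbol spends 20 extra header bits (mode, position,
# total, parity); budgeting 3 bytes per symbol for it is slightly conservative.
STRUCTURED_APPEND_OVERHEAD = 3


def can_use_alphanumeric(text):
    """True if every character fits the alphanumeric-mode alphabet."""
    return set(text) <= ALPHANUMERIC_CHARSET


def symbols_needed(nbytes, ecc="L"):
    """Number of version-40 byte-mode symbols needed for nbytes of payload,
    using structured append when one symbol is not enough.
    Returns None when even 16 chained symbols cannot hold the data."""
    cap = V40_BYTE[ecc]
    if nbytes <= cap:
        return 1
    n = math.ceil(nbytes / (cap - STRUCTURED_APPEND_OVERHEAD))
    return n if n <= MAX_STRUCTURED_APPEND_SYMBOLS else None


def compare_encodings(raw, ecc="L"):
    """Compare carrying `raw` as binary against carrying it base64-encoded."""
    b64 = base64.b64encode(raw).decode("ascii")
    return {
        "raw_bytes": len(raw),
        "base64_chars": len(b64),
        "base64_is_alphanumeric_mode": can_use_alphanumeric(b64),
        "raw_symbols": symbols_needed(len(raw), ecc),
        "base64_symbols": symbols_needed(len(b64), ecc),
    }


# Constructed filler roughly the size of a 4096-bit RSA private key in
# PKCS#1 DER; it is NOT a key, just 2400 bytes covering every byte value.
KEY_SIZED_BLOB = bytes(range(256)) * 9 + bytes(96)


if __name__ == "__main__":
    for level in "LMQH":
        print(level, compare_encodings(KEY_SIZED_BLOB, level))
```

At level L the raw bytes fit one symbol while the base64 form (3200 characters) needs two chained symbols; at level M even the raw form needs two. A reader that only handles text, as the comment about zbar mangling output suggests, loses the binary option and pays that expansion for nothing.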
QRs are truly powerful.
And if you break your camera, you can't use QR-codes. Happened to me with Whatsapp Web.
Like I said, QR-codes are awful at usability and have extreme pitfalls. Shortlinks are quick, fast and concise and they take much less space.
Also, shortlinks do not mean "cryptic urls". For example slush.org/L01 is much, much better and faster than some QR-code, it's wayyyy more accessible and also more shareable. You can also tell about it to people with just words that they can easily remember.
QR codes are awful and have huge issues and pitfalls.
I mean QR codes are just an encoded link, right? What is the big deal?
Encoded data. Could be a link. Could be WiFi credentials. Payment information. Any sort of identification code. Etc.