Remember QR Codes? They’re More Powerful Than You Think (a16z.com)
245 points by yarapavan on Nov 1, 2019 | 196 comments

I like the functionality of QR codes, but the fact that they're not human readable makes them unsafe. It wouldn't be unthinkable to make a QR code, paste it over an existing one (for instance: the QR code in the bar to pay for a tip) and redirect the user to a spoof website where they can tip me instead of the bar/musician.

My QR reader on Android (ZXing's Barcode Reader) shows you the information on the screen before you decide what you want to do with it. That's as "Human Readable" as it needs to be, for me.

It's only helpful if you know what to expect.

A side effect of adtech and surveillance mania infecting everything, URLs in QR codes are likely to be either semirandom strings with tracking IDs, or links to URL shorteners that expand to such semirandom strings with tracking IDs. Either is very trivial to spoof with a similar-looking malicious URL.

It's the same with or without the QR code.

Say you're on the bus stop and want to check upcoming buses (real stuff in the place where I live).

The bus company could either slap a QR code, or a "bit.ly/bus-stop-1234" URL. And someone could paste over it a "evil.com/bus-stop-1234".

Hint: use Firefox Focus as your default handler for URLs on mobile phone. It clears all history and cookies after each usage, which is perfect for opening unknown URLs.

I'm looking forward to 20 years from now when all QR codes have to be digitally signed to be valid, and the digital signature must be authorized by a certificate authority in your phone.

And what would the benefit be from that?

That is how HTTPS works today, and does not protect you against phishing at all.

Maybe if the QR reader gave you the CN and domain of the certificate so you at least knew who signed it.

You scan your bus stop and it says "Verified Signed by City, County Bus service" instead of "anonymous asshole".

Not perfect, but it at least gives the users a chance unlike the blind redirect situation we have now.

Signed by "Mobile Transportation Services inc."

Having just navigated through a bunch of forms on my councils website I can verify that the following people are all on certificates at different points:

* a freelance web dev
* two design agencies
* nobody (plain Let's Encrypt)
* a payments middle man company (stylised like "EZ pay")
* the council themselves (on the confirmation pages...)

So I would hazard a guess that "Mobile Transportation Services inc." is a little too sensible to be trustworthy...

This sounds just like EV certificates, and they have not been shown to work very well.

(There have been many articles explaining why, here is one: https://www.troyhunt.com/extended-validation-certificates-ar... )

"Vеrifiеd Signеd Ву Citу, сountу Вus sеrviсе"

Paste that string into google, and tell me if you get the results you expect. You'll get a lot of Russian. Think people might go for that? There was an attack a while back where bad guys registered "adoḅe.com" and distributed malware. EV doesn't work.

Then you'll get "Verified Signed by Citÿ, County Bus service"

> And what would the benefit be from that?

Some assholes operating a digital signing authority get rich; good for you if you're one of them.

Sorry, I was being sarcastic.

EV would but that’s being killed off.

'cause EV didn't actually validate that, while claiming to. It was false security.

I don't. I like to be able to transfer data from my PC to my phone via QR codes; print out QR codes pointing to the latest photo album and give them to friends; finding QR links on "garage sale" signs (real thing that happened today).

Requiring signatures will likely kill those applications.

It's incorrect to assume that the existence of signature validation would kill this use-case.

Similar to how the existence of HTTPS does not kill the ability to transmit data over HTTP and visit sites with no certificate or a non-trusted certificate.

It could be as simple as a pop-up saying, "this QR code is not validated, continue anyway"?

I've also heard of QR-reader software being exploitable through QR codes that they're supposed to read.

So any time I see a QR code, I hesitate to point a reader app at it because I'm concerned that my phone could get hacked through it.

It would be really hard for a QR app to take over your phone, even if it is poorly written and gets owned. There are layers of protection below the apps on an OS like iOS. I'm not saying it's absolutely impossible, but if someone figured it out they could sell the technique for literally millions of dollars to a huge assortment of potential buyers. They probably aren't going to waste it on you.

My phone is a rooted Android phone, though.

Then don't give the QR app root.

That's the case for any software that accepts any kind of input.

Your browser, your PDF viewer, your messenger are just more popular, but not fundamentally different from a QR reader application.

Years ago, WinAmp on Windows was exploitable through a maliciously prepared .m3u playlist: a simple plain text file expected to be filled with pathnames of songs, one per line.

If you're so scared, don't browse anything with your mobile device; browsers are exploitable through pages they land on.

I don't see how it can be made less dangerous. The QR code is read and decoded to a URL. The QR code is now gone, and it is the URL that is dangerous. The URL is dangerous no matter how you got it.

On mobile devices, you can't hover the mouse pointer over a link to see where you're going. That's substantially more dangerous than a URL reader which shows you the URL.

Imagine if someone discovers a flaw in the qrcode library and manages to execute an arbitrary command once read? It's already too late, the device already read the code.

It's the same kind of issue that's possible with any kind of viewer (Adobe Reader, Flash Player, etc)

Once the file or data string is read, it's already game over, and both the QR code and PDF, SWF, etc aren't human-readable.

Sure, but visiting any website or launching any app has those vulnerabilities too, except they're many times more complicated. Even if it's a legit site, they could have been hacked; best to just not touch external data ever if that's your threat model.

This has actually happened before. [0]

> An exploitable code execution vulnerability exists in the QR code scanning functionality of Yi Home Camera 27US. A specially crafted QR Code can cause a buffer overflow, resulting in code execution.

[0] https://talosintelligence.com/vulnerability_reports/TALOS-20...

Note that it was not in the QR scanner itself -- the parsing part was fine, the image was always decoded safely. It is the network setup script which parsed the extracted text which was vulnerable.

And this is not unique to QR codes -- the correct setup string looked like "b=USmtPf6GnLZYDuR9&s=PCheX14pPg==&p=AbCD123465". This already looks like gibberish to most people; if this was replaced with evil string, I am not sure user would realize that.

Uh, no? At least in mobile OSes, the applications are isolated very strongly. And a QR reader app is likely to have minimal permissions, and does not declare the "background daemon" one -- so even if the app is entirely taken over, the worst it can do is show scary messages and redirect you to a nasty URL.

The former is easily ignorable, while the latter is no worse than typing random link shortener URL you found on paper.

Imagine if someone discovers a flaw in any library that your web browser uses, or the browser itself, or its JS engine ... oh no!

I think the app is Barcode Scanner, not Barcode Reader.

You're right. The dumbest part is that I actually went to my phone to find the company name and still thought it said "Reader" for the app name.


If that became widespread, I could see places that display QR codes like the bar in your example take steps to make the QR codes physically inaccessible.

For example, they could put the QR code behind glass, and have a sign telling people to only scan the code if they can see it behind the glass. Someone could still paste a QR code of their own outside the glass, but it would be pretty obvious.

Or instead of printing them on paper, they could have a small LCD screen dedicated to displaying the code. This could be designed to make it obvious if someone tries pasting a code over the screen. For instance, the screen could be a bit bigger than the QR code, which could move around the screen, like the bouncing ball or logo in many screen savers.

I agree that QR codes are a bad idea because they’re not human readable. But wouldn’t that particular hack be possible with a URL as well? It might be detected faster I suppose.

Sure, but not many people would knowingly and willingly enter a long URL in their browser. The ease of use and simplicity of QR codes (just point your camera!) is what makes them a potential risk, IMHO.

We most certainly have the computer vision tech to detect URLs from images of the camera stream. That could be an extra feature of QR code readers app if it's not already.

If you have a Pixel phone, open the camera, scroll right to More, open Lens and point your phone at a (human readable) URL.


Then we have very different ideas of why QR codes are bad. I think they’re bad because they waste space with something that is completely useless to human senses. They should be replaced with good OCR, not with manual typing.

Teach machines to make use of human language instead of teaching humans to make use of machine language.

99.9% of the information in your computing life is not human readable; it's encoded in radio waves and electrical pulses that your senses can't interpret.

You can’t experience them with your senses at all, which is completely different. You can see a QR code, and in fact you have to see it to be able to use it, so it takes up space on signs, in magazines, billboards, etc.

but they'd enter bit.ly URL with no problem, and it can redirect to such URL

Check out HR codes, an alternative to QR codes which encode all valid URL characters to images. https://github.com/hantuzun/hr-code Human Response Codes are designed to be recognized by humans and OCR.

Great idea, thanks for sharing this! But how could we prove what's behind the image is exactly what is shown? Could someone still hack it, pretend to be a normal link but actually is a phishing link?

How can you know the URL doesn't redirect to something malicious?

The big downside of this is lack of redundancy. QR codes are incredibly redundant. Check out images 6 ("lose an edge") and 10 ("blob of paint") in the page: http://datagenetics.com/blog/november12013/index.html

Both of these scan perfectly fine with QR. And in HR, those (and most of other damaged examples) would be unreadable.

you can also use cash.

If it's sticker based QR normally you just show your screen to the person behind the counter before you pay to verify recipient and amount.

Many payment QRs are actually dynamically generated on a POS machine LCD so you get amount and recipient on your device - so that fake sticker problem doesn't exist in these cases

I don't think making codes human-readable would help -- human-readable URLs are spoofable too.

For example, if you replace "tipme.com/some_bar" with "tipme.cz/some_bar", most people would have no idea the latter is the wrong URL; and even waiters/cleaners may not notice the change

Isn't this easily solvable by the URL based codes have to have a signature and other verification that the browser can enforce? So instead of a link to paypal to pay me, it is a link to the bar's website and that site has a paypal popup originated from the bar's website.

Well, the fact that they are not human readable and that some badly designed software takes dangerous actions with them without confirming with the user makes them unsafe.

They are readable when decoded; a lot of them just contain URL's.

There is a bit of an analogy here to shortened URL's.

You can add the "human readable tag" as 'VISIBLE' underneath any QR code you create in Bartender. (the only caveat is if the item the QR points to is a really long string it becomes unwieldy.. hang on lemme give you some examples -- I.. make a QR that points here.


and without the tag


Takes two seconds

I've seen this done in the wild. It's possible to defeat, but only if users are vigilant. Which not all are.

This unfortunately happens a lot in Asia - not sure what the best solution would be.

Because it says “powerful” rather than “useful”, I was expecting this to be about surprising data types rather than business cases.

For example, you can make a data URL containing JavaScript and turn that into a QR code:


Some QR code readers execute that JavaScript. (Not all, fortunately).

Ok Piet is pretty sweet...

Remember them? This wednesday I saw a giant QR code 2 meters high at a train station in Copenhagen.

They're very much in use, everywhere. I fail to see how I'd forget about them.

But without even reading the article I know that QR codes are only as powerful as the app that parses them. They can't do anything on their own, just convey a chunk of data to a reader.

I believe they caught on more than NFC because they require so little. Just a camera, which is already present in all devices. While NFC is a much bigger decision to implement since its field of use is much more restricted.

I think you are right on track with your observation. Another thing I might add:

QR codes can just be printed, by everybody with a printer. Designers don't need to think a lot about technical details, they just put the QR code into their layout and send it off to the printing press (or in fact the screen).

Additionally because QR Codes are optical, it doesn't matter if you stand 20 meters away from the billboard if the QR code is big enough, while with NFC you would have to come close.

Also NFC wouldn't work with a billboard a few dozen meters away, but QR does.

Although I find the stupid implementations funny, I've seen ads pasted on cars, they'd have super dense QR code, but maybe be the size of your palm.. uhm, if the idea is for people stuck in traffic around you to see them, they need to have fewer pixels or be bigger. Besides, the dense QR codes are not just some domain, but usually some ad agency who wants to track how many times the code has been scanned and how many times they've redirected people to the real URL, so they can charge the owner for the service of... having a QR code.

I live in NYC and have never in my life seen a consumer use their phone to scan a QR code in public here. Ever. Anywhere.

Occasionally you'll see one on an ad or something... but the number of people who would ever scan it must be minuscule.

It's just not part of normal life here. At all.

(Employees scan codes on tickets for events or transportation though, very common, but I don't think those are technically in QR format usually.)

They have (finally) snuck in to North American life, but it would still be unusual to see them on a billboard here. I find it interesting that most use cases in America involve transmitting information from a phone, rather than to it: boarding passes, event tickets, Amazon Prime codes at Whole Foods.

The only exception I can think of off-hand where scanning the codes on a phone is common here is scooter rentals. I doubt the average person on the street here would know how to scan a QR code they encountered in the wild (as opposed to app-specific codes).

QR codes seem to be more accepted in certain parts of the world. Even though they are becoming more popular in the USA it still lags behind Asian countries by a lot. And you're right about NFC...Its main problem is that you need to be right next to it for it to work.

I put a simple image on my homescreen with a QR code of my contact details some time ago. One thing I like to do when somebody asks me for my details is just show them the image and tell them to point their iPhone camera at it. On Android, use Google Lens. The look on their faces when the phone offers to save the contact is priceless.

Apple only added this feature fairly recently. So, people are mostly unaware of how convenient QR codes can be. Most people I do this to are completely unaware their phone can do this and it beats having to fumble with apps and mobile keyboards trying to figure out email addresses, phone numbers, etc.

If you are interested; just google for qr code generator and contact and you will find dozens of sites offering that. There are plenty of libraries for generating QR codes client and server side. You can download them as pdf, png, svg, etc. I put the document on my Google drive and created a short cut on my android phone.

Really cool idea. I used Qrafter[1] to make a QR code from my contact. Uploaded the image to Google Drive, then dragged a GDrive widget onto my home screen on my Android phone for quick access to the QR code.

Even cooler, on Sunday I made friends with someone just back from teaching English in China, and at lunch we're exchanging phone numbers and I go, "Wait a minute..." and opened up the image.

She scanned it and immediately demanded to know how I'd done it. Thanks for the tip! :)

1: https://apps.apple.com/us/app/qrafter-qr-code/id416098700

Great idea. I just figured out my Xiaomi has a QR code option for each contact. It is also possible to share wifi passwords with QR codes.

"Nomophobia, the fear of low battery on phones, is virtually nonexistent in China, thanks to the widespread availability of power bank stations"

Perhaps I'm more paranoid than other people, but plugging your phone in to a public USB device seems incredibly dangerous to me. At the very least someone could have tampered with it to damage the next user's device, and at the worst it could be cloning your device's entire storage.

Well when in China you already have no expectation of privacy, so no worry there. And if you thought you could tamper and do some damage, well, remember the pervasive surveillance apparatus? Off to the dissident organ harvesting plant you go!

Aren't there USB condoms to prevent the cloning route? I don't know if that's still a thing in the days of type C.

Yes, as in cables with only the expected power/ground connectors present.

Android phones these days don't expose the data over usb unless the user chooses to.

You are best off buying a “USB condom”, a USB 2.0/3.0 connector with the data pins removed.

The problem there is that the USB standard requires the initial power transfer to be low amperage, and only switches to the high amperage mode on request, with the request being delivered over the data pins.

USB condoms include a tiny chip that does the negotiation to get full power. Sometimes they even work better than the phone itself at getting the charger to give up the juice.

For up to 1 amp, three resistors is enough (that's how power banks work) -- and those easily fit inside the connector.

An actual USB condom should also include a surge suppressor.

However, the closest thing to that I have found is simple battery packs which can generally remove the need for 3rd party mid day charging.

Cloning the storage, or any other file access, no longer works with modern devices. For example, last time I plugged my phone into rental car, I got two easily refusable prompts, to access contact list and to access files.

Damaging the device is a real deal -- I'd think more by accident than by design ("we spilled some soda on this charger... so it now gives out 20 volts instead of 5"). That's why I used to carry a small USB voltmeter with me when traveling.

> public USB device seems incredibly dangerous to me.

That story is in China, where everyone is already massively monitored constantly (and this is not even hidden by their government).

I use QR codes to quickly share a URL (or text) with my Android phone from my iPad.

The Shortcut is simple and easy to use (1). If I wanted to do the same thing on Android, I'd use Termux (2).


My 'Universal Clipboard' is a text file on a VPS. My devices set or get the contents via SSH. E.g. Android[Termux SSH] > VPS < iOS[Shortcuts 'Run Script over SSH']. Comes in handy!

1: https://www.icloud.com/shortcuts/2190aca622b948258a9024d8dda... 2: https://termux.com/

I used QR codes for the same sort of thing, but Firefox sync has gotten so good at sending tabs to specific devices, including a desktop that might not have a convenient camera, that it's even more convenient.

In the "now that I think about it, it was silly" category, I "copy pasted" a mail using QR Codes from the computer to the phone while in a train. I could send the mail from the phone, but it was more convenient to type it with the computer.

KDE Plasma provides a QR Code for anything not too big you copy-pasted by clicking on an icon. "It should be more convenient than using the computer as a Wi-Fi hotspot for the phone, which is a two clicks operation, right?"

Wrong. It was painful.

We should reuse the idea of Quiet.js, seen today on HN [1], to solve this kind of situation.

[1] https://news.ycombinator.com/item?id=21415946

Shameless plug: http://zipl.ink is the bookmarklet I use for the exact same purpose which also keeps record of the interesting links I zipped to my phone locally as a nice side effect

I love Firefox sync, mostly to share tabs to any of my devices but also to access history/bookmarks

KDE Connect is a wonderful application for Android that covers these two use cases:

- Copy from the phone and paste on your computer, or vice versa (this is an optional feature, fortunately).

- Right-click on a link in a browser, or click on the KDE Connect icon -> send to device.

You can also send files between devices with it.

(it works outside the KDE environment too, even outside GNU/Linux apparently, and Gnome has its own implementation)

I created a Telegram Bot for sharing urls and texts between my devices - it doesn't do anything, it's just there. I pinned it on all of my telegram apps, and use it to copy and paste links and texts between all devices. I'm pretty sure this is not how it is intended, but it works for me.

I like this! Actually, I share things to the "Favorites" chat in Telegram (not sure what it's called in English) to get pictures around and it's convenient, sounds like you've got a similar setup.

Yep, the most convenient setup so far for passing notes/urls between a phone and a laptop. Slack is good too but somehow scrolling to your personal chat on the phone is cumbersome.

Well, same thing, I made a WhatsApp group with my phone WhatsApp, my Indian number WhatsApp, my tablet WhatsApp. Anytime I need info like a wifi password, image or some note, I just send it in that group, and it's available on all these three devices.

"Nomophobia, the fear of low battery on phones, is virtually nonexistent in China, thanks to the widespread availability of power bank stations"

Actually nomophobia is more than a fear of low battery - it is a fear of being without a working mobile phone, e.g. due to loss of phone, poor signal or low battery. It is more of a psychological condition, and proper treatment is to address the root cause rather than avoid the situation - it would be like saying heroin addiction is not a problem because there are heroin dealers on every street corner.

I think this is a valid thing to worry about.

It's almost the same thing as worrying about a car breaking down if you're 100 miles from the nearest town.

Yet we don't have a specific "phobia" for that, because it's really not a mental disorder to worry about such things.

So many things today depend on having a working mobile phone.

Curious to hear your thoughts/experience about the 'many things today depend on having a working mobile phone'. I often do not carry a phone because I use my laptop at home/office to do most digital things.

In certain situations people are so used to perform certain actions on their phones that they're caught by surprise if the phone is dead.

Boarding a train or bus, for example. You can pay using your phone, if it dies on your way and you don't have cash, that's a problem.

When you put on GPS to drive somewhere, and the phone dies midway. No one has city maps anymore.

Making last minute plan changes in a group. If you don't have your phone, you won't get the latest messages.

Myself for example, I've stopped carrying a debit card to withdraw money from ATMs because my banking app generates a code that I can use.

And many others. Now I know _every single one_ of these has a work around, but most of them are "just plan ahead and have an alternative if your phone dies". After years and years of just using phones, people simply don't carry around cash or quarters for a phone call anymore.

It's not the phone itself, it's the device which gives you an instant connection to anyone around the planet at all times. The modem in the phone is what makes it valuable. If something happens, you can call for help, you can call your spouse to let them know you're late, you can get routed around traffic jams, look up contacts, etc. I can do all of that with a laptop too if it had a mobile internet connection.

Not to mention that I need it for 2FA.

My phone runs 2FA for almost everything. Missing my hard 2FA token, my phone is my only way of accessing a lot of stuff that I usually only have on my phone.

When my phone (5X) bootlooped on a trip (before I had the hard token) and I needed to access my email for plane ticket info/etc, I couldn't 2FA into anything.. I had to remember what airline I was flying, call them, then sort out details I was relying on having on my calendar or in my email.

Legit panic as I couldn't miss work and had spent hundreds on travel arrangements. I learned my lesson and got a backup hard token (and a backup for the backup that sits in a lock box) and I should probably drop the phone based 2FA as well for just the hard token but it is very convenient.

I'd say navigating on long road trips is one of them. While my current car has a built-in GPS, my previous one didn't, and so I was somewhat dependent on having a working phone in order to navigate.

Now, only somewhat. I generally know how to get home from where I am, and I figure if my phone were to fail, I could drive until I could find a gas station with a map. (Or perhaps a convenience store to get a charger cable or new phone.)

And of course, this fear (of being phoneless) is just an update of an old one (of being lost). It's really hard to get lost in the modern world of gps and data.

You don't need GPS to navigate, but without one you'll want to own a decent map.

Before GPS people just carried paper maps in their cars. It's harder to find paper maps at a gas station now, but if you're preparing for a long road trip, it's not a terrible idea to just bring along a paper map to start with.

There was also an intermediate period between everyone using paper maps and everyone using GPS. I didn't get my first phone until I was 23, before that for trips I just printed out the google maps directions and some map screenshots of nearby areas to the destination or stops along the way. Usually didn't even need that because the US interstate system is well labeled with road signs. These days I like an online maps navigation just to tell me about upcoming slowdowns or better routes, find the cheapest gas stations, etc.

2FA is the main thing for me. I protect basically all my important logins with 2FA, so losing my phone can mean getting locked out of most of my important accounts. This mostly scares me when traveling—I agree it's pretty nice to not carry a phone some of the time.

A personal example is that where I live, Uber has basically exterminated yellow cabs. So if your phone is dead and you can’t get an Uber, you’ve got no chance of flagging a yellow cab like you could do ten years ago. So if you have to get somewhere, you’re screwed.

I'm a native digital. I have weird memory patterns: I remember the information I need by search query. I just can't remember anything I know I can find on demand. I'm literally useless as a brick without access to internet.

Ah, you're right. So what I should have said is 'depend on having a working computer'.

I can't even begin to list the things; everything.

> Because every scan is linked to the shopper’s online profile, the store collects valuable data to personalize its customer experience.

No, thank you.

>No, thank you.

Do any shoppers actually want this? I have legitimately never walked into a supermarket and thought "Gee, the experience today just wasn't as personalised as it could've been. I'll go elsewhere next time".

I was in an airport in China, in the departures area. They had a screen showing a live video from a camera pointing at passers-by, it said "Stand here, we'll scan your face and tell you how to get to your gate". I did, and it showed my name and where to go. But, when did I link my face to my boarding pass and agree to this "commercial" use by the airport?

Before you enter China there are machines where you scan your passport, face, and fingerprints, so that's how they link faces to identities, but the example above shows the government gives this info out to... at least airport operators, but whom else?

They don't need to give it to anyone, since they already operate everything.

Safeway tracks my buying habits and their app suggests coupons for products I buy often. It's probably a loss leader sales tactic but I manage my spending.

If you are paying attention, there's (I think) a reasonable trade off by some companies. I'll take 3 minutes before each grocery trip to save $20+ a month via coupons in exchange for my purchasing history.

People very often do say the opposite, though.

"Gee the experience today was very personalized, I'm definitely coming back next time!"

A great, older, lower-tech example of this: I go to the store looking for Lays chips and they only have Ruffles. They're chips, sure, but I don't want Ruffles. I want Lays. I don't come back to that store because they don't have Lays.

I go to the store next door, they have Lays. It's exactly what I wanted. I now come back to that store frequently. Store 1 has no way of knowing what I wanted or why I didn't come back. Store 2 has no way of knowing why I suddenly started coming to the store.

I would still frequent Store 1 if they had the products I wanted. I only go to Store 2 because it's (inadvertently) personalized for me.

Depends what they use it for. So pretty much a 1% chance.

If it offered things like how to get through the store faster based on what I buy, changes to the location of products I buy, or changes to open hours that are when I usually go.

Instead it will probably just give ads for products it thinks I am slightly more likely than average to buy. So no thanks.

Plenty of people say it about the staff. I don't see why they couldn't come to expect the same about their digital experience as well.

Personal interactions between a regular customer and regular staff are very different from interactions between a regular customer and a customer database.

The digital version is much more one-sided. Some people may like this kind of personalization. I find it’s very rarely useful to me and very frequently intrusive.

Most of the store chain shopping reward programs will accept a phone number, so I'll use [Local Area Code] 867-5309. It's generally always setup for me already, but sometimes needs an override because it "was used too many times today."

Surprises me that YouTube videos don't use them - instead the YouTubers say: "click the link in the description" but I am always using a console to watch YouTube on TV from my couch, so I never click their link.

Also free to air television never uses them.

Also I've never seen one used on the giant screen at a sports game or concert.

Also they could just be used for paying for anything at the checkout.

My understanding of QR codes is that they are just a machine readable string and that string is usually a URL. The phone then is responsible for parsing the string and doing something (like launching a browser/URL or other installed app). So users are not paying by QR code, users are paying via a web app and using the QR code to input the URL for that app/item/quantity etc.

Is my understanding incorrect?

Correct. My (wild guess) understanding is that QR codes took off in China because of widespread usage of WeChat, which is a do-all mobile app, including payments etc.

If your QR code requires user to create an account in your webservice or install your native app to do anything useful, it does not bring much value, unless everyone around has your native app.

Whereas if you integrate via an app widely used by all people in the country (i.e. the QR code is a URL which opens the widely used app with certain parameters), you're more likely to have people use it.

Classical chicken-and-egg problem and a situation where monopolies do better than a fragmented market.

That's one use case; the other use case that's less talked about is when you use an app where you need to log in on more than 1 device. WhatsApp and WhatsApp Web's QR login is a good example. One of my side projects, http://karaoke.house/ does something similar as well.
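The "log in on a second device by scanning" flow mentioned above, as an added toy example (not WhatsApp's protocol and not the commenter's project code): the server hands the not-yet-logged-in device a random token to display as a QR code, the already-authenticated phone scans it and approves, and the device polls until it is bound to the account. The properties a defender cares about are all in `approve`: the token is high-entropy, stored only as a hash, consumed on first use, and rejected after a short TTL. The `LOGIN:` payload prefix, the class name and the TTL are assumptions of this example.

```python
import hashlib
import secrets
import time


class QrLoginBroker:
    """Toy server side of a 'scan to log in on another device' flow (constructed example)."""

    TOKEN_TTL_SECONDS = 60        # a pending QR token is only honoured for this long

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so the expiry path can be exercised in tests
        self._pending = {}        # sha256(token) -> (issued_at, device_session_id)
        self._sessions = {}       # device_session_id -> account once approved, else None

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a leaked table of pending logins cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def begin(self):
        """Called by the not-yet-logged-in device (e.g. the browser). Returns (session_id, qr_payload)."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)              # 256 bits of entropy: unguessable
        self._pending[self._fingerprint(token)] = (self._clock(), session_id)
        self._sessions[session_id] = None
        return session_id, f"LOGIN:{token}"            # constructed payload format

    def approve(self, scanned_payload: str, account: str) -> bool:
        """Called by the already-authenticated phone after it scans the QR code."""
        prefix = "LOGIN:"
        if not scanned_payload.startswith(prefix):
            return False
        # pop() makes the token single-use: a second scan of the same code fails.
        entry = self._pending.pop(self._fingerprint(scanned_payload[len(prefix):]), None)
        if entry is None:
            return False
        issued_at, session_id = entry
        if self._clock() - issued_at > self.TOKEN_TTL_SECONDS:
            return False                               # expired: the device must request a fresh code
        self._sessions[session_id] = account
        return True

    def poll(self, session_id: str):
        """The device polls until this returns the account it has been logged in as."""
        return self._sessions.get(session_id)


if __name__ == "__main__":
    broker = QrLoginBroker()
    sid, payload = broker.begin()
    print(broker.approve(payload, "alice"), broker.poll(sid))
```

The phone-side app should additionally show the user what it is about to approve (and from where) before calling `approve`, since a QR code alone gives no indication of who generated it.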

Standard QR codes can encode numeric, alphanumeric, kanji and binary data. Alphanumeric is the simplest, well supported and most widely used encoding mode.

QR code size increases with the amount of data they contain. The larger versions take up lots of space and can be awkward to use. URLs are popular since they're usually small.

You are right, a QR code can encode information about a bunch of transactions in an image, which is much easier for a person to use than doing so manually through screens.

QR codes are not good for high throughput situations, like subway gates although:


But China is in love with the QR code, so who knows how many years or decades it will take them to make their subway gates use fast NFC payments.

Both have advantages that make them complementary identifiers and not actually that competitive with each other. Ultimately they promote each other rather than consuming each other's market share and I see both lasting years and years into the future.

You can print a QR on paper. You can't do that with NFC.

NFC works in low light conditions -- QRs typically don't. NFC chips have allocated uids -- QRs are mutable. NFC is expensive and QRs are cheap. QRs are universal while NFC is tightly controlled.

>NFC chips have allocated uids -- QRs are mutable.

NFC is mutable too; the low-cost unpowered chips you'll buy are mostly write-once read-many, but an NFC device with host card emulation can largely be whatever you want it to be. I suppose it's analogous to a QR code displayed on a screen vs. a printed QR code.

>but an NFC device with host card emulation can largely be whatever you want it to be.

Nope -- even host card emulation can't emulate the UID for obvious reasons. Hence making it controlled.

Well sure, but it can emulate just about everything else. And if you're depending on the UID not being spoofable, well...


I sort of expect them to switch to facial recognition and do away with turnstiles altogether for most passengers to dramatically increase efficiency once the tech and databases are advanced enough. As in, the system recognises where you entered and where you leave and the fare is automatically deducted from your account. Those who are not known to the system (eg first time users and tourists) aren't allowed to enter the station until they set up an account (long term or temporary respectively). The system would have a bunch of problems but the authorities wouldn't care too much as long as efficiency was high.

I live in Beijing, both NFC and QR code work just fine in the subway at the same time.

The QR code video shows a ton of people going through the turnstiles quite fast. The one guy that didn't go through might have run out of credits, and needs to top-up.

So those two videos actually demonstrate that QR codes are actually more than fine. NFC might be faster and more convenient but the difference isn't huge.

NFC gates in Japan take maximum 200ms and can handle one person per second at one gate; the riders never stop walking full speed.

The QR readers are certainly not “quite fast” and that’s nowhere near “a ton of people.” That QR gate wouldn’t stand up even on a weekend at a mid-range Japanese station.

In short: QR codes are a great way of connecting arbitrary physical items with your smartphone and as a consequence with any kind of web service. A bit similar to NFC, but with some important differences: they don't require any electronics, work at any range (just make the QR code large enough) and they can be done either by print or displayed on a screen. Additionally, when scanning the QR-code, the user can see the URL it translates to. (Doesn't have to be URLs, but that is probably the most common usage).

I am surprised that not more business cards have QR codes printed on them with the important contact information. But for my personal use, I have a QR code containing my email address as a picture on my phone, so I can display it for anyone to scan whom I want to give my address to.

> Tip bar staff [...] Scan and shop anywhere [...] digital public transportation cards

The thing that surprises me here isn't the success of QR codes, but the failure of NFC (and to a lesser extent Bluetooth) which was practically designed for paying with your phone.

How did NFC lose out to QR codes at the application it was designed for? Was it a reliability problem? Were the APIs too locked-down for anyone to be able to work with them?

My Alarm app has the functionality to remember a NFC or QR code that you need to scan in order to make it stop.

Why did I go for a QR code? I can print a QR code, but I can’t print a NFC code.

But you can buy NFC tags for relatively cheap.

You go to market with the printer you have, not the gizmos you'd like to have. You'd wind up printing something anyway to let people know about the NFC tag. And if you are printing something out, you may as well just add a QR code for folks who like that method.

There's a "if you give a yak a razor" joke in there somewhere.

I could, but printing a QR tag is even faster and cheaper, and there are no real benefits to the NFC in this case.

NFC is very much used in other places like Europe. I just got back from a trip to the UK and Iceland where I used contactless payments almost exclusively (except for automated gas pumps which required chip-and-PIN). I don’t remember seeing many QR codes at all.

That's a different concept, though.

With contactless payments, you share your payment information with the point of sales. You do not get the opportunity to check what's going on (and it will never be due to the awkward position you have to hold your phone to get within NFC range).

For QR code payments, the point of sale generates all the information (how much money to which merchant) and encodes it as a QR code. You scan the code and confirm the information, which results in a payment.

Pretty much any smartphone you've been able to buy for the past 10 years has had a camera, the same can't be said for NFC.

iOS for many years did not expose generic NFC functionality. I don't know if it is properly available even now? This meant that it was impossible to have the same user experience on iOS and Android - a serious problem for any product that would have NFC as a key interaction targeting both these platforms (as most western things do).

This is IMHO the most correct answer. Apple. From experience lots of folks wanted to implement NFC but as soon as they got their idea to the C-suite all the execs whipped out their iPhones and it was game over.

Add to that the years of shenanigans as mobile operators tried to make sure they were the gatekeepers for any sort of serious NFC usage (by controlling access to the SIM-based secure element) and the fact that QR can be implemented in an afternoon by any developer who fancies it without reference to anyone else and, well, here we are.

But the NFC world is becoming a more hospitable place, and we will now see NFC gradually supplementing then replacing QR in many use cases (though not all, as some are much better suited to one or the other tech; they are not 100% interchangeable).

It's still not there yet. There are APIs now available for developers, but there is no way to react seamlessly to NFC tags in the background. For example, it's impossible to put an NFC tag on a nightstand and run some automations when you put your phone there before sleep. You will have to tap a button to authorize the action.

I do understand the security implications that led to that decision, but it makes the whole process really cumbersome to use for a wide range of applications.

To be honest I bought a Galaxy Nexus in 2011 with NFC and the promise of payment functionality, but I only got Android Pay (here in the UK) in 2017 when my bank, NatWest, decided to add support.

German Banks are somewhat behind on this, too. So I added a PayPal account and put my bank information there. Works like a charm.

QR pros are that they're distance-independent (you just have to make them larger) and you can just print them. Cons is that they're pretty cumbersome to use (you have to launch a camera and/or a dedicated app).

NFC pros are UX - you just place your phone, even without unlocking, and magic happens. Cons is, you can't make them at home, you have to order the tags, hope you order the right ones (a few years ago there was some IP rights nonsense that prevented some types of tags working with some phones, not sure if it's true today).

As for NFC and payments, I'd blame a) above mentioned IP nonsense, and b) handling payments is a complicated relationship with third parties; if the third parties aren't willing to embrace NFC tags (and AFAIK they generally aren't, or will try to fleece you for it), there's nothing you can do yourself as a venue owner.

Also, not all phones are NFC compatible (hardware costs $). My current phone is a middle-tier Asus which is good enough in many ways, but has no NFC.

The order of things and the relative advantage of previous tech is important here. In order of appearance we had cash, swipe cards, chip cards, contactless cards, QR codes and NFC (in a usable manner). But not every country had them spread equally.

In China a large portion of the population practically skipped credit cards; when the mobile revolution came there was no NFC but QR codes were easy to implement. As a buyer you just need a camera on your phone and as a merchant you just need a piece of paper. No need for a register, no need for an internet connection. In Hong Kong and Taiwan the transportation NFC card practically replaced cash and payment cards and also made NFC cards practically no better, also making QR codes relatively non-interesting. With the advent of WeChat however, this went to the side I suppose (haven't been there since so can't say for sure).

In contrast in Europe we did not use swipe cards much and went quickly to chip. Transition to contactless cards was more or less seamless because when you refreshed your card you got a contactless one. Which made merchants want to upgrade terminals. Mobile payment just piggybacked on that. There are some shops that accept QR code payments, but with the presence of Apple and Android Pay, this is a massively worse use case. QR codes are marginally more convenient than credit cards, but they require almost zero specific infrastructure.

From what I understand in the US chip cards came so late that everybody just immediately skipped to Apple/Android Pay. However since chip card terminals are needed for NFC, this made adoption by merchants more of a "thing". It was quite common to see "this shop now accepts Apple Pay" as a headline.

The problem with NFC was Google and Apple.

Google intentionally hobbled NFC and stonewalled Panasonic from adding IrDA to Android to force people into using Android Beam. Apple never gave anybody access to raw NFC to prevent competition to Apple Pay.

I personally met people who made TenPay. They pretty much confirm that the sole point of QR code was to sidestep Apple and Google.

But Walmart, Lydia and others have also tried to sidestep Apple and Google (and Samsung). It never took off, because once you have contactless cards and NFC phones, going to QR codes is a massive regression.

> They pretty much confirm that the sole point of QR code was to sidestep Apple and Google.

The QR code has been around since the mid-90s and had nothing to do with payment. That's a much more recent application.

The chip readers still have the problem of being too damn slow in the US. Often taking more than 5 seconds to complete the transaction. It may not sound like much, but that adds up over time. Apple Pay is instant, although it has the annoyance that the range on the contactless payment is about 4" (10cm) too short so you have to wave your phone all over the reader until you find the one spot where the antennas line up just right to get the read.

> How did NFC lose out to QR codes at the application it was designed for?

Range, most likely. You have to be pretty much on top of one another for NFC to work reliably. However, Japan made NFC work pretty well, IIRC.

By contrast, you can scan a QR code with your camera from across the room if the QR code is big enough.

The real question is why not use BLE? And I suspect the answer was that BLE wasn't on feature phones in China when all this stuff was rolling out.

It may also be that QR codes practically always require you to contact a server somewhere, so China may prefer that over BLE for social control purposes. (For example, I believe that the Hong Kong protesters were doing information exchange over BLE in order to avoid getting shut down by the central authorities.)

Also, QR codes are much easier to make. You just print them on any cheap printer. You can display them on a screen. They are platform and medium independent. I think this is underrated.

Phones have screens which can display a QR code as well as a camera which can read them.

Overwhelmingly most uses of QR codes I see today use the screen. Boarding passes etc.

Getting a user to read a QR code is more painful.

It's still strange to me that Android doesn't come with a simple QR reader. They did the right thing with the thousand crappy flashlight apps, and just integrated the functionality in the OS. They should do the same with QR code scanning.

It's been built in to the Camera app for the last couple of years. It'll automatically scan them and throw up a little popover with the text/URL.

Actually, I don't know which version they started but on my Pixel it's built into the Camera as well as the Lens app.

When you point your phone camera to a QR code it'll show a description/link.

Same on my few years old Moto G4 ... but not a friend's much newer Sony Xperia.

QR codes are really handy for connecting to Wifi, I have a shell alias that runs:

    qrencode -t utf8  "WIFI:T:WPA2;S:<Basestation-SSID>;P:<SecurePassw0rd>;;"
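The `WIFI:` string handed to qrencode above is a tiny text format of its own, and the part that bites in practice is escaping: an SSID or password containing `;`, `:`, `,`, `"` or `\` has to be backslash-escaped, or the scanner will split it into extra fields. Added example, not the commenter's alias and not part of qrencode or ZXing: a builder that escapes the two user-controlled fields and a strict parser that rejects duplicate fields (which is what an unescaped `;` in a password would produce). The set of authentication types follows ZXing's documentation; the function names and the strictness of the parser are this example's own choices.

```python
# Characters that must be backslash-escaped inside a WIFI: field value (ZXing's convention).
_SPECIAL = '\\;,":'
_AUTH_TYPES = {"WEP", "WPA", "WPA2-EAP", "nopass"}
_KNOWN_KEYS = {"T", "S", "P", "H"}


def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def wifi_qr_payload(ssid: str, password=None, auth: str = "WPA", hidden: bool = False) -> str:
    """Build the WIFI: string a QR encoder would be given, escaping the SSID and password."""
    if auth not in _AUTH_TYPES:
        raise ValueError(f"unsupported auth type {auth!r}")
    if auth != "nopass" and not password:
        raise ValueError(f"password required for {auth}")
    fields = [f"T:{auth}", f"S:{_escape(ssid)}"]
    if auth != "nopass":
        fields.append(f"P:{_escape(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def _split_fields(body: str) -> list:
    """Split on unescaped ';', turning each backslash-escape back into its literal character."""
    fields, buf, i = [], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])   # escaped character: keep it, do not treat it as a separator
            i += 2
            continue
        if c == ";":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        fields.append("".join(buf))
    return fields


def parse_wifi_qr_payload(payload: str) -> dict:
    """Parse a WIFI: string into {'T': ..., 'S': ..., 'P': ..., 'H': ...}; ValueError on malformed input."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a WIFI: payload")
    result = {}
    for field in _split_fields(payload[len("WIFI:"):-2]):
        if not field:
            continue
        key, sep, value = field.partition(":")   # only the first ':' separates key from value
        if not sep or key not in _KNOWN_KEYS:
            raise ValueError(f"unexpected field {field!r}")
        if key in result:
            # A second S: or P: means an unescaped ';' smuggled a field in; refuse rather than guess.
            raise ValueError(f"duplicate field {key}")
        result[key] = value
    if "S" not in result:
        raise ValueError("missing SSID")
    return result


if __name__ == "__main__":
    # Constructed credentials with every special character in them.
    payload = wifi_qr_payload("Cafe;Free", 'p:w;d"x\\', "WPA")
    print(payload)
    print(parse_wifi_qr_payload(payload))
```

Pipe the builder's output into `qrencode` exactly as in the alias above; the only difference is that the credentials can now contain any character.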

Nice! How do you consume it on your phone (I suppose)?

Is "WIFI:..." automatically passed to the network intent?

Edit: just tried in ZXing QR code scanner on Android, I was too curious.

After scanning the code, the proposed action that appears in the bottom part of the screen is "connect to network".

It just works! Super useful, thanks!

That's pretty neat! Good to know. Mine doesn't do it yet though. I'm also worried about discoverability if they don't give any indication that the camera has this feature.

Most android cameras recognize QR codes. Chrome has a QR code scanner built in, look for the icon at the top of the keyboard. Facebook has also had a scanner in their app for quite a while but of course that’s not native to Android.

Alan Zhang of WeChat was prophetic when he said: "The entry point for PC internet is the search box. The entry point for mobile internet is the QR code."

Always reminds me of the "Pictures of People Scanning QR-codes" blog


I just found "The Barcode Book" in my local library, and it was pretty cool to see dozens of different barcode schemes out there, all with different properties. The world of interesting, useful barcodes is much larger than QR codes.

++ India. QR codes are everywhere for payments due to NPCI's (national payments commission of India's) efforts with instant payments. Shops small and big today display a QR using which you can pay bank to bank without credit/debit card charges and interoperability between payment processing companies like Paytm is mandatory.

The ad network and renting bikes and more recently charging electric scooters cases are also catching on.

>>>"At scenic sites and public spaces nationwide, toilet paper is BYO. Those who come empty-handed can do a QR code or facial recognition scan to receive up to 31 inches of toilet paper."

So hold on, if I don't have a working phone, I can't wipe my ass?

I think the biggest problem QR codes had when it came to adoption is that phones, by default, don't come with software to read them. If every OEM camera app could read QR codes I think they'd be much more common.

iPhones do it now, as well as some newer Android phones. The problem is that they don't tell you that :)

I find Vxiaocheng's use of QR to be super interesting and something that I'd think is worthwhile to work on; QR reading is now native in Android + iPhone camera apps and this is an itch I've been looking to scratch for a long time. Anyone interested? I would think of expanding the application to restaurants, libraries, etc. I would be comfortable with design + engineering + product while mostly looking for a business developer to sell the product to customers.

Let's chat. I've tried a couple QR-related early stage ideas this past year.

Many, many years back (2011?) I and a few friends applied to YC with an eye on use cases like 1/8/12, but mostly focusing on enabling quick interactivity with storefront displays, billboards, and public screens in general.

We didn't go through (our video was awful) and never carried on the idea, but almost a decade later I still feel there is a ton of yet-to-be-unlocked potential in this!

Just as much an enabling technology as QR codes is the ubiquity and openness of WeChat/AliPay/Taobao, in my opinion.

QR codes can also encode binary data. With structured append it's even possible to encode larger amounts of data as a series of QR codes. Open source decoders don't seem to support these features though. Could've been a great way to transfer small files.

I've seen this show up on Hacker News before - transferring data via an animated series of QR codes https://github.com/divan/txqr

Awesome project. I see it is based on ZXing. Do you know if it decodes binary data? I see there's support for multiple error correction levels in the qr/qr.go file but I don't see anything related to encoding modes, binary or otherwise. I assume it is defaulting to alphanumeric encoding.

I'm asking because I'm not sure if ZXing supports decoding binary data to begin with. I know zbar doesn't: current versions seem to mangle the output by trying to convert it to UTF-8. I haven't tested ZXing yet.

Also, is it using structured append mode or simply reading normal QR codes in a series and concatenating the data? Structured append mode QR codes have metadata such as an identifier for the sequence they're part of as well as their position within it.

What throughput do you think you could attain with manual scan?

Not OP, but I'd imagine a lot, if the camera scans at 30fps, maybe be conservative and show the codes at 10fps.

~30kb/s assuming the data density of 3kb per QR code. Not that much.

I'd say I won't scan manually at 10 scans per second. I'd say 2 seconds per scan, which would be 1.5kbps. Not that much but quicker than typing.

What system can encode data but not binary data?

It is possible to encode any kind of data as base 64 and place the result in an alphanumeric QR code. However, it won't be as efficient as the binary encoding. This is important because QR codes have size restrictions.

Concrete example: 4096 bit RSA secret keys. They can be encoded as binary QR code but not as an alphanumeric QR code with base 64 data.
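The size argument in the two comments above can be checked with the standard QR bit-stream accounting, and it also answers the earlier "what system can encode data but not binary data" question. Added example, not code from the thread or from any QR library: it computes how many bits a payload needs in byte mode versus alphanumeric mode and compares that with the data codewords of a version-40 symbol, the largest there is. Two things worth knowing that go slightly beyond the comments: alphanumeric mode only has 45 characters (digits, upper-case letters and ` $%*+-./:`), so base64 output, which contains lower-case letters, cannot be put in alphanumeric mode at all and ends up in byte mode with its 33% overhead; base32, being upper-case plus digits, does fit alphanumeric mode and can squeeze in where base64 cannot. The 2350-byte blob standing in for a 4096-bit RSA private key (roughly the size of its PKCS#1 DER encoding) is constructed and is not a key.

```python
import base64

# QR alphanumeric mode only knows these 45 characters.
ALNUM_CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"

# Data codewords (8 bits each) in a version-40 symbol, per error-correction level (standard table).
V40_DATA_CODEWORDS = {"L": 2956, "M": 2334, "Q": 1666, "H": 1276}

# Character-count indicator widths for versions 27-40 (the only versions that hold anything this large).
COUNT_BITS = {"byte": 16, "alphanumeric": 13}


def bits_needed(payload: bytes, mode: str) -> int:
    """Bits of QR bit stream for payload in one mode: mode indicator + count indicator + data."""
    if mode == "byte":
        return 4 + COUNT_BITS["byte"] + 8 * len(payload)
    if mode == "alphanumeric":
        text = payload.decode("ascii")
        bad = {c for c in text if c not in ALNUM_CHARSET}
        if bad:
            raise ValueError(f"not representable in alphanumeric mode: {sorted(bad)}")
        pairs, odd = divmod(len(text), 2)       # 11 bits per character pair, 6 for a trailing single
        return 4 + COUNT_BITS["alphanumeric"] + 11 * pairs + 6 * odd
    raise ValueError(f"unknown mode {mode!r}")


def capacity(mode: str, ecc: str = "L") -> int:
    """Max bytes (byte mode) or characters (alphanumeric mode) a version-40 symbol holds at this ECC level."""
    budget = 8 * V40_DATA_CODEWORDS[ecc] - 4 - COUNT_BITS[mode]
    if mode == "byte":
        return budget // 8
    pairs = budget // 11
    return 2 * pairs + (1 if budget - 11 * pairs >= 6 else 0)


def fits(payload: bytes, mode: str, ecc: str = "L") -> bool:
    return bits_needed(payload, mode) <= 8 * V40_DATA_CODEWORDS[ecc]


def encoding_options(secret: bytes, ecc: str = "L") -> dict:
    """Which 'wrap the binary in text' strategies fit one symbol; None means not even encodable in that mode."""
    b64 = base64.b64encode(secret)
    # base32 is upper-case letters and digits only; '=' padding is not alphanumeric, and is
    # recoverable from the length on decode, so strip it.
    b32 = base64.b32encode(secret).rstrip(b"=")

    def alnum_or_none(data: bytes):
        try:
            return fits(data, "alphanumeric", ecc)
        except ValueError:
            return None

    return {
        "raw/byte": fits(secret, "byte", ecc),
        "base64/byte": fits(b64, "byte", ecc),
        "base64/alphanumeric": alnum_or_none(b64),
        "base32/alphanumeric": alnum_or_none(b32),
    }


# Constructed stand-in for a 4096-bit RSA private key in PKCS#1 DER (about 2.35 KB); NOT a real key.
SECRET_BLOB = (bytes(range(256)) * 9) + bytes(46)   # 2350 bytes


if __name__ == "__main__":
    print("v40-L capacity: byte", capacity("byte"), "alphanumeric", capacity("alphanumeric"))
    print(encoding_options(SECRET_BLOB))
```

With the standard table this reproduces the familiar version-40-L limits (2953 bytes, 4296 alphanumeric characters), and for the blob it reports: raw bytes fit, base64 in byte mode does not, base64 in alphanumeric mode is impossible, base32 in alphanumeric mode fits. At level H none of them fit, which is the real-world reason secret-key QR codes are usually generated at a low error-correction level.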

I’ve contemplated a startup that eliminates “checking in” at a doctor's office using paper or worse, a shared tablet, via QR code to personal smart phone form. Have at it hackers.

I'm currently working on a QR product for small business and companies. I hope to launch in 6 weeks in my home country.

QRs are truly powerful.

TIL you need to provide ID for TP in China.

The rent-a-gym, I guess the west solves that by having gym equipment in a park? An interesting solution to a busy city.

I'd guess that they're not used more in the US because of patent trolls.

Every post from a16z makes me hate my own profession.

This is a fantastic post. I particularly love the analysis about how QR codes have been underestimated in the US market. Great work by Avery Segal! He's been doing some great things at a16z. Rising star in tech!

QR codes are awful at usability. Shortlinks are much, much better.

I don't think that an average user wants to type in cryptic URLs rather than simply scanning a code. At least, if they know what to do. But I don't know how the adoption rate for QR code scanning is. Do the stock Android camera app and the iOS camera support QR codes yet?

No, Android has no built-in support.

And if you break your camera, you can't use QR-codes. Happened to me with Whatsapp Web.

Like I said, QR-codes are awful at usability and have extreme pitfalls. Shortlinks are quick, fast and concise and they take much less space.

Also, shortlinks do not mean "cryptic URLs". For example slush.org/L01 is much, much better and faster than some QR code, it's wayyyy more accessible and also more shareable. You can also tell people about it with just words that they can easily remember.

Stock iOS camera has supported QR codes for a few years now

Yeah, it's great UX to scan short links with your phone :)

And if your phone is broken? Or you want to share the resulting location? Do you share the QR-code? How about if your phone is charging somewhere else? Please.

QR codes are awful and have huge issues and pitfalls.

What is this garbage top 10 article? I could as well say "Remember 1 and 0? They're more powerful than you think since all computers use them to store your virtual copy."

I think they are talking about its usefulness as a cheap, easy, quick interface between computers and the physical world.

Oh, if they'd said useful I would stay quiet. The word they used was powerful.

I mean QR codes are just an encoded link, right? What is the big deal?

> I mean QR codes are just an encoded link, right

Encoded data. Could be a link. Could be WiFi credentials. Payment information. Any sort of identification code. Etc.
