Why does that QR Code go to justinsomnia.org? (justinsomnia.org)
309 points by jacobr on Jan 28, 2012 | 72 comments



QR codes are a massive phishing scam waiting to happen. I'll just go cover up the one at my bank with a sticker of the same exact size that links to my own site that looks exactly like the bank's site. Or maybe I'll put one on the ATM and see how long I get traffic before someone takes it down.


I also think QR codes could eventually be used by "shock site" trolls as in the bad ol' days on Slashdot. It's perfect because there's no way to inspect the URL before visiting the website. I've scanned a few QR codes on street lamps (for music events, etc.) and this is always in the back of my head.

Here's a much more fun example of a QR code prank: http://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/302963_1... (totally SFW of course)


I do agree that QR codes can be used for trolling, but there's absolutely no reason you can't inspect the URL before visiting a link from a QR code - all that's stored in the QR code, after all, is the URL!

The trivial technical solution is a QR code reader which tells you where you're going before it sends you there, which ZXing (the Barcode Reader for Android) and several iOS QR readers already do.


It's phishing. Sure, you're going to check the url. But most people won't. And simply being on the bank is going to be validation enough for most.


Short URLs (very common in the QR code space, for making a smaller code) quickly circumvent this solution. If I see "bit.ly/asdf", I'll assume they just shortened their URL.


And this is one of many reasons that URL shorteners must die. If it weren't for Twitter, people wouldn't be so used to blindly clicking through short URLs.

But anyhow, most URL shorteners offer an API to retrieve the long URL. You could implement that in your QR code scanner as well, for the most popular URL shorteners, to allow people to see where they will be redirected to.


Alternatively on Android, you can use FairyPreview to decode most minimized URLs for you before sending them to the browser.

https://market.android.com/details?id=com.fairyteller.linkpr...


And cell phones don't display long URLs, another phishing problem begging to be exploited.



No way to inspect the URL? What QR code reader do you use? I use Barcode Scanner, and when I scan a QR code, it always shows me the URL, and I have to click "Open browser" before it will actually browse to that URL.


Though they do pose an interesting avenue for protest/civil disobedience. I could easily post QR codes on fast food restaurants that go to PETA or on the back of bus seats that link to pages about transportation system corruption.

Or perhaps what would be even more fun, is I could put download links for movies on their own posters.


Yeah… if only anyone actually used qr codes.


Wow, never considered this but you're right. Scary. I'm glad I don't scan QR codes.


Scanning software should handle this just like browsers handle regular phishing sites. This won't eliminate the problem, of course, but it shouldn't be more dangerous than URL faking.


'cept if people are trained to use them. It's harder to read a URL on a mobile device. Plus I can change the URL and put up a new sticker. Or just use a bit.ly redirect. And then browsers would have to have a specific link warning instead of just having domain granularity.


This is a similar concern to the one that people kept raising about short URLs a year or two ago, but they're hardly uncommon now.


'cept I don't see any bit.ly links on Bank of America's website but I do see them using QR codes.


Yes, but you can also put a sticker that says "Go to www.bankofamerica-manage-account.com". Although, it's easier to notice, of course.


QR codes present a much lower barrier to entry though. That means they can be acted on before it occurs to the target that they should think about what they're doing.


They're also not human readable. I can imagine scanning a QR code and not noticing that the URL is somewhat off. If I was forced to type the URL, I would probably realize that it wasn't entirely legitimate.


When I worked in marketing communications, we had a policy that anything that could be mistaken as final, approved assets in a printed piece had to be covered with a big, diagonal, magenta "FPO" label (for position only). Whether it was an inaccurate placeholder image, or a justinsomnia QR code, it had to be obvious it was not the final art.


This only supports my long-running contention that normal people (outside of Japan) do not understand QR codes, and wherever they are printed, you would be better off writing a short URL. They are 1) opaque, 2) ugly, 3) impossible to memorize, 4) confusing to non-techies and 5) no faster than typing the URL for the majority of viewers.


I agree with your first four points, but how did you arrive at your fifth point? QR Code applications I've used scan in about 1-2 seconds (the time it takes to auto-focus), which I think is probably faster than typing a URL.


If you include the time it takes to download (or find) a QR Code app, it makes sense, considering that neither iOS nor Android come stock with a reader.


Agreed, no doubt it takes time to set up a phone to read QR codes. I was more interested to see whether there was some link/study which compared the actual processes of typing vs. scanning, which I thought was the intent of his fifth point.


We use QR codes extensively where I work. We use them in print ads and on TV commercials and I have a recurring nightmare that we'll use the 'wrong' QR code somewhere disastrous... like printing a link to our competitors on 10,000 brochures or something like that.

I insist that I check all QR codes before they're sent out, and I scan them with 2-3 different QR scanning apps.

As another commenter mentioned, I often send our QR codes to a redirector URL - either a branded redirector service I built, or to a WordPress site with the redirection plugin, or even to its very own domain name which is configured for forwarding.


In TV commercials? Is the expectation that people will grab their phone, turn it on, launch a scanner app and run to their TV before the commercial ends?


Very curious - are they actually effective? Do people use them? What's the "click-through" rate like?


They are not very effective... yet. At this point the 'click through' rate is a fraction of a percent. The reason we're doing it is so that we will be prepared - the day that Android or iOS includes a QR code reader built into the OS (it will happen) usage will go through the roof.


WP7 has them built in, and I agree, it _is_ rather convenient. But as other commentators mentioned, it is a phishing disaster waiting to happen because the UI doesn't display the full URL if it gets too long.


An interesting data point - Storm On Demand (http://www.stormondemand.com/) use AdWords a lot, and I'm always seeing their ads (clearly Google has designated me their target market - correctly).

Some of their MPU adverts had QR codes in them, and I called this out on Twitter telling them it was moronic to think that anyone would want to scan the QR code off an advert rather than just click it. Their response was that in their testing of many different adverts, the ones with QR codes were getting the best CTRs. They didn't know the reason for this, and neither do I - but it's interesting nonetheless.


It'd be interesting to compare the CTR to the scan-through rate (% of people that scan the actual QR code).

I'd imagine that quirkiness of a QR code to the average user would pop-out of the page quicker and catch their attention faster than a normal image would.


I did ask that and, while they obviously didn't give figures for either, did say that by CTR they were judging actual clicks - i.e. yes, it was a case of having a QR code making people click it, not that it was making people scan it.

(They were also tracking QR scans separately, but didn't say how well that was going.)


As an aside - you're seeing lots of Storm On Demand ads because you've been put on a remarketing 'list'. See http://www.google.com/ads/innovations/remarketing.html


In my experience it's never a good idea to point a QR code to a fixed domain. Always create a little redirect app where you can define later on what target the link should point to.

So for example point the link to http://mysite.com/qr

where you have a little redirection PHP file that you can edit at any time.
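The editable redirector described in this comment, written here as an added example in Python (not the commenter's PHP file and not anything from justinsomnia.org). It assumes the printed code carries a fixed URL such as http://mysite.com/qr and that the operator keeps the current targets in a small JSON file (the file name `qr_targets.json` is an assumption). The destination comes only from that file, never from the request, so the endpoint cannot be turned into an open redirect, and a 302 is used so the mapping is not cached by browsers or scanners.

```python
"""Editable QR-code redirector (added example, not the thread's own code).

A printed QR code points at a fixed path such as /qr on your own domain; the
server looks that path up in a JSON file the operator edits later, and answers
with a 302 to the current target. Reprinting is never needed.
"""
import json
import os
from urllib.parse import urlsplit
from wsgiref.simple_server import make_server

# Assumed file name. Contents look like {"/qr": "https://www.example.test/spring"}.
TARGETS_FILE = "qr_targets.json"


def load_targets(path=TARGETS_FILE):
    """Read the path -> target map on every request so edits take effect at once."""
    with open(path) as fh:
        return json.load(fh)


def is_safe_target(url):
    """Only absolute http(s) URLs may be used as a destination.

    This rejects things like 'javascript:' or protocol-relative strings that
    could slip into the file by mistake.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def resolve(path, targets):
    """Return (status, headers, body) for a request path.

    The destination is taken from the operator's map, never from the request,
    so there is nothing a visitor can supply to change where they are sent.
    """
    target = targets.get(path)
    if target is None or not is_safe_target(target):
        return "404 Not Found", [("Content-Type", "text/plain")], b"unknown code\n"
    # 302 (not 301) so browsers and scanner apps do not cache the old target.
    headers = [("Location", target), ("Cache-Control", "no-store")]
    return "302 Found", headers, b""


def app(environ, start_response):
    """Minimal WSGI entry point: one lookup, one redirect."""
    status, headers, body = resolve(environ.get("PATH_INFO", ""), load_targets())
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Constructed sample map for a local run; edit the file while the server runs
    # and the next scan follows the new target.
    if not os.path.exists(TARGETS_FILE):
        with open(TARGETS_FILE, "w") as fh:
            json.dump({"/qr": "https://www.example.test/spring-campaign"}, fh)
    print("serving on http://localhost:8000/qr")
    make_server("", 8000, app).serve_forever()
```

Because the file is re-read per request, "changing where the code goes" is a one-line edit with no restart; logging `PATH_INFO` and the User-Agent in `app` is the natural place to count scans per printed code, which is what the thread's `website.tld/qr` convention is for.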


As a user, that would really annoy me. I like to know where I'm going before I put a URL in my browser.


Any URL can send you anywhere. If you trust the origin of the QR-code, there's no reason to not trust going to /qr.

For the record, I agree with reviewing the URL before hitting it, but if the domain matches what I expect, I'd be strongly inclined to trust the rest.


I don't think the majority of users check the URL of the QR code. Why wouldn't you trust the advertiser? I think it's really rare to see an advert that looks innocent, but actually isn't, and at the same time contain a QR code that has a "malicious-looking" URL.


I guess I'd trust ads more than random QR codes on blogs. My point is, if the point of a redirect is that you can send people to a different page later in time, then you really can't depend on the QR code taking you where you expect, or even to the same page that it used to go to.


If this is such a concern, you can always have your browser ask you for permission before it follows a redirect. Any URL anywhere could potentially redirect.


I guess the point is that there is a certain amount of comfort to be had if the URL is http://www.domainname.com/ because at least then you know that any redirects are intended for the entire world: no one is shuffling you through ad trackers making you feel like a pawn.


And if you care that much about the URL you should be able to infer from website.tld/qr that it's a QR code specific URL to track hits.


But if it's a redirect, it could send me anywhere. That's what I don't like about it.


You just scanned an unreadable symbol. It could already send you anywhere. Vetting URLs by whether they look like they point at a redirect script seems like overkill.


Oh, actually I've never used a QR code reader that didn't show me the URL before letting me decide whether to go there.


Even that's not an absolute assurance, as millions of people who have failed to renew expired domains can attest. And the HTTP status codes have a whole block of redirect codes while just about every web server permits backend proxies. When you visit http://viral.example/ it can already send you anywhere; seeing the URL http://viral.example/qr only tells you that you're getting QR-specific content, and still does not tell you what that content is.


I guess the only problem is people can't recognize familiar URLs if you use a redirect page. If you link to a Facebook event for a concert, for example, people could see the trusted domain before visiting.


Consider what can be done with a punycode'd URL here, too.

Mix a QR with a little punycode and you easily can end up anywhere, even if you do (quickly) review the URL before the jump.
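Several comments above describe what a scanner can do on the user's behalf before opening the browser: show the decoded URL (the ZXing comment), expand URL shorteners so the real destination is visible (the bit.ly comments), and the punycode point made just above. The following is an added example of that inspection step in Python; it is not code from ZXing, FairyPreview or any other app named in the thread. It assumes the QR symbol has already been decoded to text, uses an assumed, non-exhaustive list of shortener hosts, and for offline use replaces the HTTP HEAD request with a constructed lookup table; a real resolver using the standard library is included but not exercised.

```python
"""Scanner-side inspection of a decoded QR payload (added example).

Given the text a QR decoder produced, report what a user should see before
"Open browser": scheme and host, whether the host is a known shortener (and
where its redirect chain ends), and whether the host uses punycode (xn--)
labels that may display as a look-alike of a familiar name.
"""
import http.client
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlsplit

# Assumed list of popular shortener hosts; not exhaustive.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
MAX_HOPS = 5


@dataclass
class Report:
    url: str
    scheme: str
    host: str
    warnings: List[str] = field(default_factory=list)
    final_url: Optional[str] = None


def decoded_host(host: str) -> str:
    """Return the Unicode form of an IDNA (xn--) host, or the host unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def follow_redirects(url: str, resolve: Callable[[str], Optional[str]], max_hops=MAX_HOPS) -> str:
    """Walk Location headers one hop at a time; stop on no redirect, a loop, or max_hops."""
    seen = [url]
    for _ in range(max_hops):
        nxt = resolve(url)
        if not nxt:
            return url
        nxt = urljoin(url, nxt)        # Location may be relative
        if nxt in seen:                # redirect loop
            return nxt
        seen.append(nxt)
        url = nxt
    return url


def inspect_payload(text: str, resolve: Optional[Callable[[str], Optional[str]]] = None) -> Report:
    """Build the report a reader should show before handing the URL to the browser."""
    parts = urlsplit(text.strip())
    host = (parts.hostname or "").lower()
    report = Report(url=text, scheme=parts.scheme.lower(), host=host)
    if report.scheme not in ("http", "https"):
        report.warnings.append(f"not a web URL (scheme {report.scheme or 'none'!r})")
        return report
    if report.scheme == "http":
        report.warnings.append("plain http: page can be altered in transit")
    if any(label.startswith("xn--") for label in host.split(".")):
        report.warnings.append(f"punycode host: displays as {decoded_host(host)!r}, check it carefully")
    if host in SHORTENER_HOSTS:
        report.warnings.append("URL shortener: destination hidden")
        if resolve is not None:
            report.final_url = follow_redirects(text.strip(), resolve)
    return report


def http_head_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real resolver: one HEAD request, returning the Location header without following it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path)
    location = conn.getresponse().getheader("Location")
    conn.close()
    return location


# Constructed, offline stand-in for HEAD requests: URL -> Location header (None = no redirect).
FAKE_LOCATIONS = {
    "http://bit.ly/asdf": "http://qrserv.example/?adid=constructed",
    "http://qrserv.example/?adid=constructed": "https://www.example-bank.test/login",
}


def fake_resolve(url: str) -> Optional[str]:
    return FAKE_LOCATIONS.get(url)


if __name__ == "__main__":
    # Constructed look-alike host: Latin "b", Cyrillic "а" (U+0430), "nk".
    lookalike = "b\u0430nk.example".encode("idna").decode("ascii")
    for payload in ("http://bit.ly/asdf", "https://www.justinsomnia.org/", f"https://{lookalike}/", "bit.ly/asdf"):
        r = inspect_payload(payload, fake_resolve)
        print(r.url, "->", r.final_url or r.host, r.warnings)
```

The punycode check is deliberately blunt: any `xn--` label is surfaced with its Unicode rendering so the user compares it against the name they expected, which is the one thing a look-alike domain relies on them not doing. Swap `fake_resolve` for `http_head_location` to expand real shorteners; the hop limit and loop check keep a hostile redirect chain from running the scanner in circles.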


Would you really be worried if AirBNB had a QR code which took you to http://airbnb.com/qr because it might be a redirect which could take you anywhere?


Currently, no. But I would be mad if they sold a redirect to someone else and it took me where I didn't expect. And if that happened often, then I would get more suspicious of redirects over time.


How about the more likely version: http://qrserv.clearcast.com/?adid=239af932e which redirects to http://airbnb.com/?


I don't much use QR codes, but when I want to go to a URL I got in email, and it looks like that, even if the email otherwise seems legit, I just type in the URL to the real site directly. Clicking on such a link feels like deliberately falling for a phish.


It's very common to use shortened URLs to decrease the complexity and size of the resulting code. I don't think most users scanning codes are any more concerned than they are clicking on a shortened twitter link.


"it's never a good idea to point a QR code to a fixed domain" why not?


Does anyone know of a FF plugin that will decode QR codes in images on a page, and maybe even turn them into live links? Here's one for Chrome: https://chrome.google.com/webstore/detail/bfdjglobiolninfgld...


Here's our Mac OS X program that reads QR codes anywhere on your screen -- any program (browser, editor) -- and makes them live links.

http://www.ripeapps.com/#qrreader


Check out the discussion here http://hackerne.ws/item?id=3532925



It says no.


One way to combat the issue is to create a "designer code", which is an intricately designed QR code. You can check out examples at http://www.paperlinks.com/designercodes.php. It is much harder for wrongdoers to mimic one of these.


There is a Vietnamese restaurant here in London where waiters have QR-codes in the back of their tees. Just last week I was there and some older guy was following a cute tall and slim waitress around with his iphone, trying to scan it. Creepy as fuck, but I guess it was justified by the QR code placement.


Interesting story, though I don't understand what he says at the end about not being able to redirect the QR Code to another link because the QR Code is the link. Why not just send a 302 redirect?

He sounds like he wouldn't do it on principle, but I don't understand the technical reason why he couldn't.


Because then his blog would be unavailable? The code points to the root of his domain.

And even if he was willing to have his blog redirect to that other site, there's still the issue about all these other misprinted codes. If they point to $randomblog it's mostly funny. If they point (via the redirect) to $possible_competitor, it's much worse.


He already indicates in the paragraph just before that he technically could redirect the traffic -- that he offered to send all IPs from Belgium to some Belgian company which had accidentally used his QR code in actual advertisements. (And that they declined because he asked too much money.)

There is no technical barrier to redirection. What he actually says is "What does that mean? I’m guessing they think I can somehow magically cause that QR Code (which they accidentally used in something printed?) to redirect to another URL. I don’t think they understand that the QR Code IS the URL."

Notice the word order. He's "guessing what they think", and his guess is that they think he can "magically cause the QR code to redirect to another URL" -- the object of the sentence is not his domain, and not his URL, but the QR code. (He's saying that they've phrased it as if there is a QR code database where the code must be looked up.)


It points to his top level. He'd be sending traffic away from his site unless he managed to filter it somehow.


Side note, Justin's an awesome guy, he just did a short stint as a co-worker at Kiva for the last 4-5 months, but is now working on a startup. We had a great laugh around the office last month when he was still here.


Odd, I thought it would have created a larger ripple after reading. See here: http://www.alexa.com/siteinfo/http://justinsomnia.org


Okay, that explains why http://miniqr.com/justinsomnia is one of the most visited pages on miniqr: the QR code was scanned via http://miniqr.com/reader.php more than 100 times. (A nice gallery of the people who scanned the QR code is visible if you visit the first URL.)


QR codes are the new XML. Great technology that's perfect for a certain role but being used in far too many other roles where it's a horrible fit. But it's another buzzword for a resume!


Not just another buzzword for a resume, I put one on my resume. I got more responses but no more offers doing that. It seemed to grab attention and then distract people.


Funny. I used his QR code to test my barcode scanner when I first got it working in my iPhone App.

+1 pageview.


Would be great for viral marketing. As far as I know it is possible to forge codes that are valid but have an image embedded. A stick figure giving another one oral pleasures, for example. Place it in the streets and people who think of QR codes as random jumble will see it as a funny coincidence, take a picture for the funny pages and maybe decipher it and visit your erotic gadgets shop.

