Maybe this is common outside of where I live and I'm blissfully unaware, but I went on a work trip recently and was surprised/disturbed by how every lunch/dinner spot was QR code menus. Multiple of these links went through a marketing platform redirect and the only reason this was obvious to me was the preview dialog on the iPhone camera showed a different domain than the page I landed on. I read the privacy policy for one of these platforms and it was not great.
It's already hard enough to get people to understand how URLs work, QR codes really don't help. Certainly it's in the best interest of corporations to scan codes in emails for security purposes, but I think it's on QR code reader producers (e.g. Apple via iOS camera) to make the concept safer somehow. I'd also really like to see well meaning people, like restaurants, create codes that do not use redirects or any other trickery and to have the link written out for the rightfully paranoid. And paper menus would be cool too...
Right now they're using QR code menus to push ads and collect/sell your personal data, but the ultimate goal with QR code menus is being able to gather data from your phone (like a device ID), use that to get information about you (like your income level or past purchase history), use that data to algorithmically determine how much money they can extract from you, and then finally push to your screen a menu where the prices are all individualized for you. That way they can charge you more for the same menu item than they charged the person sitting next to you, and you'll never even be aware of it.
Right now the main thing holding them back from doing that is that consumers tend to think this kind of discriminatory pricing is unfair (https://link.springer.com/article/10.1057/s41272-019-00224-3). There's a lot of work going into trying to get people to accept the idea that some people can (or should) get different prices than others for the same goods/services. Prices should be fully transparent and the same for everyone no matter who they are.
Be very careful when using QR codes for anything that results in a displayed price. Maybe compare the prices on your device with what's shown on the devices of the other people you are with, or better yet just insist on paper menus and walk away if they can't accommodate you.
The reason for the redirect is probably so that they can change the URL without reprinting the menus. For example, if a small business changes who they get to do their online ordering system, sometimes that involves a URL change because coordinating the transfer of control of domain registration, DNS (and consequently sometimes email) and website hosting, and preserving the old URLs (or even just the entry point) on the new system is too difficult.
I don't think the lack of redirects would really resolve anything either. You either trust that the QR code you're scanning was really generated by the organisation you think it was, or you don't. If you trust them then you can also trust their redirects.
Does Squarespace or Wix provide you your own link shortener and analytics for scanned codes?
Your average restaurant owner is not likely going to pay an IT consultant extra money to operate a link shortener for them on the GoDaddy domain they bought in 2006.
Your average small business doesn't control "their own domain". They have some IT or marketing company managing it for them. The problem comes when they want to switch supplier, and either the losing or winning subcontractor doesn't want, or more often doesn't have the ability, to facilitate a seamless handover.
When you're a supplier of something related, you don't want to be caught up with this, so in this case for example I speculate that one reason a marketing company providing QR codes will use a redirect is to avoid having to say "sorry we can't change the URL without reprinting".
I buy the first paragraph. Disagree on the 2nd though for two reasons:
1: The codes are outside in a public space. They could easily be replaced, I do not trust them.
2: Even if I trust the code is what the business intended to produce doesn't mean that I would like to consent to the privacy policy of or provide any information to the 3rd party they chose.
The 2nd point is made worse by how in some cases there isn't an option to decline. And do some QR code readers do a pre-fetch or fully resolve the rendered domain/URL? I would take a bet yes.
> The codes are outside in a public space. They could easily be replaced, I do not trust them.
This applies whether there's a redirect in place or not. If you're in the "False Napkin Restaurant", and they have QR codes that take you to falsenapkin.com, I could just register falsenapkinrestaurant.com and replace the menus. Ordinary people will have no way of knowing the difference.
> doesn't mean that I would like to consent to the privacy policy of or provide any information to the 3rd party they chose
That's an issue regardless of whether there's a direct client-side redirect or if there's just some JavaScript inclusion going on that was provided by a third party but without an explicit redirect. Either way, your data can be used by whoever the restaurant has contracted and your ability to consult their privacy policy remains the same.
Sorry, my headspace for disagreeing is that QR codes shouldn't be the menu. Yes to the point that removing redirects does not solve malicious replacements with look-alike domains. In the case of a direct link with 3rd party JS, though, I mean there are tools that can prevent that while still providing access to the menu. If my content blocker blocks the QR code providing service then I can't get a menu. If my content blocker blocks 3rd party non-functional JS then whatever, I don't notice.
> I went on a work trip recently and was surprised/disturbed by how every lunch/dinner spot was QR code menus
There have been recent newspaper articles about how restaurants are now abandoning QR code menus.
Mostly because customers don't like them. But also because it turns out to be both a greater expense and an inconvenience to update the menus electronically, rather than to print new menus, or have their go-to printing company make the updates.
Restaurants are short-staffed, and don't have the time or technical ability to maintain electronic menus quickly or cheaply.
People have been pasting bogus QR codes on the parking meters where I live. They go to web sites that collect your credit card information, then forward you to the real web site.
Someone put up fake "Pay to park" signs with QR codes on them in the parking garage of the hotel across the street. The hotel has no pay-to-park mechanism. You give the hotel your license plate number when you check in and the fee is added to your bill.
Public trust of QR codes is such a massive security flaw.
Ah! Yeah - this happened at my college. They sold the [huge] parking lot adjacent to the main union area to the company that owns all the lots in the city since it was so torn up and [assuming] didn't want to pay to fix it.
Before it was sold, you just bought a little placard that hung from your rear-view mirror to park in the lot.
Well - the company it was sold to has been doing the QR thing for years at this point so they just implemented it after a quick repaving and that was that.
It's been a few people at this point who simply make a clone of the parking website and slap their own QR code stickers on a bunch of the spots. If you saw a ticket on the windshield upon returning to the car, most people assume they made a mistake so they are double paying for the spot. Once to a phisher and once to the actual company in the form of a ticket.
Company has sent out a ton of emails about it but because the lot is so high-volume [it's next to a new stadium so it's no longer just business hours college parking] the ability to make a quick buck so easily is just...there. No changes being made by the company - you'll see a thread pop up on the city subreddit about it every now and then where others share their own experiences - and that's as far as it goes.
The only surprising part in your story is that QR code scamming is somehow not a massive industry by now. Any charge and data collection could be easily hijacked.
Entering Louvre? Scan this QR code real quick for a ticket. Waiting in line in a USCIS office? Scan this QR code and pre-register with ALL your personal details.
Like if a popular QR code generator and redirector hosting service supported this and signed my QR code, couldn’t I just change the redirect but the original target URL is still valid? You could try to detect redirects but that could be tricky once JS is involved.
QR codes shouldn't exist in 2023, change my mind. We can recognize plants, animals and landmarks using our phones, why can't we just read URLs with our cameras?
Politely disagree. They are a durable machine readable means to communicate data. I would argue that when a QR code is read, more tech controls need to be in place to protect users prior to where they're navigating to (show full unrolled URL, big confirm button, check URLs against malware/malicious URL databases).
Humans already don't check URLs carefully (email phishing and the efforts to encourage better behavior and awareness around that), they use QR codes because they are easy vs typing in the URL. If the camera read a URL with high confidence, people would still not check it. Humans are always the weakest link. Do more to protect the human.
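One shape of the "tech controls" this comment asks for, written as an added example (not code from any commenter, reader app or vendor in the thread): a preflight that unrolls HTTP redirects, reports the landing domain next to the domain the code actually encodes, and flags punycode and blocklisted hosts. The fetcher is injected so the example runs offline on constructed sample redirects; a real reader would issue the request with JavaScript disabled, which is why JS-driven redirects stay out of reach here.

```python
from urllib.parse import urlparse, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

def registrable_domain(url: str) -> str:
    """Last two host labels, e.g. 'menu.falsenapkin.test' -> 'falsenapkin.test'.
    Simplification for this example; production code should use the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def unroll(url: str, fetch) -> list:
    """Follow HTTP redirects. fetch(url) returns (status, Location header or None).
    Only server-side redirects are visible; JavaScript redirects are not."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise ValueError("redirect chain longer than %d hops" % MAX_HOPS)

def preflight(scanned_url: str, fetch, blocklist=frozenset()) -> dict:
    """Return the unrolled chain plus the warnings a reader should show before navigating."""
    chain = unroll(scanned_url, fetch)
    warnings = []
    if urlparse(scanned_url).scheme != "https":
        warnings.append("scanned URL is not https")
    if registrable_domain(chain[0]) != registrable_domain(chain[-1]):
        warnings.append("lands on a different domain than the code encodes")
    for hop in chain:
        host = urlparse(hop).hostname or ""
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("internationalised (punycode) host: %s" % host)
        if registrable_domain(hop) in blocklist:
            warnings.append("blocklisted domain: %s" % registrable_domain(hop))
    return {"final_url": chain[-1], "chain": chain, "warnings": warnings}

# Constructed sample data (hypothetical .test hosts): a marketing-platform
# redirect in front of a restaurant menu, plus a direct non-https link.
SAMPLE_REDIRECTS = {
    "https://qr.example-marketing.test/abc123": (302, "https://menu.falsenapkin.test/lunch"),
    "https://menu.falsenapkin.test/lunch": (200, None),
    "http://falsenapkinrestaurant.test/pay": (200, None),
}

def sample_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs answer 404."""
    return SAMPLE_REDIRECTS.get(url, (404, None))
```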
In that sense a human-readable link is more secure than a QR code, because you can at least read that it's "td.com" and not "xxx.win-lottery-get-pussy.tu".
There's a chance that people won't even point their cameras at URLs like this. Scroll this page down, someone said they scan every code just out of curiosity.
Error correction. Abrading one character in a URL will break it (or make it subject to a MITM attack via lookalike domains or whatever).
QR codes are insanely durable and redundant and can survive a lot of wear and tear. It's also a binary works-or-doesn't, as opposed to an OCR algorithm with probabilistic correctness.
And UX. People know what to do about a square barcode (thanks to covid). Nobody is gonna know to take a picture of a URL (they can in fact already do that and have it OCRed on many phones, but who knew?)
Qualified agree -- marketers and worse are abusing the naturally opaque entrance. Harken back to the days of certain bars being a supply of enslaved crew members via blackjack.