Sourced by: Cyber.GC.CA
Quick response (QR) codes are small white squares with two dimensional (2D) black markings, similar in look to a barcode. QR codes became more popular and widely used during the COVID-19 pandemic, offering touchless transactions, such as replacing paper menus with a QR code that displays the online menu when scanned. QR codes have also been used for COVID-19 screenings and contact tracing. QR codes are now being used for proof of vaccination requirements which may expand the landscape for threat actors to exploit QR codes and access your personal information.
How do QR codes work?
QR codes contain information that can be read by your device through the camera lens. There are three main types of user activities related to QR codes:
- Consuming is the most common activity. Users scan a QR code in order to read or review something like a restaurant menu or other documents.
- Sharing is becoming a common practice. Users present their 2D code to have their information verified (e.g. airline boarding pass, lottery tickets, or proof of vaccination).
- Generating is not as common but may occur if an application requires a code to perform an action, such as pairing a smart watch to a smart phone.
Are QR codes risky?
QR codes can contain personal information. They can also execute an action, such as opening a fillable PDF or online form, that prompts you to enter personal information. Once this information has been entered, scanning the QR code will display the stored information on your device. Some online forms also create a QR code once completed.
By scanning a QR code, you could be susceptible to the following risks:
- Tracking of your online activity by websites using cookies. Your data can be collected and used for marketing purposes without your consent.
- Collecting metadata associated to you, such as the type of device you used to scan the code, your IP address, location and the information you enter while on the site.
- Exposing financial data, such as your credit card number, if you used it to purchase goods or services on the website.
How can I protect my...?
Personal Information
- Use private browsing mode on your devices and consider using a browser with anti-tracking features.
- Be suspicious and carefully verify the website URL if a password or login information is requested after scanning a QR code.
- Check browser settings to disable cookies and storage of site data.
- Provide the minimum amount of personal information requested when completing online forms.
- Ask for the company’s privacy policy if you’re scanning their code to check in or access a service.
- Report suspected fraud or cyber incidents to your local police department, the Canadian Anti-Fraud Centre, or the Cyber Centre.
Devices
- Configure your device to ask permission and verification before launching the QR code action.
- Close your web browser if the QR code you scanned opened a suspicious site.
- Turn on automatic updates for your devices.
Personalized QR Codes
- Keep your personalized QR codes (e.g. proof of vaccination, boarding pass) in a secure folder on your device.
- Allow your code to be scanned only by a secure and verified application (e.g. provincial government proof of vaccination app).
For more information, click here