Wednesday 31 October 2012

Security Issues


While users might cognitively perceive the good features of QR codes, they may not intend to use those codes unless something is confirmed. They may want to personally ensure that a QR code is secure and dependable (Shin, Jung & Chang, 2012).

As the encoded information is intended to be machine readable only, a human cannot distinguish between a valid and a maliciously manipulated QR code (Kieseberg et al., 2011).

There is a proof-of-concept phishing attack on QR codes, which is based on the idea of changing the encoded data of a QR code by turning white modules into black ones (Khalil, 2012).

Depending on whether the reader is a human or an automated program (e.g., in logistics), different scenarios are possible (Kieseberg et al., 2011).
1. Attacking Automated Process: SQL injection (executing system commands, adding a user), Command injection (installing rootkits) and Fraud (changing the automated system).
2. Attacking Human Interaction: Phishing (setting up a fake website), Fraud (redirecting user to a cloned website), Attacking reader software (command injection), and social engineering tactics (poster offering discount in a nearby shop).
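For the automated-process case, the defence is to treat the decoded QR text as untrusted input. The sketch below is an added example, not code from the cited papers; the label format `PKG-` plus eight digits, the `parcels` table and the function names are assumptions made for illustration, and the sample rows and hostile payloads are constructed.

```python
import re
import sqlite3

# Assumed label format for this example: "PKG-" followed by exactly 8 ASCII digits.
LABEL_RE = re.compile(r"PKG-[0-9]{8}")


def open_inventory():
    """Create an in-memory inventory with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parcels (label TEXT PRIMARY KEY, destination TEXT)")
    db.executemany(
        "INSERT INTO parcels VALUES (?, ?)",
        [("PKG-00000001", "Vienna"), ("PKG-00000002", "Graz")],
    )
    return db


def lookup_bound_only(db, decoded_payload):
    """Second layer: the payload is bound as a parameter, so it is only ever
    compared as data and never parsed as part of the SQL statement."""
    row = db.execute(
        "SELECT destination FROM parcels WHERE label = ?", (decoded_payload,)
    ).fetchone()
    return row[0] if row else None


def lookup_parcel(db, decoded_payload):
    """First layer: accept only text that matches the expected label format.

    Anyone can print a QR code, so the decoder output is attacker-controlled.
    fullmatch() is used so trailing characters (including a newline) are rejected.
    """
    if not isinstance(decoded_payload, str):
        return None
    if not LABEL_RE.fullmatch(decoded_payload):
        return None  # reject; a real scanner would log this and divert the item
    return lookup_bound_only(db, decoded_payload)


if __name__ == "__main__":
    db = open_inventory()
    # Constructed scanner outputs: one genuine label, three manipulated ones.
    for payload in ["PKG-00000001", "PKG-00000001' OR '1'='1",
                    "x'; DROP TABLE parcels; --", "PKG-00000001\n"]:
        print(repr(payload), "->", lookup_parcel(db, payload))
```

Either layer alone stops the injection here; using both means a mistake in the format check does not reach the database as executable SQL.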

Mobile security in general is not nearly as thorough as one's computer security: "Fewer than 5% of people have got some form of security on their mobile devices".

As QR code technology develops, so do security applications. Norton already has a solution to some of the problems above, in the form of 'Snap'. The application is simply a QR code reader, but with the added advantage of the Norton virus and malicious website database, which allows the smartphone to be aware of the information the code is about to access so that necessary action can be taken.

It is argued that employing a reputable service provider to host your code on a platform adds an element of security. "A threat assessment service is provided along with the visual identification of the provider's name/logo which reduces the risk of it being a malicious code and signifies that it is a managed code" (Wehrs, 2012).
