Wednesday, 31 October 2012

Security Issues


While users might cognitively perceive the good features of QR codes, they may not intend to use those codes unless something is confirmed. They may want to personally ensure that a QR code is secure and dependable (Shin, Jung & Chang, 2012).

As the encoded information is intended to be machine readable only, a human cannot distinguish between a valid and a maliciously manipulated QR code (Kieseberg et al, 2011).

There is a proof-of-concept phishing attack on QR codes, which is based on the idea of changing the encoded data of a QR code by turning white modules into black ones (Khalil, 2012).

Depending on whether the reader is a human or an automated program (e.g., in logistics), different scenarios are possible (Kieseberg et al, 2011).
1. Attacking Automated Process: SQL injection (executing system commands, adding a user), command injection (installing rootkits) and fraud (changing the automated system).
2. Attacking Human Interaction: phishing (setting up a fake website), fraud (redirecting the user to a cloned website), attacking reader software (command injection), and social engineering tactics (a poster offering a discount in a nearby shop).

Mobile security in general is not nearly as thorough as computer security: “Fewer than 5% of people have got some form of security on their mobile devices”.

As QR Code technology develops, so do security applications. Norton already has a solution to some of the problems above, in the form of ‘Snap’. The application is simply a QR code reader, but with the added advantage of the Norton virus and malicious website database, which makes the smartphone aware of the information the code is about to access so that the necessary action can be taken.
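The two defensive ideas above, a scanned payload treated as untrusted data in an automated process and a decoded URL checked before it is opened, are sketched below. This is an added example, not code from the original post or from Norton; the `parcels` table, the sample payloads and the `shop.example` allowlist are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example"}  # assumption: hosts this deployment trusts

def make_db():
    """Constructed sample inventory for a logistics-style scanner."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parcels (code TEXT PRIMARY KEY, dest TEXT)")
    db.executemany("INSERT INTO parcels VALUES (?, ?)",
                   [("PKG-1001", "Dublin"), ("PKG-1002", "Sligo")])
    return db

def lookup_unsafe(db, scanned):
    # Vulnerable: the scanned text becomes part of the SQL statement.
    query = f"SELECT dest FROM parcels WHERE code = '{scanned}'"
    return db.execute(query).fetchall()

def lookup_safe(db, scanned):
    # Hardened: the scanned text is bound as data and never parsed as SQL.
    return db.execute("SELECT dest FROM parcels WHERE code = ?",
                      (scanned,)).fetchall()

def url_is_acceptable(scanned):
    """Check a decoded URL before opening it: HTTPS only, exact host match."""
    parts = urlsplit(scanned)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"                    # constructed manipulated scan
    print(lookup_unsafe(db, payload))           # every row leaks
    print(lookup_safe(db, payload))             # no row matches
    print(url_is_acceptable("https://shop.example.evil.test/offer"))
```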

It is argued that employing a reputable service provider to host your code on a platform adds an element of security. “A threat assessment service is provided along with the visual identification of the provider’s name/logo which reduces the risk of it being a malicious code and signifies that it is a managed code” (Wehrs, 2012).

Tuesday, 30 October 2012

Legal Issues with QR Codes


QR codes were originally developed for tracking parts in vehicle manufacturing and were then standardized by the Association for Automatic Identification & Mobility (AIM), Japanese Industrial Standards (JIS) and International Standards Organisation (ISO).

QR Codes are open in the sense that the specifications of QR Codes are disclosed and that the patent right owned by Denso Wave is not exercised. They can be used by anybody free of charge, as Denso has released the patent into the public domain. A data structure standard is not a prerequisite for current usage (Soon, 2008).

In Ireland, there is nothing in the data protection legislation to prevent the use of QR codes. There have been various reports to the Data Protection Office of misuse of QR codes – for example, codes leading to malware sites (Data Protection Office, 2012). This means that QR Codes have not been tested for misuse and therefore there is no legal structure around them.

“Today's legal concepts, procedures, and structures are insufficient to keep pace with technological advance. Our legal systems need to develop to ensure that technology serves as many people as possible and disservices as few as possible” (Bach, Ivinson & Weeramantry 2001).

Monday, 29 October 2012

QR Code Printing Size/ Error Correction Levels contd.


The data shown below is the QR Code Size Specification (Source: QR Stuff, 2011).
Modules: Number of rows and columns of little black squares in the QR code image.
Characters: Approximate number of characters that would normally fit into a QR code with that many modules using binary data encoding (most do) and Level L error correction.
Scan Distance: The distance the camera is being held away from the printed QR code.



This is also one of the reasons why a QR code containing the same data will look different depending on which QR code generator you use – it depends on the error correction level being used by that particular website. Even though there is a single ISO standard for QR codes, there are variables within the ISO standard (error correction level being one of them) that will result in a different looking QR code image based on how that particular QR code creation website sets these variables.
As the data load gets higher, the modules (cells) get smaller hence a denser QR Code image (See below).


Thursday, 25 October 2012

Error Correction Levels



QR Codes have an error correction capability where data can be restored even when substantial parts of the code are distorted or damaged.
These are maximum numbers, and the amount of text space available to you depends upon which of the four error correction schemes is used. The error correction algorithm is based upon Reed-Solomon, and comes in four correction levels.
1. Level L – 7% of characters can be restored (default)
2. Level M – 15% of characters can be restored (most often used)
3. Level Q – 25% of characters can be restored
4. Level H – 30% of characters can be restored
Level L and M are most suitable for codes found in clean environments where the code will not get damaged. Level Q and H are for dirty environments, as in manufacturing plants. The error correction level that you use will dictate the amount of text that can be encoded. For example, Level L will allow you to encode 4,296 characters, while Level H only allows for 1,852 characters.


The lower the error correction level, the less dense the QR code image is, which improves minimum printing size.
 The higher the error correction level, the more damage it can sustain before it becomes unreadable.
 Level L or Level M represent the best compromise between density and ruggedness for general marketing use.
 Level Q and Level H are generally recommended for industrial environments where keeping the QR code clean or un-damaged will be a challenge.


Wednesday, 24 October 2012

QR Codes - Technical Details

 A QR Code is a matrix code developed and released primarily to be a symbol that is easily interpreted by scanner equipment. It contains information in both vertical and horizontal directions, whereas a classical barcode has only one direction of data (usually the vertical one). Compared to a 1D (1 Dimensional) barcode, a QR Code can hold a considerably greater volume of information: 7,089 characters for numeric only, 4,296 characters for alphanumeric data, 2,953 bytes of binary (8 bits) and 1,817 characters of Japanese Kanji/Kana symbols.





Finder Pattern (1): The Finder pattern consists of three identical structures that are located in all corners of the QR Code except the bottom right one. Each pattern is based on a 3x3 matrix of black modules (red in diagram for illustration purposes) surrounded by white modules that are again surrounded by black modules. The Finder Patterns enable the decoder software to recognize the QR Code and determine the correct orientation.

Separators (2): The white separators have a width of one pixel and improve the recognisability of the Finder Patterns as they separate them from the actual data.

Timing Pattern (3): Alternating black and white modules in the Timing Pattern enable the decoder software to determine the width of a single module.

Alignment Patterns (4): Alignment Patterns support the decoder software in compensating for moderate image distortions. Version 1 QR Codes do not have Alignment Patterns. With growing size of the code, more Alignment Patterns are added.

Format Information (5): The Format Information section consists of 15 bits next to the separators and stores information about the error correction level of the QR Code and the chosen masking pattern.

Data (6): Data is converted into a bit stream and then stored in 8 bit parts (called codewords) in the data section.

 Error Correction (7): Similar to the data section, error correction codes are stored in 8 bit long codewords. (discussed later)

Remainder Bits (8): This section consists of empty bits if data and error correction bits cannot be divided into 8 bit codewords without remainder.

The entire QR Code has to be surrounded by the so-called Quiet Zone (also called the buffer zone), an area in the same colour shade as white modules, to improve code recognition by the decoder software.
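To make the Format Information (5) description concrete, the added example below (not from the original post) builds and decodes the 15-bit format word: two bits for the error correction level, three for the mask pattern and ten BCH check bits, XORed with a fixed mask. The constants `0x5412` and `0x537` and the level bit assignments come from the QR Code specification rather than from this page; the damaged word is constructed.

```python
# Added example: QR format information (15 bits) encode/decode.
FORMAT_MASK = 0x5412   # fixed XOR mask applied to every format word
GENERATOR = 0x537      # BCH(15,5) generator polynomial
EC_LEVELS = {0b01: "L", 0b00: "M", 0b11: "Q", 0b10: "H"}

def bch_remainder(data5):
    """Remainder of data5 * x^10 divided by the generator, over GF(2)."""
    value = data5 << 10
    for shift in range(4, -1, -1):
        if value & (1 << (shift + 10)):
            value ^= GENERATOR << shift
    return value

def encode_format(ec_bits, mask_pattern):
    """Build the 15-bit word: 2 EC bits, 3 mask bits, 10 BCH bits, then XOR."""
    data5 = (ec_bits << 3) | mask_pattern
    return ((data5 << 10) | bch_remainder(data5)) ^ FORMAT_MASK

def decode_format(raw15):
    """Return (ec_level, mask_pattern, bits_corrected), or None if too damaged."""
    def distance(data5):
        return bin(encode_format(data5 >> 3, data5 & 7) ^ raw15).count("1")
    best = min(range(32), key=distance)   # nearest of the 32 valid words
    if distance(best) > 3:                # the code only guarantees 3 corrections
        return None
    return EC_LEVELS[best >> 3], best & 7, distance(best)

if __name__ == "__main__":
    word = encode_format(0b01, 0)               # level L, mask pattern 0
    print(format(word, "015b"))
    damaged = word ^ 0b000010000100001          # constructed: three modules flipped
    print(decode_format(damaged))
```

Because any two valid format words differ in at least seven bits, a reader can repair up to three altered format modules, so a handful of recoloured modules in this region does not change the level or mask a decoder recovers.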

Tuesday, 23 October 2012

Smartphones in Ireland


RedC (a market research company) puts Irish household smartphone ownership at 49% of the population in 2011, but predicts it will accelerate to 71% by the end of the current year (2012). The statistical breakdown from these figures shows smartphone ownership at 62% male and 38% female, with 25-49 year olds making up over half of this.

Google-commissioned research shows how vital smartphones are when consumers are searching for local services – 89% seek out local businesses and 90% take action, such as making contact or transacting business.

Smartphone operating systems can also affect scanning results. For instance, some QR Codes may lead to an app store that is not dedicated to your phone's operating system. E.g. if your phone is an Android and you scan a QR Code that leads you to the ‘Apple’ market, the scan is void and will not take you any further. It is important for marketers to realise this if they are promoting an app download via a QR Code. The main two operating systems are seen below.


This QR Code on the Absolut Vodka bottle below scans. However, the user (Android) gets a blank page with the following written in small writing on the top: “you do not have permission to open this page”. This is a QR Code scan fail. The reason this Code did not scan effectively is that the QR Code only led to an App Store dedicated solely to iPhone users. In this case, the company should either not have used a QR Code or have used two QR Codes to suit the two main smartphone platforms, Android and iOS (Apple).



Below, Sligo Jazz Trail has embraced both of the major phone operating systems.



Monday, 22 October 2012

QR Code Measurement



QR Codes can assist the marketer in bridging the gap between offline and online. “QR Code is one of the few alternatives that enable consumers to transfer from one medium to another, more or less instantaneously – one of the most suitable tools for multichannel marketing”. For instance, they can be used to measure the effectiveness of a print advertisement in a newspaper, by asking the customer to scan the code in return for a money-off coupon, for example. This can ultimately help measure the offline success of a particular campaign, especially since the effectiveness of print advertising is almost impossible to measure.

Paul Crosbie, Managing Director from Metro Herald said: “This will give our newspaper a unique product and service that we can offer directly to advertisers and agencies. Metro Herald’s audience is a perfect fit for QR codes due to the high level of smartphone ownership and the regularity with which our readers access the internet via their handset”.

Measurement of all marketing methods is vital to what works in a particular organisation. QR Codes can be measured and can provide the marketer with much more knowledge about its customers than ever before. Colm Grealy, CEO of DRG said the results from recent campaigns with Metro Herald show that mobile marketing has exponential advantages for advertisers, ad agencies, retailers and traditional media publishers. “The opportunities for those in the digital media, marketing and advertising industry are extensive. QR codes enable customers to get information instantly whilst giving advertisers valuable customer information for future promotions”.