QR Code

What Is a QR Code

A QR code (Quick Response Code) is a square matrix-type two-dimensional barcode. It was developed in 1994 by a team at Denso (now Denso Wave) to streamline automotive parts production management. Unlike traditional barcodes that store information only horizontally, QR codes encode data in both directions, allowing thousands of characters to fit in a small area.

Originally designed for factory inventory management, QR codes spread explosively after Denso Wave released the patent for free use. Today they are used in payments, ticketing, URL sharing, business card exchange, and vaccination certificates.

QR Code Data Structure

Although QR codes appear to be random black-and-white dots, they have a precisely defined structure.

Finder Patterns
Large squares placed at three corners. They allow scanners to instantly detect the QR code's position and orientation, enabling reading from any angle.
Version Information
Indicates the QR code size. Ranges from Version 1 (21x21 cells) to Version 40 (177x177 cells). Higher versions store more data.
Error Correction Code
Uses Reed-Solomon codes to enable reading even when parts of the QR code are dirty or damaged. Four levels exist: L (about 7%), M (about 15%), Q (about 25%), and H (about 30%). Designer QR codes with a logo in the center rely on this error correction capability.
Data Region
The area where actual data is stored. Supports four encoding modes: numeric, alphanumeric, binary, and Kanji. The optimal mode is automatically selected based on the data type.

QR Phishing (Quishing) Threats

As QR codes have become ubiquitous, a new attack method called QR phishing (Quishing) is rapidly increasing. Attackers embed malicious URLs in QR codes to redirect users to phishing sites or malware distribution sites.

Quishing is more dangerous than traditional phishing because the QR code content cannot be visually verified. While you can hover over email links to check URLs, QR codes reveal their destination only after scanning.

Common Attack Scenarios

  • Fake QR codes in parking lots or restaurants: Attackers place fake stickers over legitimate payment QR codes, redirecting funds to their accounts
  • QR codes in emails: Disguised as security updates requiring a scan, these redirect to credential-harvesting sites. Email filters struggle to analyze QR codes within images, making them harder to detect than text-based phishing
  • Fake Wi-Fi QR codes: Replacing QR codes at cafes or airports to connect users to malicious networks

Practical Guide to Safe QR Code Usage

  • Verify the URL after scanning: Always check the URL displayed by your browser after scanning a QR code. If it is a shortened URL, expand it before accessing. Never enter personal information on non-HTTPS sites.
  • Be cautious with public QR codes: Visually check whether stickers have been placed over the original code or if printed materials have been tampered with. When in doubt, skip the QR code and access the official site directly.
  • Use your OS default camera app: Some third-party scanner apps collect scan history. The default camera apps on iOS and Android preview the URL before opening, providing better security.
  • Enable two-factor authentication: Even if you accidentally enter credentials on a phishing site, two-factor authentication can prevent unauthorized login.
  • Corporate countermeasures: Include Quishing examples in employee security training. Some email security products can analyze URLs within QR codes.
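The checks in this guide can be automated on the text a scanner returns before anything is opened. The following is an added example, not code from the original page: the function name, flag names, and shortener list are assumptions, and the user-info, IDN, and IP-literal checks go beyond the HTTPS and shortened-URL checks named above.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small illustrative set of shortener hosts, not a complete list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}

def triage_qr_payload(payload):
    """Return a list of warning flags for a decoded QR payload string."""
    text = payload.strip()
    flags = []
    # Wi-Fi join codes use the de facto "WIFI:T:<auth>;S:<ssid>;P:<pass>;;" form.
    if text.upper().startswith("WIFI:"):
        flags.append("wifi-join")
        # Naive field split; escaped ';' inside values is not handled here.
        fields = dict(f.split(":", 1) for f in text[5:].split(";") if ":" in f)
        if fields.get("T", "nopass").lower() == "nopass":
            flags.append("open-network")
        return flags
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. malformed IPv6 literal
        return ["unparseable"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["not-a-web-url"]
    if scheme == "http":
        flags.append("no-https")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        flags.append("userinfo-in-url")  # text before '@' can mimic a trusted name
    if host in SHORTENER_HOSTS:
        flags.append("shortened-url")  # expand before opening
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("idn-host")  # possible look-alike domain
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    return flags

if __name__ == "__main__":
    # Constructed sample payloads using reserved example names and addresses.
    for sample in ("https://example.com/menu", "http://bit.ly/abc123",
                   "https://pay.example.com@192.0.2.10/login",
                   "WIFI:T:nopass;S:Cafe_Free;;"):
        print(sample, "->", triage_qr_payload(sample))
```

An empty list means none of these heuristics fired, not that the destination is safe.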

Common Misconceptions

QR codes themselves contain viruses
QR codes are merely data carriers and cannot execute programs. The danger lies in the destination URL embedded in the code. Developing the habit of checking URLs after scanning is the most effective defense.
QR codes are read-only and cannot be tampered with
While the data within a QR code is fixed, physically replacing the code with a sticker or changing where a URL shortening service redirects amounts to tampering in practice. QR codes in public places always carry a tampering risk.