How To Prevent QR Hijacking
QR-jacking is the act of covering up a QR code and replacing it with an alternative - often malicious - code.
Your carefully crafted code could be replaced by one which...
- Points to a rival's site.
- Calls a premium rate phone number.
- Redirects the user to a site which EXPOSES THE TRUTH BEHIND...
- Goes to a non-legitimate site which asks for credit card / personal details.
- Downloads a virus or other form of malicious content.
It's a real threat - thankfully it's usually easy to spot. Especially in this case...
In the above image, it should be fairly obvious to anyone that the QR code has been replaced.
Combating QR Hijacking
There are some practical actions you can take to make sure that your code isn't hijacked.
- Say where your code will go. In your call to action, say something like "Scan for our mobile site". That way, it should be obvious that a code which tries to call a premium rate number is fraudulent.
- Don't use short URLs. How can a customer tell if bit.ly/CYRWP goes to your site or to a rival's? Always use your domain name in your QR codes.
- Place a logo in your QR codes. It's not foolproof, but it means the hijacker has to work harder to look legitimate.
- Use a light background colour for your code. It will mean the hijacker has to print on more expensive coloured paper and it is less likely to look like a seamless replacement.
- Track down hijackers. If your code is being redirected, try to track down those responsible.
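To check deployed codes against the first two points, you can decode each printed code and audit where it leads. The script below is an added example, not code from the original post; `example.com`, the shortener list and the sample scans are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: your own domain and a short, non-exhaustive shortener list.
EXPECTED_HOST = "example.com"
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
ACTION_SCHEMES = {"tel", "sms", "smsto"}

def audit_payload(payload, expected_host=EXPECTED_HOST):
    """Classify the text decoded from one printed QR code as (verdict, reason)."""
    text = payload.strip()
    parts = urlsplit(text)  # urlsplit lowercases the scheme and hostname
    if parts.scheme in ACTION_SCHEMES:
        return "reject", "places a call or sends a message instead of opening the site"
    if not parts.scheme and not parts.netloc:
        # Scanners commonly open bare "host/path" text as a web address.
        parts = urlsplit("http://" + text)
    if parts.scheme not in ("http", "https"):
        return "reject", "unexpected scheme"
    host = (parts.hostname or "").rstrip(".")
    if host in SHORTENERS:
        return "reject", "short URL hides the destination"
    # Exact match or a true subdomain only; "example.com.rival.test" must not pass.
    if host == expected_host or host.endswith("." + expected_host):
        return "ok", "lands on " + host
    return "reject", "lands on foreign host " + host

def audit_placements(scans, expected_host=EXPECTED_HOST):
    """scans maps a poster location to its decoded payload; return only the failures."""
    findings = {}
    for location, payload in scans.items():
        verdict, reason = audit_payload(payload, expected_host)
        if verdict != "ok":
            findings[location] = reason
    return findings

# Constructed sample scans, as if decoded from photos of deployed posters.
SAMPLE_SCANS = {
    "foyer": "https://example.com/mobile",
    "stand 12": "bit.ly/CYRWP",
    "bus stop": "tel:+449098790000",
    "lift": "https://example.com@rival.test/mobile",
    "cafe": "http://m.example.com/menu",
}

if __name__ == "__main__":
    for place, why in audit_placements(SAMPLE_SCANS).items():
        print(place, "->", why)
```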
Finding Joachim Schmid
I am fairly confident that the above inept defacement was by Joachim Schmid. The above photo was taken at Olympia in London. The same defacement is recorded on the Nine Errors blog, which appears to be run by Schmid. The photo on the Nine Errors blog was taken on November the 18th, according to the EXIF data. Schmid was presenting his work at Olympia on November 18th.
The Nine Errors project is a slightly odd attempt by Joachim Schmid to "intervene" and redirect QR codes to error pages.
Need Help?
Want some bespoke QR advice? Give me a call.
Tim says:
Good news... I'll store this away. Terence, would like to get your thoughts on this... looks like a step in the right direction: http://www.mediapost.com/publications/article/163255/nfc-to-eclipse-qr-codes.html
All the Best
Terence Eden says:
NFC is a dead technology - read my thoughts at http://shkspr.mobi/blog/index.php/2011/03/the-problem-with-rfid/
Matt says:
Terence. Interested to read your thoughts on QR code hijacking. We are developing a very public facing QR (and NFC) application, and the hijacking aspect worries me - so I have been trying to think of ways to make the scammers' attempts harder to implement - for example, holographic QR codes, codes with background colours/images, as well as telling users this will redirect them to a specific URL (although we will be redirecting from there, which may complicate things!). But I am struggling to think of anything else...