How To Prevent QR Hijacking


QR-jacking is the act of covering up a QR code and replacing it with an alternative - often malicious - code.

Your carefully crafted code could be replaced by one which...

  • Points to a rival's site.
  • Calls a premium rate phone number.
  • Redirects the user to a site which EXPOSES THE TRUTH BEHIND...
  • Goes to a non-legitimate site which asks for credit card / personal details.
  • Downloads a virus or other form of malicious content.

It's a real threat - thankfully it's usually easy to spot. Especially in this case...

[Image: QR Jacking]

In the above image, it should be fairly obvious to anyone that the QR code has been replaced.

Combating QR Hijacking

There are some practical actions you can take to make sure that your code isn't hijacked.

  1. Say where your code will go. In your call to action, say something like "Scan for our mobile site". That way it should be obvious that a code which tries to call a premium rate number is fraudulent.
  2. Don't use short URLs. How can a customer tell if bit.ly/CYRWP goes to your site or to a rival's? Always use your domain name in your QR codes.
  3. Place a logo in your QR codes. It's not foolproof, but it means the hijacker has to work harder to look legitimate.
  4. Use a light background colour for your code. It will mean the hijacker has to print on more expensive coloured paper, and the replacement is less likely to look seamless.
  5. Track down hijackers. If your code is being redirected, try to track down those responsible.
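Points 1 and 2 can also be enforced on the scanning side. As an added example (not code from this post), here is a Python check a QR or NFC app could run on a decoded payload before acting on it: the target must be an https URL on the domain the call to action promised, never a tel:/sms: URI or a short-URL service. The expected domain, the shortener list and the sample payloads are assumptions made for the example.

```python
from typing import Tuple
from urllib.parse import urlparse

# Short-URL services to refuse (constructed list, not exhaustive; bit.ly is the one
# the post mentions).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def check_qr_payload(payload: str, expected_domain: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a decoded QR payload, judged against the domain the
    printed call to action promised. Hypothetical helper, not the blog's own code."""
    text = payload.strip()
    lower = text.lower()
    # A code advertised as "scan for our mobile site" must never dial or message.
    if lower.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        return False, "non-web scheme: " + text.split(":", 1)[0]
    parsed = urlparse(text)
    if parsed.scheme not in ("http", "https"):
        return False, "unexpected scheme: " + (parsed.scheme or "none")
    # hostname strips userinfo, so "https://good.example@evil.test/" yields evil.test
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_DOMAINS:
        return False, "short URL service: " + host
    # Accept the promised domain and its subdomains only; the leading dot stops
    # look-alikes such as "notexample.com" or "example.com.evil.test".
    if host != expected_domain and not host.endswith("." + expected_domain):
        return False, "domain mismatch: " + host
    if parsed.scheme != "https":
        return False, "plain http, expect https"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payloads: one legitimate code and four hijack patterns.
    samples = [
        "https://example.com/mobile",
        "http://bit.ly/CYRWP",
        "tel:+4409000000000",
        "https://example.com@evil.test/login",
        "http://example.com/",
    ]
    for s in samples:
        print(s, "->", check_qr_payload(s, "example.com"))
```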

Finding Joachim Schmid

I am fairly confident that the above inept defacement was by Joachim Schmid. The above photo was taken at Olympia in London. The same defacement is recorded on the Nine Errors blog, which appears to be run by Schmid. The photo on the Nine Errors blog was taken on November the 18th, according to the EXIF data. Schmid was presenting his work at Olympia on November 18th.

The Nine Errors project is a slightly odd attempt by Joachim Schmid to "intervene" and redirect QR codes to error pages.

Need Help?

Want some bespoke QR advice? Give me a call.



3 thoughts on “How To Prevent QR Hijacking”

  1. says:

    Terence. Interested to read your thoughts on QR code hijacking. We are developing a very public facing QR (and NFC) application, and the hijacking aspect worries me - so I have been trying to think of ways to make the scammers' attempts harder to implement - for example, holographic QR codes, codes with background colours/images, as well as telling users this will redirect them to a specific URL (although we will be redirecting from there, which may complicate things!). But I am struggling to think of anything else...

