I think you've still got a more complicated idea of what a QR code is than what it actually is.

Think of a barcode on an item at the supermarket (or the back of a book). The combination of different thicknesses of lines encodes a set of numbers in a standardised way that can be read by barcode scanners. And typically those numbers are also printed directly underneath for when the scanners fail and they have to be typed in manually by the checkout operator - it's not a *secret* code, it's just for machine convenience.

Could you hack a barcode on a chocolate bar? I guess you could get out a sharpie and with a very steady hand thicken a line so the scanner sees it as a different number and charges you for, I don't know, a tin of tuna instead. Or more easily, take a barcode off another product and wave that over the scanner instead. But that would only affect the chocolate bar in your hand - every other chocolate bar in the store will still scan as a chocolate bar.

QR codes are the same except they're two dimensional and they can encode letters as well as numbers so they can spell out a website address, or a set of contact details. Again, the code isn't secret, it's just machine-readable. So if you've printed a bunch of cards with a QR code encoding your name, phone, email etc, the only thing a nefarious party could even theoretically do (in practice it would take incredible skill!) would be to take one of those cards and enlarge some lines and squares so that someone scanning the code on *that particular* card will get a misspelled version of your name. Or they could glue another code over the top of it so people scanning it get a completely different set of contact details, or get taken to a website. But that wouldn't affect any of the other cards you've printed and shared.

If you're comfortable handing someone a normal business card with your name, email, phone number etc, then it's exactly as safe to hand them a card with a QR code that contains the same information.

The security issues we've talked about in this thread aren't about what people can do with the code after it's been generated - instead it's about the process of generating the code in the first place. That's where there's a risk of a "man-in-the-middle" attack. That is, the communication process goes: You -> QR code generator(*) -> Patron. The QR code generator is in the middle of that process so has an opportunity to change your message for their purposes. That means you need to trust them - or to verify their output by reading the code yourself before sharing it - but otherwise you're good.

Deborah
(*) It occurs to me that the QR code reader is next in this process. So plausibly a patron's QR code reader app might be tracking all the data they scan, and theoretically it could show them false data for some reason. But that a) would hopefully get bad ratings very quickly on the relevant app stores and b) isn't something you can do anything about short of just not using QR codes at all.


-----Original Message-----
From: Code for Libraries <[log in to unmask]> On Behalf Of charles meyer
Sent: Sunday, December 3, 2023 4:04 AM
To: [log in to unmask]
Subject: Re: [CODE4LIB] QR Code replacement for business card

Caution: This email originated from outside our organisation. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Thank you Erich and Thomas.

I now  have a better understanding of QR codes.

Is there something I can do to protect the "text" in my QR code?

You can imagine how some fraudster might want to manulute or misuse it?

Can I pw protect it?

It might seem cool one day to be able to add graphics (logo) and a live link to the QR code but with that comes vulnerabilities.

This conversation is so interesting (to me at least!).

I hope others have benefited from reading this thread.

Thank you again,

Charles.

Charlotte County Public Library

________________________________

"The contents of this e-mail (including any attachments) may be confidential and/or subject to copyright. Any unauthorised use, distribution, or copying of the contents is expressly prohibited. If you have received this e-mail in error, please advise the sender by return e-mail or telephone and then delete this e-mail together with all attachments from your system."