For those who don’t know, it’s where someone takes a QR code like on a poster for a concert and puts a sticker with a different QR code on top to a fake website that looks like the concert website (or a Rick Roll).
The obvious answer is to scratch off the QR code if you notice it’s a sticker, but it’s not always acceptable, or legal, to start damaging stuff to check if it’s real or not. Also, what if it’s out of reach on a sign or something?
You can’t put a little text under saying what the website is as a sort of checksum because the vandal can just write their own website under their sticker.
Plain, readable URLs rather than shortening services are a step in the right direction, but they won’t stop lookalike phishing.
While there’s probably no global solution, personally I use a QR Code reader that doesn’t actually use the URL, but just displays it and lets me copy it to the clipboard. That way I can inspect it, and if it doesn’t look right, ignore it.
Mine has a setting for it.
I just don’t scan QR codes.
Unfortunately sometimes it’s really hard to avoid. I’ve been to restaurants that don’t even have physical menus. You could probably find a menu on their website, but not always.
“Hi, I’d like a menu”
“Oh, our restaurant only has QR codes.”
“Ok, bye bye.”
“Sorry date/group of friends/family/work function, we can’t eat here. I don’t want to scan a QR code.”
Can I use your phone to view the menu? The camera in my phone is broken.
Which of those groups do you routinely lie to?
My uni makes you scan QR codes; that’s what sparked this question. I can’t change unis because of a QR code.
Like that one restaurant, with their fancy engraved QR code menus that linked to localhost.
As far as I know, the options are:
- Use a QR reader app that doesn’t auto open links (or lets you configure it like that), so you see the URL and inspect it before opening the URL in the browser.
- In case of a short URL, use a short URL resolver so you can see what the real destination is without actually opening the URL yourself.
- Use a DNS resolver with block lists (that are updated often) of known phishing sites.
If these 3 checks fail, there is not much more you can do.
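The first check above (read the URL before opening it) is easier to do consistently if something flags the usual warning signs for you. The following is an added example, not code from this thread or from any QR reader app: it takes the already decoded QR payload as a string and reports, without touching the network, the things a person would otherwise eyeball: non-web schemes, plain http, embedded credentials, odd ports, known shorteners, punycode labels, raw IPs, localhost, and lookalikes of a host you expected (digits swapped for letters, the real name buried inside a longer one). The shortener list, the confusable table and the sample payloads are constructed assumptions for illustration.

```python
"""Inspect a decoded QR payload before opening it (added example, not from the thread)."""
import re
from urllib.parse import urlsplit

# Assumption: a small hand-picked shortener list; extend it for your own use.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

# Digits that are commonly swapped for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def inspect_payload(payload: str, expected_host: str = "") -> dict:
    """Parse a QR payload and return its parts plus a list of warning strings.

    expected_host is optional: the domain you were told the code leads to
    (e.g. from the poster's own branding); lookalikes of it are flagged.
    """
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # wifi:, tel:, mailto:, intent: etc. make the scanner app act, not the browser.
        warnings.append(f"non-web scheme {scheme or '(none)'!r}: review before acting")
        return {"scheme": scheme, "host": None, "path": "", "warnings": warnings}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("plain http: content can be altered in transit")
    if parts.username or parts.password:
        warnings.append(f"credentials before '@': the real host is {host}")
    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")
    if host in SHORTENERS:
        warnings.append("link shortener: destination hidden, resolve it before opening")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode label: internationalised domain, check for homoglyphs")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw IP address instead of a domain")
    if host in ("localhost", "127.0.0.1") or host.endswith(".local"):
        warnings.append("points at localhost or the local network")

    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            # Normalise digit-for-letter swaps and hyphens, then compare.
            norm = host.translate(CONFUSABLES).replace("-", "")
            if norm == exp.replace("-", "") or exp.split(".")[0] in host:
                warnings.append(f"lookalike of expected host {exp}: got {host}")
            else:
                warnings.append(f"host {host} is not {exp}")

    return {"scheme": scheme, "host": host, "path": parts.path, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, not real QR codes.
    samples = [
        ("https://concertsite.com/tickets", "concertsite.com"),
        ("https://c0ncertsite.com/tickets", "concertsite.com"),
        ("https://user:pw@paypal.com.evil.net/login", "paypal.com"),
        ("http://bit.ly/abc123", ""),
        ("https://localhost:8080/menu", ""),
        ("WIFI:T:WPA;S:cafe;P:secret;;", ""),
    ]
    for payload, expected in samples:
        report = inspect_payload(payload, expected)
        print(payload, "->", report["warnings"] or "no warnings")
```

Anything with a non-empty warning list is the point where you stop and copy the URL somewhere to look at it, or just ignore it; an empty list only means none of these cheap checks fired, not that the site is legitimate.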
Something like this is harder to sticker https://github.com/x-hw/amazing-qr
Been thinking for a while that it’s impossible that foreign spies don’t hang around D.C. just slapping a handful of these out at popular restaurants and watering holes. Kill the URLs after 24 hrs and do it again to stay less detected; you’d get something for lateral movement in any given weekend.
You do that when you want Hegseth’s phone, ASAP, for a few million.
You do this first to see if you can get there ahead of time for $1000.
“hello sir I am with big newspaper, great time last night, please save contact as big important newspaper guy”
Teach your followers never to trust a QR code that is printed on paper. Only on screens that are on trustworthy devices.
Browsers should probably warn whether a site on which you are filling forms with personal information or payment methods has been issued a certificate with KYC or not, and clearly state to which physical person or enterprise that certificate was issued.
Though I worry about the barrier for many people to get those certificates, and then the privacy concerns. It’s a balance between privacy and democracy and fighting scams. My guess is that browsers should only warn on certain websites, but which websites and how to detect them… that eludes me; it seems complex.