Subject: Re: Recognising (or not) QR codes
From: usenet (at) *nospam* arnowelzel.de (Arno Welzel)
Newsgroups: comp.mobile.android
Date: 06. Jul 2025, 11:50:35
Message-ID : <mcv2npF7rf1U1@mid.individual.net>
References : 1 2 3 4 5 6 7 8 9 10 11

Frank Slootweg, 2025-07-03 21:31:

> Carlos E.R. <robin_listas@es.invalid> wrote:
>> On 2025-07-03 15:41, Frank Slootweg wrote:
>>> [...]
>>> So QR codes are multi-purpose, *some* are dangerous, but others
>>> *enhance* security/safety/privacy/<whatever>! :-)
>>
>> And AFAIK, the danger is only when opening an URL without pausing.
>
> Indeed. VanguardLH sort of implied that there are QR scanning apps (or
> QR scanning parts of camera, etc. apps), which directly open the URL
> without pausing, but didn't give details, so for the moment that's FUD.

An URL itself is never "dangerous" - because if you assume that, then
*all* links in the web are dangerous as well if you do not check where
the link will bring you before clicking it.

In fact the danger comes from trusting an URL to be a known website,
where you usually enter your account details to get access to your
e-mail account, bank account or similar. That's one of the reasons why
you should never open the website for online banking using a provided
third party QR code, since you can never know if the URL is trustworthy.

And since we have Unicode nowadays and IDN domains, it may be possible
to substitute single letters by very similar looking Unicode symbols, so
the URL still looks legit, even though it brings you to a fake phishing
website.

So the better approach is to enter the URL of your bank account or
webmail always manually or use a bookmark for that which you have
created on your own before. The problem of phishing on the other hand is
at least partly mitigated by using 2FA, TOTP (time-based one-time
password) or Passkey - in this case the username and password are not
enough, since you still need the second factor, the TOTP, or the browser
needs to provide a valid key for the Passkey authentication. And Passkey
won't work at all on fake websites since the authentication with Passkey
is only registered for the original website and won't work on a fake
website with a different domain.

-- 
Arno Welzel
https://arnowelzel.de
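
The IDN look-alike substitution described in the post above can be surfaced before a scanned URL is opened. The following is an added example, not part of the original post: it converts the host to its ASCII (`xn--`) form and flags labels that mix scripts. The function names and sample payloads are assumptions made for illustration, and the script test is a heuristic based on Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit

def label_scripts(label):
    """Scripts used by the letters of one DNS label. The script is approximated
    by the first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_qr_url(payload):
    """Report what a QR-decoded URL really points at, before anything opens it."""
    result = {"ascii_host": None, "unicode_host": None, "warnings": []}
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname
    except ValueError:
        parts, host = None, None
    if parts is None or parts.scheme not in ("http", "https") or not host:
        result["warnings"].append("not an http(s) URL")
        return result
    try:
        # Round-trip through IDNA so xn-- input and raw Unicode input are treated alike.
        ascii_host = host.encode("idna").decode("ascii")
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        result["warnings"].append("host is not a valid IDN")
        return result
    result["ascii_host"], result["unicode_host"] = ascii_host, unicode_host
    if unicode_host != ascii_host:
        result["warnings"].append("internationalized host, shown in ASCII as " + ascii_host)
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:  # heuristic: also fires on legitimate mixes such as Japanese
            result["warnings"].append(
                "label %r mixes scripts: %s" % (label, ", ".join(sorted(scripts))))
    return result

if __name__ == "__main__":
    # Constructed sample payloads; the second has CYRILLIC SMALL LETTER A in place of "a".
    for sample in ("https://example.com/login", "https://ex\u0430mple.com/login", "WIFI:S:net;;"):
        print(repr(sample), inspect_qr_url(sample))
```

A host written entirely in one non-Latin script passes the mixed-script test and is reported only by the internationalized-host warning, so the ASCII form is what to compare against the expected domain.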