Smartphone users could be exposing their phone to security threats when they scan QR codes, according to NGS Secure.
“The concern with QR codes currently is that control is taken out of the users’ hands,” says Paul Vlissidis, technical director at NGS Secure. “There is no indication on the code itself of the URL you are being transferred to, so no way of checking in advance whether it looks genuine. Even more worryingly, while a computer will warn you if you have clicked on a link to an unverified site, a smartphone will take you there directly.
“QR codes on billboards are surprisingly easy to manipulate – all it takes is for a fraudster to place a sticker over the existing code, and unsuspecting users can be directed anywhere. Malicious sites can start downloading malware to a device without buttons being pressed or files opened.
“There’s a clear convenience factor for drivers who can pay for their parking with the swipe of a handset – but here, again, there are security vulnerabilities that appear to have been overlooked in the rush to embrace a new trend. Without a verification from the phone that the site is genuine, how will a customer tell the difference between a real site and a malicious one that has been set up to ‘farm’ credit card details?
“To wait until an incident occurs before fixing a faulty system is irresponsible. The onus is on smartphone manufacturers to enhance the security of devices now, allowing users to opt out of suspect sites, or take the risks into their own hands.”
We put NGS’s concerns to QR code specialist Scanbuy. MD Dave Marutiak told us: “A QR or 2D barcode cannot directly be a virus, and the code reader app can only take you to the source, not launch a subsequent action. In many ways clicking on a QR code is much the same as clicking a bitly or tinyURL link – you go there on trust according to the information you have surrounding the link, and you can decide what content you want to access after arriving at that link. Scanbuy runs a managed platform so the codes can be changed or deactivated any time, which is one of the main benefits over freeware code generators.”
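Both sides above describe the same gap from different angles: the decoded payload is acted on before the user has seen it, and a shortened link gives no hint of where it leads. The check below is an added example, not code from NGS Secure, Scanbuy or the article: it shows the inspection step a reader app could run on the decoded string before opening anything, surfacing the destination host and the properties a user would want flagged (plain HTTP, a bare IP address, a `user@host` trick that hides the real host, a link shortener, an internationalised domain, a non-web scheme that triggers an app action). The shortener list and the sample payloads are constructed for illustration; nothing is fetched or launched.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a small illustrative set of public link shorteners, not a vetted feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Anything that starts like "scheme:" is treated as a URI; everything else is free text.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and gather what a user should see before
    anything is opened. Pure string inspection: nothing is fetched or launched."""
    text = payload.strip()
    result = {"kind": "text", "payload": text, "scheme": None, "host": None,
              "display": text, "warnings": []}
    m = _SCHEME_RE.match(text)
    if not m:
        return result                       # no scheme: plain text, show it as-is
    scheme = m.group(1).lower()
    result["scheme"] = scheme
    if scheme not in ("http", "https"):
        # Non-web URIs (tel:, sms:, market:, Wi-Fi join strings, custom app schemes)
        # can trigger an action other than a page load, so they always get a warning.
        result["kind"] = "uri"
        result["warnings"].append(f"non-web scheme '{scheme}' may trigger an app action")
        return result

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()   # hostname strips userinfo, port and brackets
    result.update(kind="url", host=host,
                  display=f"{scheme}://{host}{parts.path or '/'}")
    warn = result["warnings"].append
    if scheme != "https":
        warn("not HTTPS")
    if not host:
        warn("empty host")
    if parts.username is not None:
        warn("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)          # accepts IPv4 and IPv6 literals
        warn("host is a bare IP address")
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        warn("link shortener: real destination unknown until followed")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warn("internationalised host: check for look-alike characters")
    try:
        port = parts.port                   # raises ValueError on a non-numeric port
    except ValueError:
        port = None
        warn("malformed port")
    if port not in (None, 80, 443):
        warn(f"non-standard port {port}")
    return result


def should_prompt(result: dict) -> bool:
    """A reader app should show the destination and ask before acting unless the
    payload is a plain HTTPS URL with nothing suspicious about it."""
    return result["kind"] != "url" or bool(result["warnings"])


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would hand them over.
    for sample in ("https://www.example.com/parking/pay?lot=7",
                   "http://bit.ly/3xYzAbC",
                   "https://bank.example@203.0.113.5/login",
                   "WIFI:T:WPA;S:cafe;P:secret;;"):
        r = inspect_qr_payload(sample)
        flag = "ASK FIRST" if should_prompt(r) else "ok"
        print(f"{flag:9} {r['display']}  {'; '.join(r['warnings'])}")
```

The decision is deliberately conservative: only an HTTPS URL with a plain ASCII host, no credentials in the authority, no shortener and a standard port is treated as something a reader could open without a prompt, and even then the display string shows the host the browser will actually contact rather than whatever text surrounds the code.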