From Codes to Caution: Navigating the Tech and Security of QR and NFC

Written By: Shaafi Usman

In a world increasingly driven by digital technology, QR Codes and NFC Technology have become indispensable tools for connecting the physical and digital world. While they offer convenience these technologies also present security vulnerabilities. Being aware of these risks can help users take proactive steps to safeguard their privacy. Whether scanning a QR code or tapping an NFC-enabled device, individuals should be vigilant about verifying the source and considering their environment before interacting with them.

Technical Aspects of QR Codes and NFC Technology

QR Codes:

QR Codes, or Quick Response Codes, are two-dimensional barcodes capable of storing much more data than traditional barcodes, which hold around 1,556 bytes. In contrast, a QR Code can store up to 7,089 numeric characters, 4,296 alphanumeric characters, 2,953 bytes, or 1,817 Kanji characters (Ankhi, 2024).

This flexibility is achieved through four standardized modes of encoding:

• Numeric

• Alphanumeric

• Byte or binary

• Kanji

Every QR code consists of a detailed arrangement of black and white squares, which devices interpret to retrieve the encoded information. In this binary system, each black square signifies an "on" pixel, while the white squares represent an "off" pixel. This combination of zeros (white) and ones (black) effectively conveys the data stored within the code.

To enhance scanning accuracy, QR codes feature three larger square markers, known as the "eyes," strategically located at the top left, top right, and bottom left corners. These markers help scanners quickly identify the code's orientation, ensuring efficient and precise decoding.

NFC Technology:

NFC use wireless technology to enable data exchanges between devices within a 4-centimeter range. NFC enables small amounts of data to transfer quickly between devices, making it ideal for contactless payments and access cards (Alachi, 2024).

NFC tags come in two varieties: active and passive.

• Passive NFC tags are small, power-free devices that can only send information when read by an NFC-enabled gadget, making them ideal for access control, document tracking, and supply chain management.

• Active NFC tags have built-in power, transmitters, and receivers, allowing them to both send and receive data. These tags are typically found in devices like smartphones, enabling tasks such as data transfer and communication.

An NFC communication system comprises two key components: an NFC reader chip and an NFC tag. The reader chip serves as the active element, processing information and initiating specific responses. It supplies power and sends commands to the passive NFC tag.

Together, the NFC chips in both the reader and tag facilitate short-range, wireless communication when connected to the appropriate antenna. This close-proximity interaction enhances security, allowing only devices within a short distance to exchange information via NFC. For instance, NFC chips can be embedded in contactless payment cards and terminals for secure transactions

Security Features and Vulnerabilities of QR Codes

QR codes offer significant convenience but their vulnerability to tampering and exploitation presents notable security risks. Hackers can easily replace legitimate QR codes with counterfeit ones leading users to harmful websites that automatically download malware. This malware can then infiltrate devices, accessing sensitive information such as contacts, location data, and even monitoring user activity, raising serious privacy concerns (Gupta, 2024). Attackers often place fake QR codes on public posters or advertisements, tricking users into scanning them. These counterfeit codes may redirect to phishing sites that request login credentials or financial information, or even trigger malware downloads that spy on activity, access clipboard history, or lock devices for ransom (Compumatik, n.d.).

The potential for QR codes to share personal data also raises security concerns. Scanning a code might prompt users to enter sensitive details such as names, addresses, or payment information. The Government of Canada (2024) cautions that websites can use cookies to track online behaviour and collect metadata like IP addresses and device types, heightening privacy risks. If cybercriminals obtain this information, they could exploit it for phishing scams, identity theft, or malware attacks aimed at financial information.

While QR codes enable quick access to digital content, awareness of their risks is crucial. Users should verify the legitimacy of a QR code before scanning, avoid sharing sensitive information unless confident in a website's security, and use protective tools to safeguard devices from malware. Taking these proactive steps can help mitigate these vulnerabilities.

Security Features and Vulnerabilities of NFC Technology

NFC tags are generally considered more secure than QR codes, thanks to encryption that protects sensitive information like payment data, making unauthorized access more difficult (Alachi, 2024). However, the reliance on short-range communication introduces some limitations. NFC requires the receiving device to be closely aligned with the tag for successful data transfer. For example, even a slight misalignment between the device and the tag can disrupt the connection, which makes hacking attempts like signal interception less likely (Chandler, 2012). Despite this, in busy settings like crowded transit systems, the need for precise positioning may become inconvenient, affecting usability.

The technology also has some drawbacks related to cost and security. For businesses, equipping employees with NFC-enabled devices can be expensive, although costs are expected to decrease as adoption increases. For individual users, risks include the possibility of unauthorized contactless payments if a phone is lost or stolen. While most devices impose transaction limits to reduce financial losses, the threat of misuse remains.

NFC security risks, though relatively minor, include data tampering, eavesdropping, and relay attacks, where intercepted data is used for malicious purposes (Higgins, 2023).

There’s also the potential for NFC tag cloning, which could allow unauthorized access to restricted areas or devices. However, NFC is still considered more secure than traditional chip-and-pin methods, as physical cards can be more easily stolen and used compared to encrypted NFC data.

Conclusion

Both QR codes and NFC tags offer convenience but come with distinct security risks. QR codes are prone to tampering, leading to malware, phishing, and data breaches, especially in public areas where fake codes can be easily placed. NFC tags, while more secure due to encryption and short-range communication, still face risks like data tampering, unauthorized access, and cloning.

User awareness plays a key role in reducing these risks. Whether scanning a QR code or using an NFC-enabled device, it’s essential to verify the source and be mindful of the environment before interacting with the technology. By understanding potential threats and practicing safe habits; such as checking the legitimacy of codes and safeguarding personal information. Users can better protect themselves from security breaches.

In an increasingly digital world, awareness is the first line of defence.

Reference List

Alachi, A. (2024, May 2). NFC Card Security. NFC Tagify. NFC Solutions Ltd.  https://nfctagify.com/blogs/news/nfc-card-security#.   

Ankhi. (2024, September 4). The Ultimate Guide to QR codes: Everything you need to know. Uniqode Phygital, Inc. Denso Wave Incorporated. https://www.uniqode.com/blog/qr-code-basics/comprehensive-guide-to-qr-code#.   

Chandler, N. (2012, February 26). How secure is NFC Tech?. HowStuffWorks. https://electronics.howstuffworks.com/how-secure-is-nfc-tech.htm# 

Compumatik. (n.d.). Be Careful When Scanning QR Codes – There’s a New Scam Going Around! The Technology Press. https://www.compumatik.com/be-careful-when-scanning-qr-codes-theres-a-new-scam-going-around/  

Government of Canada. (2024, January 16). Security considerations for QR codes ITSAP.00.141. Canadian Centre for Cyber Security. https://www.cyber.gc.ca/en/guidance/security-considerations-qr-codes-itsap00141 

Gupta, D. (2024, September 20). QR Codes Exploitation: How to Mitigate the Risk?. Uniqode Phygital, Inc. Denso Wave Incorporated. https://www.uniqode.com/blog/qr-code-security/qr-codes-exploitation#.   

Higgins, M. (2023, August 10). NFC security: 10 security risks you need to know. NordVPN. https://nordvpn.com/blog/nfc-security/