Now that we've all become accustomed to using QR codes to check in at venues, cyber security experts are warning Australians to keep in mind the risks of scanning the blocky black and white symbols.
Luis Corrons, a security expert with cyber firm Avast, said the company has seen an uptick in QR code scams since COVID-19 brought the nascent technology back into the spotlight.
"QR codes can lead you to fraudulent websites set up by scammers to capture your personal information or install dangerous fake ‘tracking’ apps that include malware," Corrons said.
"Only scan QR codes, including restaurant menus, in prominent locations or as directed by business staff, and only download government tracking apps directly from government websites."
Most Australian states have included QR readers with government apps for easy check-in at venues that display the state-sanctioned QR code – but in some cases venues still require patrons to scan codes which direct users to third-party websites.
Director of RMIT's Centre for Cyber Security Research and Innovation, Professor Matt Warren, said the rush to implement QR codes in hospitality settings may have consequences if we aren't careful.
"Sometimes we start using a new technology but don't realise implications or risks that go along with it," he told Information Age.
"There's been a lot of uncertainty around QR codes.
"Part of that probably arose because the government didn't step up to say 'here's a national registration system'.
"Instead organisations have gone off and done their own things – they've Googled 'qr code' and installed systems without knowing if it's the best."
Venue check-in lists have been a valuable tool for contact tracing teams over the last year – far more so than the COVIDSafe app, which identified only 17 unique cases of COVID-19 in its first six months of operation.
In the same period, the Digital Transformation Agency spent $5.8 million on the app's development and web hosting.
QR codes turned out to be a much more useful and common method of assisting contact tracers than always-on Bluetooth, which is still the main tracing feature of COVIDSafe.
Would you like data theft with that?
A side effect of our reliance on QR codes for coronavirus-compliant check-ins is gradual habituation, as Australians get used to seeing and scanning the codes.
In China, QR codes have underpinned the digital economy by letting customers pay for items in-store using linked mega-apps like WeChat.
But while Australians are starting to make purchases prompted by QR codes, Professor Warren suggests the experience is still too new to be fully secure here.
"Because QR code payments are embedded into actual apps like WeChat, the security is in the app itself," he said.
"In Australia we don't tend to use apps like that, so this is very much a new experience.
"For example, if you are at a pub and scan a code to order drinks, it might take you to a separate website or prompt you to download another app.
"This is where problems come in because if you've installed an app, you don't know if it could be malicious and gain access to your contact list, phone details, and have access to other apps like messages or emails.
"But I think the biggest problem is with third-party payment systems because there is the risk of person-in-the-middle attacks that could capture credit card information."