I saw this on a First Capital Connect train here in the UK. What could possibly go wrong?
Ignoring the horrible marketing-speak “Engage with this poster” header, several things can go wrong. I didn’t have NFC, so I couldn’t try that out. But scanning the QR code took me to http://kbhengage.zpt.im/u/aCq58 which, at the time, was advertising for… Just Eat. Not villaplus.com. Oops.
Similarly, texting “11518” to 78400 produced:
Thanks for your txt, please tap the link: http://kbhengage.zpt.im/u/b6q58 Std. msg&data rates may apply Txt STOP to end Txt HELP for help
which also produced content which did not match the displayed poster.
So clearly, the first risk is that the electronic interactive bits are not part of the posters themselves, and so the posters can be changed without the interactive parts being updated to match.
But also, there’s the secondary risk of QR codes – they are opaque to humans. Someone can easily make a sticker and paste a new QR code on top of the existing one, and no-one would see anything immediately amiss. But when you tried to “engage with this poster”, it would then take you to a website of the attacker’s choice.
Indeed. Arguably all QR-related apps should prompt the user before visiting the linked site, though the same could also be said about bit.ly and such like. The “Monmouthpedia” project, in which QR codes pointing to Wikipedia articles have been plastered around the town, is an example of the possibly misplaced trust in these things, given the obvious sticker attack that you mention. It is only one example of many, of course, but I mention it because it involved public expenditure and the locations included public buildings.
P.S. in the Monmouthpedia example, it seems that the codes pointed to a MITM domain that was privately owned by an individual volunteer at the time, and that the council didn’t realise this when they had the plaques installed. In the event it was all bona fide and the domain has since been transferred to a subsidiary of Wikimedia, but if QR-codes had been human-readable then the council might have been in a better position to decide whether the destination URL was appropriate in principle.
Ideally you would just display the human-readable URL written and your smartphone would OCR it for you. Obviously QR codes are more reliable at present, but the existence of this expedient alternative must surely be detracting from effort into the necessary OCR reliability improvements.
Ye gods, bit.ly have changed their clean interface into an all-singing, all-dancing monstrosity.
Anyway, if you add a plus at the end of a bit.ly link, like this
http://bit.ly/1gC5tV2+
, then bit.ly will display the target of the shortcut, and some statistics about how often it's been visited. For other redirectors, use wget with redirections prohibited, like this
csm@laptop:~$ http://bit.ly/1gC5tV2+
--2015-02-19 21:30:25-- http://bit.ly/1gC5tV2
Resolving bit.ly (bit.ly)… 69.58.188.39, 69.58.188.40
Connecting to bit.ly (bit.ly)|69.58.188.39|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://bit.ly/ [following]
0 redirections exceeded.
csm@laptop:~$
Oops, the command line in the previous post should have been
csm@laptop:~$ wget --max-redirect=0 http://bit.ly/1gC5tV2
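The same "look before you leap" check that the wget command above performs, generalised to a whole redirect chain: the script below is an added example and is not code from the original post or from any of the commenters. It issues HEAD requests with redirect-following disabled, records each Location hop, and then compares the final host with the one printed on the poster, so a mismatch like the villaplus.com / Just Eat one in the post shows up before any browser visits the page. The live fetcher uses only the standard library; the FAKE_REDIRECTS table and its hostnames are constructed purely for an offline run and do not describe real bit.ly or zpt.im behaviour.

```python
"""Preview where a short link or QR-code URL leads without visiting it.

Added example; not code from the original post or its commenters.  The
FAKE_REDIRECTS table is constructed for an offline demonstration: its hosts
and paths are placeholders, not real bit.ly or zpt.im behaviour.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_live(url, timeout=10):
    """One HEAD request with redirects disabled: returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx (and any error status) lands here because we refused to follow it
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=fetch_live, max_hops=5):
    """Walk Location headers one hop at a time, recording every step.

    Returns a list of (url, status, location) tuples.  Stops at the first
    non-redirect response, after max_hops, or when a URL repeats (a loop).
    """
    chain, seen = [], set()
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative (RFC 7231)
    return chain


def final_host(chain):
    """Host the chain ends on (resolving a trailing Location if it still redirects)."""
    url, status, location = chain[-1]
    if status in REDIRECT_CODES and location:
        url = urljoin(url, location)
    return urlsplit(url).hostname


def matches_advertised(chain, advertised_host):
    """True only if the link really ends on the host printed on the poster."""
    host = final_host(chain) or ""
    return host == advertised_host or host.endswith("." + advertised_host)


# Constructed offline stand-in for the network: short link -> tracker -> wrong advertiser.
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://tracker.example/u/abc"),
    "http://tracker.example/u/abc": (302, "/landing?campaign=abc"),
    "http://tracker.example/landing?campaign=abc": (302, "https://www.other-advertiser.example/"),
    "https://www.other-advertiser.example/": (200, None),
}


def fetch_fake(url):
    """Offline replacement for fetch_live driven by the constructed table."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    chain = trace_redirects("http://short.example/abc", fetch=fetch_fake)
    for hop in chain:
        print("%-45s %s %s" % hop)
    print("final host:", final_host(chain))
    # The poster in the post advertised villaplus.com; this chain does not end there.
    print("matches villaplus.com?", matches_advertised(chain, "villaplus.com"))
```

To check a real poster, call `trace_redirects(url)` with the default `fetch_live`, which never follows a redirect on its own, so the only requests made are the HEADs you see in the returned chain. Capping `max_hops` and remembering visited URLs matters because tracking redirectors sometimes loop or chain through several hosts, and a chain that ends on an unexpected host (or never settles) is exactly the signal to treat a sticker-covered QR code as untrustworthy.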