| Deutsch English Français Italiano |
|
<mcv2npF7rf1U1@mid.individual.net> View for Bookmarking (what is this?) Look up another Usenet article |
Path: news.eternal-september.org!eternal-september.org!feeder3.eternal-september.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail From: Arno Welzel <usenet@arnowelzel.de> Newsgroups: comp.mobile.android Subject: Re: Recognising (or not) QR codes Date: Sun, 6 Jul 2025 12:50:35 +0200 Lines: 43 Message-ID: <mcv2npF7rf1U1@mid.individual.net> References: <457djl-m9c5.ln1@q957.zbmc.eu> <mcin6kF5upkU2@mid.individual.net> <hhndjl-bii5.ln1@q957.zbmc.eu> <ln5nvdl2qxrz$.dlg@v.nguard.lh> <92vejl-bft5.ln1@q957.zbmc.eu> <pbq03eupcvnb.dlg@v.nguard.lh> <1043hls$1kvvg$2@solani.org> <0b9gjlxfaq.ln2@Telcontar.valinor> <10468as.qpg.1@ID-201911.user.individual.net> <5stijlx3h.ln2@Telcontar.valinor> <1046sr7.7gk.1@ID-201911.user.individual.net> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Trace: individual.net X9ZccEnS15nows6MDPKWcga0BZjNBJ6HlTCAIg1nyV03TFcSGx Cancel-Lock: sha1:lG8EsZf4v+qo9M83MLTVhT0+wmo= sha256:3XIU/qVHmD9f/mbgCYmI+EpnBScZldYNvx/8G/Ke1Os= Content-Language: en-US, de-DE In-Reply-To: <1046sr7.7gk.1@ID-201911.user.individual.net> Frank Slootweg, 2025-07-03 21:31: > Carlos E.R. <robin_listas@es.invalid> wrote: >> On 2025-07-03 15:41, Frank Slootweg wrote: [...] >>> So QR codes are multi-purpose, *some* are dangerous, but others >>> *enhance* security/safety/privacy/<whatever>! :-) >> >> And AFAIK, the danger is only when opening an URL without pausing. > > Indeed. VanguardLH sort of implied that there are QR scanning apps (or > QR scanning parts of camera, etc. apps), which directly open the URL > without pausing, but didn't give details, so for the moment that's FUD. An URL itself is never "dangerous" - because if you assume that, that *all* links in the web are dangerous as well, if you do not check, where the link will bring you, before clicking it. In fact the danger comes from trusting an URL to be a known website, where you usually enter your account details to get access to your e-mail account, bank account or similar. That's one of the reasons why you should never open the website for online banking using a provided third party QR code since you can never know, if the URL is trustworthy. And since we have unicode nowadays and IDN domains, it may be possible to substitude single letters by very similar looking unicode symbols, so the URL still looks legit, even though it brings you to a fake phishing website. So the better approach is to enter the URL of your bank account or webmail always manually or use a bookmark for that which you have created on your own before. The problem of phishing on the other hand is at least partly mitigated by using 2FA, TOTP (time-based one-time password) or Passkey - in this case the username and password and not enough, since you still need the second factor, the TOTP or the browser needs to provide a valid key for the Passkey authentication. And Passkey won't work at all on fake websites since the authentication with Passkey is only registered for the original website and won't work on a fake website with a different domain. -- Arno Welzel https://arnowelzel.de