Productivity | 7 min | Updated May 8, 2026

QR codes: how they work, use cases and security risks

The QR code — Quick Response code — has become ubiquitous since the 2020 pandemic. Restaurant menus, mobile payments, plane tickets, two-factor authentication, parcel tracking: this small black-and-white square is a universal gateway between the physical and digital worlds. Invented in 1994 by engineer Masahiro Hara at Denso Wave for car parts tracking, it took 25 years to conquer the mainstream — and with that popularity came new threats.

How a QR code works

A QR code is a two-dimensional matrix that encodes binary data according to the ISO/IEC 18004 specification. Each module (black or white square) represents a bit. The three large corner squares are used for position detection: they let the scanner locate and orient the code, even if the photo is taken at an angle or upside down.

The QR version determines capacity: version 1 (21×21 modules) can contain up to 25 alphanumeric characters, version 40 (177×177 modules) up to 4,296 characters. For a standard URL, version 3 to 7 is ample.

An essential feature is error correction (Reed-Solomon algorithm): four levels (L, M, Q, H) allow recovery of 7%, 15%, 25% or 30% of damaged modules, respectively. This is why a QR code remains readable even with a logo in the center or an ink stain.

Major use cases

  • URL: the most common. A simple https:// link encoded in the square.
  • Payment: in apps like Payconiq (Belgium), WeChat Pay (China), PIX (Brazil), the QR contains the beneficiary identifiers and sometimes the amount.
  • Wi-Fi: format "WIFI:T:WPA;S:NetworkName;P:password;;" to share access without dictating the password.
  • Business card: vCard format automatically adding the contact to the address book.
  • 2FA authentication: apps like Google Authenticator read a QR containing the TOTP secret encoded in base32.

Security risks: "quishing"

Since 2022, European authorities have warned about "quishing", a contraction of "QR" and "phishing". The principle is simple: replace a legitimate QR code with a malicious one that redirects to a site impersonating a bank, operator or public service. Documented cases:

  • Malicious stickers pasted over parking meter QRs, redirecting payment to a fake site.
  • Phishing emails containing a QR (image) rather than a clickable link, to bypass filters that analyze textual URLs.
  • QR codes distributed as flyers in mailboxes, pretending to come from an administration and requiring "urgent payment".

The danger is real because the user only sees the URL after scanning, by which point curiosity has already taken over. Some smartphones display the URL before opening it: checking it at that moment is essential.

User best practices

  • Always read the URL before opening: your scanner must display the full link before navigating.
  • Be suspicious of QRs in public places: check that the code is not pasted over another one (a sticker is easy to spot by eye or touch).
  • Never scan a QR received by unsolicited email or SMS, particularly if it requests urgent action or payment.
  • Prefer manual entry for sensitive operations: type your bank's URL rather than scanning even an "official" QR.
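
What "read the URL before opening" can look like inside a scanner or a mail filter, as an added example (not code from this site's generator): it classifies the text decoded from a QR code using the payload types listed above and shows the parsed host rather than the raw string. The function names, the warning heuristics and every sample payload are assumptions made for illustration.

```javascript
// Added example: triage the text decoded from a QR code before acting on it.
// The heuristics and all sample payloads are constructed for illustration.

// Parse "WIFI:T:WPA;S:name;P:pass;;" honouring backslash escapes (\; \: \\).
function parseWifi(payload) {
  const fields = {};
  let key = '', buf = '', inKey = true;
  for (let i = 5; i < payload.length; i++) {
    const c = payload[i];
    if (c === '\\' && i + 1 < payload.length) buf += payload[++i];
    else if (inKey && c === ':') { key = buf; buf = ''; inKey = false; }
    else if (c === ';') { if (!inKey) fields[key] = buf; buf = ''; inKey = true; }
    else buf += c;
  }
  return fields;
}

function inspectQrPayload(text) {
  const t = text.trim();
  if (/^WIFI:/i.test(t)) {
    const f = parseWifi(t);
    const open = !f.T || f.T.toLowerCase() === 'nopass';
    return { type: 'wifi', show: `Join Wi-Fi "${f.S || '(unnamed)'}"`,
             warnings: open ? ['open network: traffic is not encrypted'] : [] };
  }
  if (/^BEGIN:VCARD/i.test(t)) return { type: 'vcard', show: 'Add contact', warnings: [] };
  let url;
  try { url = new URL(t); } catch { return { type: 'text', show: t, warnings: [] }; }
  if (url.protocol === 'otpauth:') {
    return { type: 'totp', show: `2FA enrolment: ${url.pathname.slice(1)}`,
             warnings: ['carries a TOTP secret: treat the image like a password'] };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { type: 'other-uri', show: t, warnings: [`non-web scheme ${url.protocol}`] };
  }
  const warnings = [];
  if (url.protocol === 'http:') warnings.push('no TLS (http)');
  if (url.username) warnings.push('text before "@" is not the site name');
  if (/^\d+(\.\d+){3}$/.test(url.hostname) || url.hostname.startsWith('['))
    warnings.push('raw IP address instead of a domain');
  if (url.hostname.split('.').some((label) => label.startsWith('xn--')))
    warnings.push('punycode label: the name may imitate another');
  // Show the parsed host, not the raw string, so the user reads the real destination.
  return { type: 'url', host: url.hostname, show: `Open ${url.hostname}`, warnings };
}
```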

Generating a QR code properly

To create a QR for your own use (guest Wi-Fi, business card, portfolio link), a client-side generator is the cleanest solution: no server storing your data, no redirection through a third party that could change the link later, no tracking.

Beware of "dynamic QR codes" offered by some platforms: they encode a link to an intermediate server that then redirects to the real URL. This is handy for changing the destination after printing, but it is a centralization point that can be compromised or shut down. For durable uses (business card printed in 5,000 copies), a static QR to a domain you control is more robust.

Our QR code generator produces static QRs directly in your browser. The entered URL never leaves your device, and the downloaded file can be printed or shared without external dependency.
