Mobile Marketing Meets Security

It's a maexotic world ...

QR-Code in a window Stickers, like the one in the image to the right, can be seen in windows of branch offices of a bank here in Munich throughout the city.

In case you don't know, this is a QR-code (Quick Response code), a 2-dimensional bar code, which can store an amazing amount of information.
Despite the fact that the code was invented in 1994 already, it became widely used since about 2007. As most mobile phones have a camera it was obvious to have a code to encode information like URLs in and a program that scans the code from the camera and hands it over to a web browser. This mobile tagging is quite popular and so the marketing department of the bank probably decided to use it to "go mobile". So it isn't much astonishing that the QR-code links to a mobile website of that bank.

QR-codes are also very fault tolerant, so one can turn it into very nice badges, which are still functional. The article »SnapTags: Will they kill QR codes?« of the folks over at has some nice examples for this.

The problem however is that QR-codes aren't human readable at all. As the sticker of the bank is on the outside of the window it can be very easily replaced or modified and the link will lead one to a totally different site.

Above are three examples of QR-codes of websites. Do you think you can memorize one of the codes in a way that you can locate it again by heart from a larger set or even notice changes? I for sure cannot.

So what will happen if you replace or modify the QR-code of the bank in some highly frequented public locations to point to a website with critics about that bank or to a sex website? Will they notice? How long will it take them to notice? How big will the damage be?

How about if the link leads to a website installing some virus, trojan horse or key logger app on the mobile phones. It must be save, the bank has it on their window, so they guarantee for the security, right? Maybe this is some fancy banking promo app, so yes, people will install it.
Will the bank be held liable for damage?