QR code security risks: How to implement secure and accurate contact tracing

By Maddy Glynn, Digital Marketing Specialist
Published on August 10, 2020

The COVID-19 pandemic has led to a resurgence in the popularity of QR codes. This once maligned technology that many passed off as a marketing gimmick has taken a frontline role in the ongoing effort to stop the spread of the coronavirus.

While many have sought a quick-fix QR code to gather data from customers, there are important security considerations that all businesses must weigh before implementing such a contact tracing solution.

What are the risks associated with QR codes?

Despite the rapid rise in popularity of QR codes over the last few years, the uptake and willingness of the general public to scan and utilise them have long lagged behind. This resistance has been driven in large part by security concerns, in addition to the lack of scanning capabilities within native smartphone camera apps – an issue only recently solved in Apple’s iOS software.

Security of QR codes

QR codes, particularly those printed on posters, are static and open to exploitation by cybercriminals. It is simple for someone to place their own QR code over a poster and send users to a different website. Further, there is no validation that the website you are being directed to is legitimate.

This practice is called QR spoofing or QRL-jacking and while your QR reader may show you a preview of the URL you are navigating to, shortened URLs such as are frequently used to hide the final destination of that QR code.

Native Scanning

The behaviour of scanning QR codes has struggled to become instinctive for users. This has long been hindered by the lack of native scanning capability within smartphone operating systems like iOS and Android. The need for users to download a third-party app, just to scan a code that will direct them to a URL has been a significant hurdle to the widespread adoption of the technology.

The capability was recently added to the native iPhone camera app; however, it is yet to be widely adopted across Android, driven in large part by the fragmentation of Android operating systems across devices. This makes it near impossible to rely on QR codes alone, with large portions of the population unable to utilise them.

Limitations of QR codes for contact tracing

QR codes have offered a quick and convenient way to implement contact tracing procedures as countries around the world battle to control the spread of COVID-19. However, a QR code-based contact tracing system still requires careful consideration of proximity issues, usability and data privacy concerns.

In the rush to roll out contact tracing solutions, many have failed to consider crucial elements of the system, resulting in incomplete solutions that have, in themselves, given rise to new risks.

The importance of accuracy and proximity

As we have seen in recent months, the risk of a second wave of infections is ever-present. As cities look to re-open and kickstart their economic recovery, the safest return to work is one that is supported by fast and accurate contact tracing data when new cases are inevitably identified.

Systems built around scanning of QR codes are susceptible to inaccurate and unreliable data. As the old adage in statistics says – “garbage in, garbage out”. In order to contact trace effectively, systems must be used that have been built to mitigate these weaknesses.

Proximity Checks

A basic QR code poster can be scanned by anyone, regardless of where they are in the world. This means that if a QR code is photographed and circulated, through social media for example, then anyone who has access to that photo could scan it and check in to that location. This could lead to countless false check-ins to a site, negating the efficacy of contact tracing data.

Completeness of data

While checking in to a location is one part of the contact tracing equation, it’s just as important to know when someone left.

Check-in posters may work to gather details on entry, but without the right system in place, many people may walk out without again scanning and checking out of the location. This can result in incomplete records of movements throughout a location.

Identity and data verification

Many governments have mandated that businesses collect contact information from everyone who enters their site as part of COVID-safe reopening plans. However, early research suggests that as many as 1 in 10 people have given incomplete or deliberately inaccurate details. This means that when cases are identified, potential contacts cannot be reached, opening up the risk of further spread going unchecked.

Data security, privacy and compliance

Consumers are becoming increasingly cautious about who is collecting their information and how it will be used. Many consumers have already cited concerns their data will be used for marketing purposes or sold by those collecting it as reasons they have provided false information to contact tracing registers.

Furthermore, in collecting personal information, businesses themselves are subject to relevant privacy legislation such as the GDPR and the Australian Privacy Act. If businesses collect these details without compliant processes in place for the handling of that data, they are exposing themselves to significant risk resulting from any accidental breaches of this legislation.

A framework for secure, reliable contact tracing with QR codes

Here at Sine, we are leaders in the field of visitor, contractor, staff and workplace management. Our industry-leading solutions have been developed over many years with a continued focus on building effective, secure and compliant systems for our clients.

In our ongoing efforts to support businesses and organisations through COVID-19, we have applied this expertise and leveraged our platforms to provide solutions that will offer the strongest protections for managing the ongoing threat of COVID-19.

Using our Sine Pro mobile app, we are able to create a closed ecosystem for QR code scanning and contact tracing. The app is free, secure and available for both iPhone and Android users.

Protection against QR code security risks

With the Sine Pro mobile app, only QR codes that contain check-in details can be scanned and actioned. This protects users entering your business from risks such as QR spoofing and QRL-jacking.
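A scanner that acts only on recognised check-in codes can be sketched as below. This is an added example, not Sine's code: the host `checkin.example.com`, the `/site/<id>` path format and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed for illustration: the real check-in URL format is not given on the page.
ALLOWED_HOSTS = {"checkin.example.com"}
SITE_PATH = re.compile(r"/site/([A-Za-z0-9]{8,32})")


def parse_checkin_qr(payload: str):
    """Return the site ID for a well-formed check-in code, else None."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    # Reject "https://trusted-host@other-host/..." style userinfo tricks.
    if parts.username is not None or parts.password is not None:
        return None
    # Exact host match: suffix or substring checks would accept look-alikes.
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return None
    if parts.query or parts.fragment:
        return None
    match = SITE_PATH.fullmatch(parts.path)
    return match.group(1) if match else None


# Constructed sample payloads, as a scanner might decode them.
SAMPLES = [
    "https://checkin.example.com/site/AbC123xyZ9",                # genuine
    "https://short.example/x7Qp",                                 # shortened link
    "https://checkin.example.com@other.example/site/AbC123xyZ9",  # userinfo trick
    "https://checkin.example.com.other.example/site/AbC123xyZ9",  # look-alike host
    "http://checkin.example.com/site/AbC123xyZ9",                 # not HTTPS
    "WIFI:S:guest;T:WPA;P:constructed;;",                         # not a URL at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("ACCEPT" if parse_checkin_qr(s) else "IGNORE", s)
```

Because the scanner never opens an arbitrary decoded URL, a sticker placed over the poster results in an ignored scan instead of a redirect.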

Verify the proximity of check-ins and automatic check-out prompts

When a user scans your QR code using Sine Pro, the system checks against the geofenced location of your site, ensuring that only people who are physically present on your site can check in. This geofence also ensures that when people leave your location they are reminded to check out, or they can even be automatically checked out when they leave the geofenced area.

Sine does not track or keep a record of your movements, other than simply creating a “pass” when you enter a site. There is no other record of your movements.

This ensures your contact tracing register is accurate and only contains people who have physically been on-site, while also providing the complete picture with check-out information too.
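The geofenced check-in and automatic check-out described above can be modelled as follows. This is an added example, not Sine's implementation: the circular fence, the 50 m accuracy threshold, the coordinates and all names are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000
MAX_ACCURACY_M = 50  # assumed threshold: ignore fixes vaguer than this


@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = radians(lat1), radians(lat2)
    dl = radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def is_on_site(fence, lat, lon):
    return distance_m(fence.lat, fence.lon, lat, lon) <= fence.radius_m


class Register:
    """Stores only entry and exit times per pass, never coordinates."""

    def __init__(self, fence):
        self.fence = fence
        self.on_site = {}  # user -> check-in time
        self.passes = []   # completed (user, time_in, time_out)

    def check_in(self, user, ts, lat, lon, accuracy_m):
        # A scan of a circulated photo fails here: the device is not on site.
        if accuracy_m > MAX_ACCURACY_M or not is_on_site(self.fence, lat, lon):
            return False
        self.on_site.setdefault(user, ts)
        return True

    def location_update(self, user, ts, lat, lon, accuracy_m):
        """Automatically check out a user whose device has left the fence."""
        if user not in self.on_site or accuracy_m > MAX_ACCURACY_M:
            return False  # unknown user, or fix too vague to act on
        if is_on_site(self.fence, lat, lon):
            return False
        self.passes.append((user, self.on_site.pop(user), ts))
        return True


SITE = Geofence(-37.8136, 144.9631, 100)  # constructed: 100 m fence, central Melbourne
```

The coordinates are reported by the visitor's device, so this check filters out scans of a circulated photo but does not by itself stop a user who deliberately falsifies their location.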

Verifying identity and contact details

Users only need to set up their profile and details once, when they set up a private and free account. In addition, the most important contact details (email or phone number) are verified as part of this setup process, ensuring that you can reach everyone on your contact tracing register if the need arises.

We take privacy and data security seriously

Sine is based in Australia, and all your data is private and subject to the Australian Privacy Act. As an organisation focused on earning our customers’ trust and handling their documents with care, Sine has developed a strong compliance culture and robust security safeguards.

You can contact us at any time to discuss your privacy, or view our privacy policy here.

Real-time reporting and capacity management, anywhere

With Sine’s real-time reporting, you’re able to remotely view how many people are on your site, meaning that you have complete oversight of your capacity management. With Victoria’s Stage 4 lockdown regulations only permitting 5 people on site, this compliance is critical.

Sine’s in-app push notification service can also be used to send group messages to all on-site app users, for informational or emergency correspondence.

Getting started is simple

Our contact tracing solution comes with branded QR code posters that are instantly downloadable from your Sine dashboard. These can be customised for every site you operate.

Print your site poster

To get started, just visit your Sine Dashboard and print out the relevant site poster from your 'Site Settings'.

Download the Sine Pro mobile app

Then, have everyone arriving on site simply download the Sine Pro mobile app to check-in on arrival.

That's it! You're set with a safe, secure and compliant contact tracing solution.

Book your demo today and keep your workplace secure, compliant and COVID-safe.