QR Code Security & Privacy

QR Code 스티커 공격: 탐지 및 예방

<\/script>\n
'; }, get iframeSnippet() { const domain = 'qrcodefyi.com'; const type = 'guide'; const slug = 'sticker-attack-prevention'; return ''; }, get activeSnippet() { return this.method === 'script' ? this.scriptSnippet : this.iframeSnippet; }, copySnippet() { navigator.clipboard.writeText(this.activeSnippet).then(() => { this.copied = true; setTimeout(() => { this.copied = false; }, 2000); }); } }" @keydown.escape.window="open = false" @click.outside="open = false">

Embed This Widget

Theme


      
    


    
    

      Widget powered by
      .
      Free, no account required.
    

  




  
  
  
Physical QR code tampering: sticker overlay attacks, tamper-evident materials, and verification strategies.

  
  

    
  








  
  

    
    
      
      
  1. 
        QR Code Sticker Attacks: Detection and Prevention
      
    2. 
      
      
  2. 
        How Sticker Attacks Work
      
    3. 
      
      
  3. 
        High-Risk Locations
      
    4. 
      
      
  4. 
        Detection Methods
      
    5. 
      
      
  5. 
        Prevention for QR Code Deployers
      
    6. 
      
      
  6. 
        Key Takeaways
      
    7. 
      
    

  









  
  

  
  

    
    

      
QR Code Sticker Attacks: Detection and Prevention


Sticker overlay attacks are the most physically accessible form of QR code fraud. An attacker simply places their own QR code sticker over a legitimate one, redirecting all subsequent scans.


How Sticker Attacks Work


    

  1. Attacker generates a QR code pointing to their malicious URL
    2. 

  2. Prints it on adhesive-backed paper or vinyl
    3. 

  3. Places the sticker over a legitimate QR code in a public location
    4. 

  4. Victims scan the overlay QR code, trusting the physical context
    5. 

  5. The malicious URL may mimic the expected destination for credibility
    6. 



High-Risk Locations


    

  • Parking meters and payment kiosks
    • 

  • Restaurant table cards and menus
    • 

  • Public transit information signs
    • 

  • ATM machines and payment terminals
    • 

  • Shared scooter and bike rental stations
    • 



Detection Methods


Visual inspection: Check for raised edges, different paper stock, or misalignment with the surrounding surface.


Peel test: Legitimate QR codes are usually printed directly on the surface, not on a sticker. A peelable QR code on a parking meter is suspicious.


URL verification: Check the URL preview — does it match the expected domain? A parking meter QR should go to the city's payment portal, not random-domain.com.


Multiple codes: If the same location has multiple QR codes (one underneath another), the top one is likely a sticker attack.


Prevention for QR Code Deployers


Tamper-evident materials:
- Holographic overlays that break when removed
- Security stickers that leave a "VOID" pattern if peeled
- Printed directly on the surface (not separate stickers)
- Tamper-evident ink that changes colour when disturbed


Technical measures:
- Digitally signed QR codes that verify authenticity
- Dynamic QR codes with server-side URL validation
- Regular physical audits of public QR code installations
- Domain monitoring to detect lookalike phishing domains


Operational measures:
- Document and photograph all legitimate QR code installations
- Train staff to inspect QR codes during routine maintenance
- Provide a reporting channel for suspected tampering
- Respond quickly to reports — remove stickers and notify affected users


Key Takeaways


    

  • Sticker attacks are simple, cheap, and effective against public QR codes
    • 

  • Visual inspection (edges, paper stock, alignment) detects most overlays
    • 

  • Tamper-evident materials make sticker placement obvious
    • 

  • Regular physical audits are essential for public QR code installations
    • 

  • Print directly on surfaces when possible to eliminate the sticker attack surface
    •