How QR Codes Work — and How to Decode One Privately

A Quick History

QR codes — Quick Response codes — were invented in 1994 by Masahiro Hara at Denso Wave, a subsidiary of Toyota. They were designed to track automotive parts during manufacturing, replacing barcodes that could only store about 20 digits. A QR code can store thousands of characters and can be read from any angle, at speed, even when partially damaged.

Denso Wave made the QR code standard open and royalty-free, which is why they spread globally without licensing friction. The COVID-19 pandemic accelerated their adoption as contactless menus and check-ins replaced paper.

The Structure of a QR Code

A QR code is a square grid of black and white modules (pixels). Several fixed patterns give scanners the information they need to read the code:

• Finder patterns: The three large squares in the corners. They tell scanners where the code is and what orientation it is in.
• Alignment patterns: Smaller squares within the grid that help scanners correct for perspective distortion on curved surfaces.
• Timing patterns: Alternating black and white modules along the edges of the finder patterns that establish the module grid coordinates.
• Format information: Strips adjacent to the finder patterns that specify the error correction level and the masking pattern used.
• Data modules: The remaining modules that encode the actual content.

Error Correction: Reading Damaged Codes

QR codes use Reed-Solomon error correction, a mathematical technique originally developed for deep-space communication in the 1960s. It allows a decoder to reconstruct the original data even when part of the code is damaged, dirty, or obscured.

There are four error correction levels:

• L (Low): Up to 7% of the code can be damaged and still be read
• M (Medium): Up to 15% damage recovery
• Q (Quartile): Up to 25% damage recovery
• H (High): Up to 30% damage recovery

Higher error correction means more of the grid is devoted to redundancy, reducing the capacity for actual data. Logos embedded in the center of a QR code rely on high error correction — the logo obscures part of the code, but the error correction recovers the lost data.

Versions and Capacity

QR codes come in 40 versions, ranging from version 1 (21×21 modules, ~25 alphanumeric characters) to version 40 (177×177 modules, ~4,296 alphanumeric characters or ~7,089 numeric digits). Most QR codes in everyday use are version 3–7.

The encoding mode also affects capacity. Numeric mode (digits only) is the most compact: 3.3 bits per character. Alphanumeric mode (A-Z, 0-9, space, and a few symbols): 5.5 bits per character. Byte mode (full ASCII/UTF-8): 8 bits per character. A URL with lowercase letters requires byte mode, which is why URLs should be kept short in QR codes.

What QR Codes Can Contain

• URLs: The most common use — a simple text string starting with https://
• vCards: Contact information in a structured format that phones can import directly
• WiFi credentials: SSID, password, and security type — phone scans the code and joins the network automatically
• TOTP secrets: Authentication app setup links encode the shared secret as an otpauth:// URL
• Plain text: Any string of characters, including multi-line text
• Payment links: UPI, Bitcoin addresses, payment app deep links

The Security Risk: QR Phishing ("Quishing")

Because QR codes are opaque — you cannot read the URL by looking at the pattern — they have become a vector for phishing attacks. Attackers place stickers over legitimate QR codes (on parking meters, restaurant tables, public posters) or embed malicious URLs in QR codes sent via email or printed material.

The FBI issued a public service announcement in 2022 specifically about QR code fraud. Thales Group's 2023 threat research identified "quishing" as a rapidly growing attack category, with malicious QR codes appearing in emails at a rate that bypasses many email security filters (which scan text and links, not images).

How to Verify a QR Code Before Scanning

A browser-based QR decoder lets you upload an image of a QR code and see the decoded content before acting on it. This is the safest approach for unfamiliar QR codes, particularly ones received via email or found in unexpected locations. Check that the URL is the domain you expect — not a lookalike domain or a URL shortener masking the final destination.

When in doubt: type the URL manually rather than scanning. QR codes are a convenience feature, not a necessity.