Following news that an Adelaide man has been charged with placing fake QR codes over official venue check-in posters, now is a great time to refresh yourself with the best ways to manage your privacy when scanning into venues.
Use the official COVID-Safe Check-in within the mySA GOV app.
The app has been designed to notify users when a scanned QR code is not official. This is the easiest way to ensure you are not inadvertently sharing personal information with malicious actors. If you scan a QR code before entering a venue and you get this error, you should notify staff at the venue.
Visually check the displayed QR code for tampering.
Although this method is not foolproof, the instances reported have involved stickers being placed over the genuine QR codes. You may be able to see a raised sticker over the original code. If you notice anything suspicious, you should notify staff at the venue.
If you need to use your camera app or another unofficial QR code scanner, always check the website URL.
The South Australian Government has acted quickly to change the default functionality when using the camera app to scan an official QR code. When scanning an official QR code, the camera app will direct you back to the mySA GOV app if it is installed on your device.
If the mySA GOV app is not installed on your device, or if you are using an unofficial QR code scanning app, always check the website URL you are being directed to. Official QR codes will always direct you to an address starting with https://checkin.covid-19.sa.gov.au...
If the URL does not include the .sa.gov.au domain name, do not enter any personal information, and notify staff at the venue.
Keep an eye out for unexpected triggers.
QR codes can trigger events on your mobile device like adding a contact, joining a Wi-Fi network, installing an app or sending an SMS. Keep an eye out for triggers that you don’t expect and be ready to exit the web browser if an unexpected trigger starts processing. If the QR code triggers an unexpected event, you should notify staff at the venue.
Remember, you will only ever be asked to provide three fields of personal information on the first screen after scanning if the QR code is official:
You will never be asked for an email address, date of birth, payment information or address. If you have scanned a QR code that is asking any personal information that is unexpected, close your web browser immediately, do not enter any personal information, and notify staff at the venue.
We still recommend using the mySA GOV app.
Openly still recommends using the mySA GOV app rather than the manual check-in forms where possible. There is still a significant privacy risk in using manual check-in forms that are stored and managed by the venue over using the official Government app.