Some folks think that just copying and pasting addresses is the way to go, while others argue that using QR codes for addresses is way safer.
Since many prefer using tail OS or building their own airgapped setups, I'm curious how you all go about scanning QR codes? I feel like the real risk comes from scanning random QR codes you find online instead of just sticking to Bitcoin wallet addresses or those from reliable exchanges.
For anyone who's not a fan of copy-pasting because they think it's risky, can they still use tail OS? Or is there a DIY method to scan QR codes without needing to copy and paste?
Anyone is safe. The important thing is if you are able to verify that the address that you scan is correct and that there's no malware in your device that switched the address to a scammers own. Some hardware wallet can still scan QR code and it does not make them to not be safe it will not be safe if you cannot verify that the address that you are sending to is correct.
Just make sure that after you copy and paste the address, that the address copied did not change to another address. Even if you used QR code and camera instead, make sure the addresses did not change.
You should still be able to use QR code and camera on tails OS with zbar-tools package, according to what I found about it. But I do not think it is necessary if it is about bitcoin addresses.
The silver bullet approach is to build your own QR scanner based on Raspberry Pi. One relevant DIY project is shown here, and I'm sure there are dozens of similar examples available online, justgoogle. After scanning QR code with your own device, you can compare its output with the reading shown by the scanner on the device you normally use, such as your smartphone or computer.
Safer or safest, if you practice it rightly, you will keep your wallet and bitcoin safe.
How to lose your Bitcoins with CTRL-C CTRL-V.
You already asked about QR code and scanning QR codes.
What could go wrong scanning QR codes.
How to Install Tails OS on USB flash drive for Wallet Purpose.
QR code can be created from your wallet and you will use it on another device to sign the transaction. Like this with Electrum wallet.
Creating a cold storage wallet in Electrum.
QR code is at the right corner.
Manual check the address everytime.
Checking the address is where you get the ✅ checked mark.
Because all QR Code does is getting the address in one go for you, makes it easier and faster, that's all.
Scamming doesn't mean it's safest, and also be careful around easier options, this is one of them, thinking scanning means reliable.
It's possible that QR code has a wrong address, or fake address, if you can it you end up with the fake address still, so scanning address or copy pasting shouldn't be a reason why anyone wouldn't want to use crypto wallets on Tail OS or others.
A QR code is a visual format that cannot be read by humans. Without a reference to the Bitcoin address represented, if your scanner is corrupted or fraudulent, you won't realize the address isn't what it should be.
All of the above methods have the equal inherent risks; if you don't like copy-paste and are still unsure about scanning a QR code, use drag-and-drop(*) or type it in manually.
*) https://en.wikipedia.org/wiki/Drag_and_drop
It is easily to build a QR Code Reader using Arduino & QR Scanner Module which is costing less than $30 or Raspberry Pi with a camera module or convert an old phone into a QR Scanner (after deleting the parts that connect to the internet).
standard QR code (V40) data capacity is 3K, which is less than what is required for some signatures, so a microSD card is necessary.
Its possible if youre using your tails OS with wallet like electrum that supports webcams this way you just scan address from the other device, even PSBTs are signed from tail OS using QR codes, so address scanning wouldnt be any problem. Personally I even rate high QR code scanning as safer than even copy and paste or using usb when its an airgapped wallet.
for verification though you can do that manually, normally its actually possible that a flawed QR code can be contain wrong addresses and thats why even platforms that gives you the QR code to sign have address written below it, so you simply manually verified the address after scanning.
Scanning with QR code doesnt mean the transaction easily goes through like that, the recipient address is just automatically filled with that address and you can still edit it. So its best to manually verify the address
I don't think there is a safest for both of them because you are still susceptible to online attacks if you use this on an online device. Similar to copying and pasting a Bitcoin address and sending it to the incorrect address, some people scan the QR code and send a Bitcoin to the incorrect address.
You can only be safe if you have a separate watch-only wallet online and a cold storage wallet on separate devices.
As previously mentioned, if you know how to double-check the transaction when importing it to your Electrum offline wallet before signing it, using Electrum to scan a QR code or copying and pasting the raw hash are both safe.
The crucial step is to confirm the transaction in an offline Electrum; it should display a preview of the transaction with your address and the recipient's address. If you don't check this part, there's a chance you could send your BTC to the wrong address even if it is safe on an offline device. So always double-check before signing a transaction.
Basically, if youre using both methods in cold storage.. you still need to verify the details from your offline device just like everyone already mentioned.
To me, its same.. unless the flash drive itself isnt really a flash drive but most people will argue QR code is better which is true anyway, you can cant trust anything from a device / wallet used on the device that connects to the internet . The unsigned txn is also coming from same source.. remember ?
Use both offline wallet and watch only wallet that supports using of qrcode for what you need. You can use Electrum. Electrum comes with tails, all you have to do is verify .
Yes, you are right, there are known history issues on QR code.
QR code malware
QR Code replacement scam
Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack
You can look at this option for you: https://github.com/mchehab/zbar.
In any case, due diligence is needed.
Use either copy paste or QR code to make sure you are sending crypto to the correct address. It is not easy for many people to type every letter of the address perfectly. Copy and paste is a safer way to send crypto to the desired wallet.
HeatBit had another topic that was created before this topic about QR code and issues with it. There are both discussions and recommendations for him about resources to learn more about QR code, this phishing type and how to avoid this scam.
Phishing is a famous scam type and if QR codes are used, it's called as Quishing.
What could go wrong scanning QR codes.
Forum friends have submitted the solution, try verifying the authenticity of the scanned "QR code", or verifying the "copied/pasted" address. Because, the copied/pasted address could be changed (due to hacking), and so could the QR code. Furthermore, QR codes can also be manipulated by directing potential victims to fake websites (to scam), a method called "Quishing", and the process of manipulation (or fraudulent method) in paste is called "paste jacking". Therefore, try to be vigilant in every activity you do in crypto, especially when making Bitcoin transactions. You don't need to rush into transactions; take the time to verify them, which only takes a short time.
Reference : cloudflare.com - What is quishing?
Additionally, I also recommend you to disable clipboard history, and preferably avoid Sync across devices.
Copy and paste is safe if you don't have malware and recheck the address. The hackers won't be able to make address that is 90% similar.
In the case that you really want a QR code, just build scanner by yourself.
When you are building one, you need to watch out for the supply chain attack and cherry pick library to use.
Or simply clone existing git repo and let claude inspect it.
For the danger you mentioned, maybe just don't scan any QR code you found online. Or if you insist, use some throwaway devices to scan it first and make sure its safe.
Tons of people loses their money scanning random QR code that trigger an app to send money to scammers' addresses but I haven't seen one with crypto.
It is not necessary for tail OS to have a camera so that it can scan a QR code, many people will be fine with copy and pasting bitcoin addresses.
All you have to do is make sure you look at the address very well before sending the coins, the most important thing here is keeping your private key safe so that you don't lose your Bitcoin.
Which one will you choose? Losing your coins or you not been able to scan QR codes? It makes no sense sorry to say, at the end of everything what matters is keeping your coins alive for many years to come, not if you can scan QR codes or not.
What do you mean how... we just point the camera to them, and than confirm address or link visually.
There is DIY signing devices like SeedSigner and Krux that have integrated cameras for scanning so you can use them.
They are based on raspberry pi and similar small devices, and parts can be purchased anywhere and than assembled.
TailsOS is just a portable linux operating system, it has nothing to do with QR codes.