
Really surprised there hasn’t yet been a reckoning with QR code substitution attacks. Duplicate the menu, put up a “type your credit card details” form, and you could probably automate the actual order with the real menu site in the background. Boom, skimmed.

There’s just no way for laypeople to evaluate the provenance of random QR codes. The restaurant industry often uses random third party sites for their menus, so even that is a poor signal.

EDIT: Adding second paragraph that was accidentally deleted before submission



QR code substitution does involve significant in-person risk for the perpetrator. Some patsy has to go around swapping the QR codes on restaurant tables, likely raising some awkward questions from the staff and ending up with their face on multiple security cameras. It's certainly doable, but the risk/reward ratio seems poor compared to ransomware, hacking PoS systems, etc.


Can you elaborate on the perp’s risk/reward analysis?

Imagine a vending machine in a remote area with no hardline data access, and it’s unreliable for the machine to access the phone network. If there’s a QR on the machine, and if the customer has a data signal, then payments can easily be processed by phone and return a code to complete the purchase.

A perp swaps the QR, sends customers to a plausible-looking payment site and steals their buck-and-a-quarter.

It’s fairly easily detected because that machine suddenly stops making money. The perp’s website and payment processing would be subject to subpoena. And this is wire fraud, so a federal crime in the US.

Sufficient risk / insufficient reward?


This is what came to mind immediately when a friend of mine was recalling a prank (purportedly) pulled on a Sydney restaurant. The QR code sticker on various tables was replaced with a legit-looking sticker which actually took users to a rather NSFW URL instead of an ordering page.

I hope it has caused people to start thinking about what could happen beyond the jokes.


I couldn't agree more. Though, just because we haven't heard of widespread cases doesn't mean it hasn't happened or isn't happening.

> There's just no way for laypeople to evaluate the provenance of random QR codes.

Arguably, even seasoned veterans may have difficulty confirming the validity. Too often, it's a patchwork of random third parties before the order is completed.

> The restaurant industry often uses random third-party sites for their menus, so even that is a poor signal.

Which makes this all that worse, as it's contrary to all of the "verify" messaging we've been preaching from the security world.


In the Indian UPI system the QR scan for payments involves an account holder name fetch from the recipient bank. This makes it very difficult to convincingly swap QRs.
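The thread raises two different checks a scanning app could run on a decoded QR payload: whether a menu URL actually belongs to a known ordering vendor (the "no way to evaluate provenance" problem above), and, for the UPI flow in this comment, whether the payee name embedded in the QR matches what the recipient's bank says the account holder is. The following is an added example, not code from any poster or from any real ordering or payment app. The allow-list of vendor hosts, the payee directory (a stand-in for the bank-side name lookup, which here is just a constructed dictionary), and all payload strings are constructed assumptions.

```python
"""Classify a decoded QR payload before acting on it (added example).

The string a QR decoder returns is untrusted input. Two checks are shown:
  * a menu URL must be https and its host must be on an exact allow-list
    (catches vendor.com.evil.example, https://vendor.com@evil.example and
    punycode look-alikes, all of which fool a naive startswith() check);
  * a upi://pay URI's embedded payee name (pn) must match the name the
    recipient bank reports for the payee address (pa).
"""
from typing import Dict, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of hosts a venue's ordering vendor actually uses.
TRUSTED_MENU_HOSTS: Set[str] = {"menu.example-ordering.com", "order.example-pos.com"}

# Constructed stand-in for the bank-side account holder lookup described in
# the UPI comment. In the real system the payer's app queries the bank.
PAYEE_DIRECTORY: Dict[str, str] = {"cafe@examplebank": "Example Cafe Pty Ltd"}


def check_menu_url(payload: str, trusted_hosts: Set[str] = TRUSTED_MENU_HOSTS) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only exact hosts on the allow-list."""
    parts = urlsplit(payload)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if "@" in parts.netloc:
        # https://trusted.host@evil.example puts the trusted name in userinfo
        return False, "userinfo in URL, host is not what it looks like"
    host = (parts.hostname or "").lower()  # hostname strips port and userinfo
    if not host:
        return False, "no host in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"punycode label in host {host!r}, possible homoglyph"
    if host not in trusted_hosts:
        # exact match, so trusted.host.evil.example is rejected
        return False, f"host {host!r} not on allow-list"
    return True, host


def check_upi_uri(payload: str, directory: Dict[str, str] = PAYEE_DIRECTORY) -> Tuple[bool, str]:
    """Return (accepted, reason). Compare the QR's payee name with the bank's."""
    parts = urlsplit(payload)
    if parts.scheme != "upi" or parts.netloc != "pay":
        return False, "not a upi://pay URI"
    query = parse_qs(parts.query)
    payee_addr = query.get("pa", [""])[0]
    payee_name = query.get("pn", [""])[0]
    if not payee_addr:
        return False, "no payee address (pa)"
    registered = directory.get(payee_addr.lower())
    if registered is None:
        return False, f"payee {payee_addr!r} unknown to bank lookup"
    if payee_name and payee_name.casefold() != registered.casefold():
        # The swapped sticker can print any name it likes; the bank cannot be
        # edited by the attacker, so the mismatch is what the user should see.
        return False, f"QR says {payee_name!r} but bank says {registered!r}"
    return True, registered


if __name__ == "__main__":
    # Constructed payloads: one legitimate and several substitution attempts.
    for url in (
        "https://menu.example-ordering.com/table/12",
        "https://menu.example-ordering.com.evil.example/table/12",
        "https://menu.example-ordering.com@evil.example/",
        "http://menu.example-ordering.com/table/12",
    ):
        print(url, "->", check_menu_url(url))
    for uri in (
        "upi://pay?pa=cafe@examplebank&pn=Example%20Cafe%20Pty%20Ltd&am=4.50",
        "upi://pay?pa=cafe@examplebank&pn=Totally%20Legit%20Cafe",
        "upi://pay?pa=mule@otherbank&pn=Example%20Cafe%20Pty%20Ltd",
    ):
        print(uri, "->", check_upi_uri(uri))
```

The point of the second check is the one the comment makes: the attacker controls everything printed on the sticker, including the name, but not what the recipient's bank returns for the payee address, so surfacing that name to the payer turns a convincing swap into an obvious mismatch. The first check has no equivalent out-of-band source, which is why a plain menu URL is so hard for a diner to vet.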


Not really an 'attack' so much as a proof of concept, stuff like this exists...

https://youtu.be/q2ie1UczPNo

QR codes should, generally, DIAF.


* Die In A Fire


The menu doesn't typically ask for payment; the server still does that, so a QR substitution attack would do nothing useful other than confuse the customers and staff for about 10 minutes before they decide to just rewrite the menu on some paper and deal with the problem after closing.


In Australia, QR code to website menu->order->pay has become the norm; restaurants without it are increasingly rare[1]. There are 2 or 3 major vendors of such systems, generally respectable (though a few dark patterns on some of them). I'm completely surprised there haven't been substitution attacks already.

[1] These emerged during/after lockdowns to minimise staff contact with diners, but have stuck around as there's an employment crisis whereby restaurants (and plenty of other businesses) can't find staff, so this reduces the need for staff to stand around waiting for you to place your order.


Sure, I haven’t described the universe of QR code usage at restaurants. The point still stands that a QR code at a table is an abusable trust boundary in some places where it’s used.


It probably depends on where you live/how tech-savvy your area is, but where I am, it's fairly common to order and pay through the QR menu as well.


In Sydney, Australia it is common for the payment to happen through the QR code flow. It’s backed by well-known apps though, not unknown third parties.




