The Hidden Dangers of QR Code Menus

Daniel Pericich
7 min read · Jun 15, 2023


Photo by Albert Hu on Unsplash

TLDR: There is no way to tell what URL a QR code contains by looking at it. Both restaurants and customers should exercise caution when scanning QR codes to avoid phishing, scamming and credit card skimming.

Your waiter seats you at your table and tells you to scan the QR code for the menu while they get water for the table. You scan the QR code and are prompted to enter a credit card number to start a tab, but you do not think much of this. As you wait for your order to arrive your phone buzzes with a text from your bank. Some fraudulent activity was detected on your credit card, but they canceled the transaction and your card. How did this happen?

QR codes found a resurgence in the wake of COVID-19 as many health experts implied physical transmission was a danger. To counter this, many companies turned to contactless business practices like curbside pickups and paperless menus. While QR codes seem innocent enough, there are hidden dangers to using QR codes.

Before going any further, I want to stress that this article is for educational and OpSec purposes only. Just as we have been warned to wear a seatbelt, or not insert an unknown jump drive into our computer, we must understand the risks of QR codes and the best ways to protect ourselves.

What is a QR Code?

If QR codes looked familiar when they began appearing in restaurants and on signs, it is because they are not a new tool. QR codes, which stand for Quick Response codes, were created in 1994 by the Japanese company Denso Wave. This technology was developed by Toyota to create easier tracking of cars and parts during the manufacturing process.

Figure 1. Toyota logo and parts QR code.

QR codes can store more data than traditional barcodes because they are read in two dimensions (top to bottom and left to right), whereas traditional barcodes are only one-dimensional (left to right). The expanded data storage allows QR codes to store up to 4,000 text characters. Due to their higher storage capacity, QR codes have been used for many purposes, including storing phone numbers and website URLs, linking directly to websites, authenticating accounts, and making digital payments.

This extra capacity lets QR codes share far more data than the one-dimensional barcode system allows. Toyota created a tool that was ignored for multiple decades, leaving the QR code obscure for almost 25 years. Now QR codes are used widely, with applications ranging from restaurant menus to fliers and business cards.

What are the Dangers of QR Codes?

How could QR codes be dangerous if they are tools for sharing data? They are not physical objects and do not seem to interface directly with your devices, but they share data similarly to how a jump drive shares data. We have all been warned about plugging a jump drive into our computer because we do not know what data it will share, but most people do not have this same concern with QR codes.

This is the danger of QR codes. You can never be sure what data is being shared with your device from looking at a QR code. Many QR codes direct our browser app to a specific web page, but we cannot be sure exactly where we are being directed.

Figure 2. Flow for scanning a QR code to get a menu

From the diagram above we can see the normal flow for using a QR code. A QR code is scanned by our phone, then the phone makes a request to a server with the provided URL. The server checks for the webpage or file matching the URL and returns us a menu or ordering app. But what if it does not give us the actual menu or ordering app?

There’s a Man in the Middle

The man-in-the-middle attack is a cyberattack that has been around since network protocols were developed. In this attack, the hacker will insert themselves between a user and their server to be able to listen to or even redirect the user’s information and actions. This is a powerful attack because when done correctly, the user never knows that their actions or messages are being intercepted.

Man-in-the-middle attacks require one of two conditions to be successful. Either the hacker must be very knowledgeable, or they must have proximity to the network that a user is on. If a hacker is knowledgeable, they can simply redirect calls or hack the server directly to access records. If the hacker is not knowledgeable, they may be more likely to rely on being in the network to do ARP spoofing on devices.

Figure 3. ARP spoofing attack for a hacker to listen to network traffic.

In the case of QR code spoofing, we will assume that the hacker is neither knowledgeable nor on the network. How would that hack work?

Using Paper: Stickers or Full New Pamphlets

Why hack into a network or hack servers when a hacker can do a little social engineering to do harm? Again, QR codes do not have distinguishing visuals that would allow users to tell the URL they will be directed to. If you replace the QR code, you can direct the user to any server.

Figure 4. A Restaurant’s QR code placard.

In the case of an unethical hacker, this QR code could be used to point to a fake menu webpage or a fake ordering platform. Copying a webpage is not difficult, and changing the form to point to your own endpoint is something that even script kiddies can do. The real skill would come in being proficient in Microsoft Word in the year 2023.

How to Protect Yourself and Your Customers

This seems like too easy of a hack for black hats to do, but you can protect yourself and your customers by practicing good OpSec. OpSec in Cybersecurity stands for “operational security” and refers to the practices one takes to protect themselves in certain activities. This could include actions such as using a VPN while browsing online to prevent malicious actors from snooping on your traffic, changing passwords for accounts regularly, or blacklisting certain IP addresses that have no business accessing your networks or services.

While OpSec is commonly referenced with how large companies operate, it can also be practiced for small businesses and individual users. Let us discuss how to protect your business and how customers can protect themselves.

Ways for Businesses to Protect Themselves

The method outlined above seems simple as it involves printing stickers, standing up servers, a database, and a cloned webpage, but that is still a lot for someone to accomplish. While something like this may happen, the chances it happens to your business are very low. There are still steps you can take to protect yourself.

First, you can check menus and flyers frequently for stickers or tampering. Microsoft Word is a challenging program, and it would be simpler for a hacker to just use a sticker to try to skim information. A simple visual check when opening or closing your restaurant would suffice.

A second, less frequent check you could perform is scanning the QR codes on all flyers and tables every week or so. If the hackers and script kiddies figure out Microsoft Word, then you will want to check that the QR code is going to the right destination.

A third precaution you can take is to avoid using TinyURL or other URL shorteners. You want your URL to be clear and easily distinguishable from fake URLs or typosquatters. A last precaution to take is to print the expected URL under your QR code so your users can have a reference whenever they scan the QR code and open a menu.

Ways for Customers to Protect Themselves

There are two ways for customers to protect themselves. First, they can inspect the URL in their phone’s browser as soon as they scan a QR code. If you are directed to “personalinfoskimmer.io” when you try to go to the Big Bob’s Burger Hut website, then you know that you are not on the correct website. If you have any doubts at all, go with the second precaution, which is to find the website on Google and navigate to the menu manually. It may seem like a pain, but it beats having your personal information stolen.
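The weekly destination check for businesses and the URL inspection for customers both reduce to comparing the scanned URL against the one you expect. The sketch below is an added example, not code from the original article; it assumes the QR payloads have already been decoded by a scanner app, and the expected host `bigbobsburgerhut.example` and the shortener list are hypothetical values.

```python
from urllib.parse import urlsplit

# Assumed values for illustration: the restaurant's real menu host and a
# small, non-exhaustive list of URL-shortener hosts.
EXPECTED_HOST = "bigbobsburgerhut.example"
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typosquatted) hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_qr_payload(payload: str, expected_host: str = EXPECTED_HOST) -> list[str]:
    """Return findings for one decoded QR payload; an empty list means OK."""
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.username or parts.password:
        findings.append("text before '@' can disguise the real host")
    if not host.isascii() or "xn--" in host:
        findings.append("internationalized host may imitate the real name")
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    elif host != expected_host and not host.endswith("." + expected_host):
        near = edit_distance(host, expected_host) <= 2
        kind = "possible typosquat of" if near else "does not match"
        findings.append(f"host {host!r} {kind} {expected_host!r}")
    return findings


# Constructed sample payloads, as if scanned from placards during the weekly check.
SAMPLES = {
    "table 1": "https://bigbobsburgerhut.example/menu",
    "table 2": "https://bigbobsburgerhutt.example/menu",
    "table 3": "https://tinyurl.com/abc123",
    "table 4": "https://bigbobsburgerhut.example@personalinfoskimmer.io/menu",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, audit_qr_payload(payload) or "OK")
```
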

Conclusion

A restaurant may not be a tech business, but this does not mean that its use of tech tools does not create new attack vectors for malicious actors. Any integration into your business is a potential attack surface that can damage both you and your customers. Do not be scared to add tools that enhance user experience, but always do your research to create the best possible customer experience and situation for your business.
