Could QR Code Menus Pose a Risk to Merchants?
Tableside QR codes have nearly eradicated germy menus, but they may have opened the door to a new threat that businesses didn’t see coming: data fraud.
The use of QR codes on restaurant menus and business signage has skyrocketed during the pandemic. Nearly half (47%) of consumers say they’ve noticed an increase in their QR code use since Covid hit, and 32% have scanned a QR code in the past week.
Switching out traditional paper menus for tableside QR codes saves businesses money and prevents consumers from having to come into contact with a high-touch surface. However, with one QR code nearly impossible to distinguish from another, it’s not difficult to see how bad actors could swap out codes and redirect consumers to malicious websites that look similar to a restaurant’s online menu.
The Better Business Bureau has already started receiving reports of criminals using QR codes to their advantage, and that potential vulnerability has some businesses questioning what they can do to keep their patrons safe.
“Many restaurants have started using QR codes to encourage touchless transactions, but like any card-not-present transaction, there is an opportunity for fraud,” explains Jim Ducharme, chief operating officer at Outseer, a technology company that specializes in combatting payments fraud.
Scanning QR codes for menus and payments opens up a new avenue for fraudsters to access private information — who a person is, what they look like, what they do, their habits, and more. To the average eye, QR codes all look the same, so it’s nearly impossible for a consumer to verify whether a QR code is legitimately from a business or if a criminal has replaced it and is misdirecting people to a malicious website.
“While it may not seem like a big deal, even an email address can prove to be valuable for fraudsters on the dark web,” Ducharme says.
A Growing Threat
As touchless tech and mobile payments become more prevalent, criminals have more avenues to potentially target consumers.
Ducharme says businesses should be aware of the different types of fraud that can occur when using QR codes, and how they can take anti-fraud measures to prevent fraudsters from gaining access to sensitive customer information. For example, Card Not Present (CNP) and Account Takeover (ATO) are two types of fraud that can come from QR code vulnerabilities. These types of attacks happen through phishing techniques where criminals impersonate a brand or business to collect customer information, like emails and other login credentials.
There are things merchants can do to fight back.
Ducharme recommends that businesses use trusted and verified CNP technology on the other side of their QR codes. A key way for businesses to do this is to leverage the latest EMV 3-D Secure standard for online transactions. By working to authenticate customers transparently behind the scenes, the frictionless approach increases transaction approvals for legitimate purchases without slowing down or compromising the customer.
Merchants should be on the lookout for red flags, and they should be running frequent QR code checks to ensure there is nothing taped over their codes or added to them that would direct users somewhere other than their own menus or payment options.
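The routine code check described above can be scripted once staff have scanned each table's code and recorded the decoded text. The following is an added example, not code from the article or from Outseer; the menu URL, table labels and scan results are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the merchant's real menu URL (placeholder domain).
EXPECTED_MENU_URL = "https://menu.example-bistro.test/dine-in"

# Constructed sample: decoded text of the code found on each table.
SCANS = {
    "T1": "https://menu.example-bistro.test/dine-in?table=1",
    "T2": "https://menus.other-site.test/dine-in",
    "T3": "http://menu.example-bistro.test/dine-in",
    "T4": "WIFI:S:guest;;",
}

def audit_payload(payload, expected=EXPECTED_MENU_URL):
    """Return a list of findings for one decoded QR payload; empty means OK."""
    want = urlsplit(expected)
    try:
        got = urlsplit(payload.strip())
        host = (got.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    if got.scheme not in ("http", "https") or not host:
        return ["payload is not a web URL"]
    findings = []
    if got.scheme != "https":
        findings.append("not HTTPS")
    # Compare the parsed hostname exactly. Substring or prefix matching
    # on the raw text would pass a URL that merely contains the name.
    if host != want.hostname:
        findings.append("host %s is not %s" % (host, want.hostname))
    # The query string is ignored so per-table parameters are allowed.
    if got.path.rstrip("/") != want.path.rstrip("/"):
        findings.append("path %s is not %s" % (got.path, want.path))
    return findings

def audit_tables(scans, expected=EXPECTED_MENU_URL):
    """Map table label -> findings, only for tables that need attention."""
    report = {}
    for table, payload in scans.items():
        findings = audit_payload(payload, expected)
        if findings:
            report[table] = findings
    return report

if __name__ == "__main__":
    for table, findings in sorted(audit_tables(SCANS).items()):
        print(table, "->", "; ".join(findings))
```

Any table that appears in the report should have its printed code inspected and replaced before service continues.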
“Businesses can add validation and verification steps to login portals accessed through QR code scans,” Ducharme says. “Businesses can also use geolocation and behavioral data to help identify fraudulent activity and suspicious logins [or] users.”
Consumers play a role as well. Ducharme suggests that restaurant patrons look for signs that a code is clearly connected to the business, including QR codes taped to a table or identified by an employee. If a QR code appears to be taped over another, consumers should ask an employee if it is connected to the business or not.
“If anything about the code seems out of place, consumers should trust their gut and ask for verification before scanning,” Ducharme says. “Consumers using QR codes can also protect themselves by using a QR code scanner app with security and virus detection capabilities, instead of using their phone camera.”
Stephanie Miles is a senior editor at Street Fight.