Blog: Consumer Advice

What the cluck?! Cyber hygiene when eating out.

Fergus Crossley 02 Dec 2020

This feels like the new norm for eating out at a restaurant:

  • Stand uncomfortably, 2 metres from the party in front/furrow your brow when the other party move within your “safe zone”.
  • Make a huge over-theatrical show of sanitising your hands, as though you’re about to perform some major surgery.
  • Smile nervously and sympathetically at staff then realise that they can’t actually see your odd grimace through your face mask.
  • Scan a multitude of QR codes.

I’ve been through the process many times myself, after appearing blinking in the sunlight and excited by my newfound freedom after the first lockdown…probably more frequently than BC (Before Covid).

The caged feeling of not being able to get a McDonald’s for 4+ months or go for a beer with friends, which I did infrequently anyway (parenthood), was finally lifted and I was free at last! I was out, wild-eyed and following any guidelines that were thrown at me just so I could experience a small amount of normality!

One thing which did strike me was the willingness, for the most part, of the public to follow the guidelines and happily take out their smartphone to snap any QR code which was put in front of them.

QR Codes

One such experience did stick with me. I was visiting a well-known spicy chicken venue and was instructed to snap a QR code to get access to the menu. It made perfect sense! I could view the menu (No need for them to sanitise it after each sitting) and order whatever I wanted with limited human contact… perfect for a slightly awkward introvert such as myself!

Oh, and…pay…for…it…

While I was waiting for my food to arrive I started to think about the ways in which QR, and the public excitement and enthusiasm for embracing the “new”, could be used to exploit…

Having worked in security for some time, I’m well aware that this attack vector certainly isn’t revolutionary or highly complex.

But with QR being the new “norm” for getting access to venues which sell lovely food and drink, I wondered how complacent we’ve become to the risk of scanning anything which is proffered to us.

How to scam it

The spicy chicken restaurant in particular worried me, as I was asked to plumb in my card details in order for the friendly masked staff to bring over my food.

A quick scan on the internet for a similar domain to theirs threw up the below:

With limited skill/knowledge I could easily scrape the code off the original website and copy it exactly, so the look and feel was the same.

And I could easily create a QR code sticker to place over the ones on the tables using one of the many websites online:

This would allow me to quite quickly harvest upwards of 30 credit card details before an issue was identified. Even when it was, the staff would not be aware that this was some sort of malicious attack, and would most likely revert to good old pen and paper and an EPOS machine.

An hour or two could go by before what was actually happening would be truly discovered. And even then, how would staff be able to identify which customers had been hit? (They’d plumbed their details into MY dodgy site, not their own.) So this could be upwards of 50 sets of CC details… PER STORE. PER HOUR.

A well-orchestrated attack, using, say, 5 “ne’er-do-wells” over 5 stores could give me over 250 sets of card details in a couple of hours!

Privacy Affairs’ Dark Web Price Index can give you an idea of what these could be sold for:

BTW Credit card data costs $12-65 depending on the bank account balance

According to the site, a success rate of 80% is given for the cards, meaning 2 out of 10 cards either do not work or do not have the specified bank account balance.

~$3000 is not a bad return on investment for my time and 99p overhead… and that’s being conservative…

How to protect yourself

  • Ask the staff if the QR code is the right one
  • Check that there’s a URL below it and that it matches the link that pops up on your phone
  • Is the URL related to the shop? Be aware that shortened URLs used in QR codes can make this more difficult

A quick sanity check will make the scammer’s life more difficult.
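The checks in the list above, written out as an added Python example (not part of the original post) that a venue's ordering app or a scanner could run on the decoded link before opening it. The function name `check_qr_url`, the `spicychicken.example` domains, the shortener sample and the 0.8 similarity threshold are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: a small sample of well-known URL shorteners, not an exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
NEAR_MISS = 0.8  # assumed similarity threshold for "looks like the real domain"


def check_qr_url(scanned_url, expected_domain):
    """Return (verdict, reason) for a URL decoded from a QR code.

    expected_domain is the venue's real domain, e.g. the one printed under the code.
    Verdicts: "ok" (matches), "ask" (cannot tell, ask the staff), "reject".
    """
    parts = urlsplit(scanned_url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")

    if parts.scheme != "https" or not host:
        return "reject", "not an https link"
    if parts.username or parts.password:
        # In https://real-site@other-site/ the browser goes to other-site.
        return "reject", "text before '@' hides the real destination"
    if host in SHORTENERS:
        return "ask", "shortened URL: destination cannot be read from the link"
    if host == expected or host.endswith("." + expected):
        return "ok", "host is the expected domain or a subdomain of it"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", "punycode host can render as look-alike characters"
    if expected in host:
        return "reject", "expected domain is embedded in a different host"
    if SequenceMatcher(None, host, expected).ratio() >= NEAR_MISS:
        return "reject", "host is a near miss of the expected domain"
    return "ask", "host is unrelated to the expected domain"


if __name__ == "__main__":
    # Constructed sample links; none of these are real sites.
    for url in ("https://order.spicychicken.example/menu",
                "https://spicychlcken.example/order",
                "https://spicychicken.example.pay-menu.example/",
                "https://bit.ly/abc123"):
        print(url, "->", check_qr_url(url, "spicychicken.example"))
```

The "ask" verdict maps to the first bullet: when the link alone cannot settle it, check with the staff before entering card details.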

Conclusion

Now what I most certainly do not want to do is discourage people from eating out. The hospitality industry has been battered more than most by Covid and we should do what we can to get it back on track. But a large breach and an undermining of public trust in places such as these would do further damage.

The solution is fairly simple: Educate the public. We’ve already been told a multitude of times how to sanitise our hands, so a quick Public Service Announcement on how to practise good cyber hygiene while eating out should not be too difficult.