Satan's Grid
QR Codes, why I hate them, and what to do about them.
As I was doing a little background research for this article, which has been brewing in my mind for some time, I came across a piece over on Vice.com about the author’s hate for QR codes, and I just wanted to poke the screen and say, “Yeah, that!” I’m not going to repeat her diatribe of reasons for despising QR codes (but I agree with every one of them), so go take a look at that article, then come back and let’s talk more about the evilness of “Satan’s grid,” as she puts it…

…Back already? It’s so funny that the author talks about bibimbap and fine dining needing QR codes, as this has been my exact experience as well. Living in Sacramento and working in Silicon Valley, I see these QR codes pasted to the corner of the table in every Korean restaurant, at one of my favorite higher-end tapas restaurants in San Jose, La Catalana, and at one of my favorite swanky eateries here in Folsom, Back Bistro (I guess I should have added to the site header that I’m a foodie and we might edge into that on occasion as well when it overlaps with IT matters)…
It drives me crazy, both as a security professional and (let’s be honest here) a 50+ geezer, to sit down and see one of these on a table or bar top. Yes, I’m a technologist who is frequently an early adopter and purchaser of the newest technology, and who spends hours a day on my phone, but there is simply nothing new or exciting about QR codes. Not only do they make life in general a bit more complicated (and potentially insecure), but, in the case of restaurant usage, they distance the customer from the dining experience.
While I don’t like QR codes, and I don’t expect them to proliferate more than they already have as a result of the medical events of the past three years, I do expect them to linger around in enough instances that it’s necessary to know how to properly interact with them. For that I have a few recommended courses of action for you, my readers, whenever you may be faced with the task of having to navigate a QR code in your daily outings:
1. Avoid the QR code altogether. Ask for a paper copy of whatever the QR code is referencing. In most cases this will be a menu. In every case when I’ve done this, I was promptly provided with a hardcopy menu with no snark or eye rolling. During the health crisis the whole sanitization and cleanliness angle may have been the primary reason given for the QR code, but most restaurants that have kept them around have likely done so to save money on printing and/or to ensure that the menu provided is flexible and up to date with the latest daily specials and menu items. In this case, quite simply ask the waiter if there are any changes to the hardcopy menu you’ve been provided.
2. Make sure that you are scanning the QR code provided by the establishment and not a malicious replacement. Is the QR code printed directly on material with the business’ logo? Feel around the code. If it’s stuck on, is it one layer deep or does it look like someone may have added another layer of sticker over top of the original? Much like with skimmers on point-of-sale devices in stores or gas stations and on ATMs, check to make sure that you are not using some add-on provided by a malicious actor.
3. OK, you’re pretty sure the QR code is legit, so now it’s time to scan it. What app are you using? Does it display the link in plain text so you can ensure that you are going to the destination you expected? Does it check the link to make sure that it is safe? If it is determined to be safe, will it then open the page automatically to ease the experience, like Trend Micro’s QRScanner? (Not an endorsement, but this app has zero ads and I’ve found it to perform the best out of everything I’ve tried.)
The above three recommendations are all about what to do with QR Codes, but there are a few considerations around what NOT to do as well. Namely:
- Do NOT ever download an app presented to you via QR code as some fun or vital addition to your experience. To obtain a QR code scanning app, always use reputable app stores that have done some form of minimal vetting.
- Don’t provide login credentials when taken to a site by QR code.
- Don’t ever make a payment through the QR code, as you have no way of knowing whether the funds will make it to the intended destination (if the QR code is directly in the recipient’s app, that is a different story).
If during the process you discover a malicious QR code, please bring this to the proprietor’s attention so they can do something about it. In the end, a QR code is in and of itself just a link to a URL. It’s boring, dumb “technology,” but it is not by itself malicious or dangerous. In the wrong hands it can be used maliciously though, so anytime you interact with a QR code just be aware of the above, be smart, and enjoy your meal.
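The scanner checks from the third recommendation (show the real destination in plain text and flag anything odd before opening it), sketched as an added Python example that is not from the original post or from any scanner app. The function name, the shortener list and the `.example` sample domains are assumptions; it only inspects the decoded string locally and queries no reputation service.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny illustrative set of link-shortener hosts, not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def inspect_qr_payload(payload, expected_domain=None):
    """Return the real destination host of a decoded QR payload plus warnings.

    Purely local checks on the string; nothing is fetched or opened.
    """
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""
    except ValueError:
        return {"host": None, "warnings": ["malformed URL"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        return {"host": None, "warnings": ["not a web link"]}

    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if parts.username is not None:
        # In "https://a.example@b.example/", the browser goes to b.example.
        warnings.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # an ordinary hostname
    labels = host.split(".")
    if not host.isascii() or any(lb.startswith("xn--") for lb in labels):
        warnings.append("internationalized name, possible look-alike")
    if host in SHORTENERS:
        warnings.append("shortener hides the final destination")
    if expected_domain and not (
        host == expected_domain or host.endswith("." + expected_domain)
    ):
        warnings.append("host is not the expected domain")
    return {"host": host, "warnings": warnings}


# Constructed sample payloads (hypothetical domains, not from the article).
if __name__ == "__main__":
    for sample in ("https://menu.bistro.example/dinner",
                   "https://bistro.example@pay.unrelated.example/login",
                   "http://203.0.113.7/menu"):
        print(sample, "->", inspect_qr_payload(sample, "bistro.example"))
```
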