I am a foodie.

Wait a second. I know what you’re thinking. This is supposed to be a blog about cyber security. What does food have to do with cyber security? For now, just go with it.

I love all kinds of food. Food makes me happy. Many of you reading are probably from the greater New York area, and I grew up in New Jersey. New Jersey is one of the best places to live if you like food because it has every type of ethnic group, and where you have every type of ethnic group, you have their style of food.

If you want good pizza, you don’t go to Pizza Hut or Domino’s. You go to some mom-and-pop shop like Reggio’s on Magie Ave in Elizabeth. Best pizza and best calzone ever, hands down. If you want good Portuguese food, you go to the takeout place in Union Center. For 30 bucks, inflation notwithstanding, you walk out with four trays of chicken, pork, vegetables, and rice to feed a family of eight, and it’s great food. I can keep going on. If you want fresh meats for cooking, you see Fritz, the butcher. If you want great cheesecake, you go to Kartzmann’s.

Now when I go out to eat, I like to study the menu. First thing I do is go through the headers: appetizers, salads, burgers and wraps, steaks from the sea, etc. I look at the categories to get an idea of what it is I want to eat. Then I zero in on two or three entrees that fit my mood and appetite. My eyes are always darting back and forth across the pages and then sometimes flipping a page so I can compare the ingredients and satisfy my epicurean desires.

The thing about QR codes

With COVID, many restaurants went to the QR code-based menu. You use your smartphone to scan the QR code, and then you can pull up the menu on your phone. Use your finger to scroll through the menu to see what you want.

I understand the health reasons for doing this, and I’m OK with doing that during COVID. Frankly, though, I’m no longer a fan. I accept that COVID is real, but it’s also part of life, and I’ve gotta deal with it. I don’t like going to a restaurant if I’m forced to use the menu off of my smartphone via a QR code. It takes too long to review a menu when you have to scroll through it and then scroll back. With a menu in your hands and your eyes on the page, flipping through it can be so much faster and so much more accurate than scrolling up and down and back and forth, because you remember where things were.

Last week, I was dining with my colleague and fellow foodie, Dan. At one point, Dan reached across the table and pointed at the appetizers on my side. “How would you like to try that bowl of guac?” He couldn’t do that with a QR code. So, that is reason number one I don’t like QR codes.

You know what else I don’t like about QR codes?

From a cyber security perspective, I have no idea whether that QR code is safe to use or if it possibly has some type of malicious software embedded in it. For those of you who read my last bit about installing app after app after app on my smartphone, the same thing applies to QR codes.

Who created this QR code?

Who inspected this QR code to ensure it was secure?

Who is responsible for fixing it or fixing my device if it turns out that there is malware on the QR code?

How to safely use QR codes

A January article on threatpost.com highlighted the rise of QR codes with malicious software in the COVID era. Here are some recommendations from the FBI for using QR codes.

  • Double-check the URL of any site pulled up with a QR code to make sure it’s legitimate: “A malicious domain name may be similar to the intended URL but with typos or a misplaced letter,” the FBI added.
  • Before engaging with a QR code, check to make sure the code itself hasn’t been tampered with. The FBI suggests looking for evidence that a sticker has been slapped over the original code.
  • The alert also cautions users against downloading an app from a QR code rather than the application store, which has more security protections.
  • Do not download a QR code scanner app: The FBI said, “this increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.”
  • Don’t make payments to a site accessed by a QR code, if possible.
  • And, if you receive a QR code that you believe to be from someone you know, reach out to the person through a known number or address to verify that the code is truly from them.

Those are all sound recommendations. I have to go a bit further, so here are my additional recommendations on using QR codes.

Additional recommendations to increase safety and security

  • <Stomp feet! Stomp feet! Stomp feet!> Do not download an App from a QR code. Go to your smartphone App Store. See previous recommendations about Apps.
  • Beware of anything free – all QR codes are free – so be judicious.
  • Check the QR code to see if it has been tampered with. The large permanent QR codes on the park service information map are likely safe if they are permanent and built into the display.
  • Avoid scanning random QR codes posted in public like those on telephone poles, road signs, etc.
  • If you think the QR code is superfluous or not helpful to the operation, inform the requiring vendor or organization that you don’t support it. They won’t change without feedback.
  • If you are a vendor or organization that wants to develop a QR code, do your marketing research to see how your users will react to using it to do business with you.
  • If you are a vendor or organization that determines it needs to deploy a QR code to its users, you have an ethical responsibility to your customers and members to ensure it passes and maintains secure coding standards.
  • If you deploy QR codes on your business premises, place them on the inside of the window glass so a bad actor can’t bootleg your QR code with a sticker.
  • If you deploy QR codes, you have an ethical responsibility to ensure an outside entity hasn’t altered your QR code. This may seem outrageous, but you inherit responsibility when you post QR stickers in public spaces all over town. Frankly, those public spaces don’t belong to you for your free advertising, which might make you wrong from the start, but I won’t mention that for now.
  • If you own a dining establishment and use a QR code for patrons to access more than a two-page 8.5 by 11-inch physical hard copy menu, please provide a physical menu as an alternative as soon as the health conditions allow. Some of us are losing patience. 
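
Both the FBI’s “double-check the URL” advice and a vendor’s duty to confirm that a posted code has not been altered come down to comparing the text a QR code decodes to with the address you expected. The sketch below is an added example, not part of the original post; it starts from the already-decoded URL string, and the function names, the `.example` domains and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(decoded, expected_host):
    """Return a list of findings for a decoded QR payload; empty means it matches."""
    findings = []
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        findings.append("not-https")
    # "https://trusted.name@other.host/" really goes to other.host
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if host == expected_host or host.endswith("." + expected_host):
        return findings
    if edit_distance(host, expected_host) <= 2:   # typo or misplaced letter
        findings.append("lookalike-host")
    elif expected_host in host:                   # trusted name used as a prefix
        findings.append("expected-name-embedded")
    else:
        findings.append("unexpected-host")
    return findings

# Constructed sample payloads (hypothetical restaurant, reserved .example TLD).
EXPECTED = "menu.bistro.example"
SAMPLES = [
    "https://menu.bistro.example/menu.pdf",
    "http://menu.bistro.example/menu.pdf",
    "https://menu.bistr0.example/menu.pdf",
    "https://menu.bisrto.example/",
    "https://menu.bistro.example.cdn-host.example/login",
    "https://menu.bistro.example@198.51.100.7/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, EXPECTED) or "ok")
```

A vendor can run the same comparison on a schedule against photos of its own posted codes; any finding other than an empty list means the code on the wall no longer points where it was printed to point.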

How do you feel about QR codes and my recommendations? Let’s discuss below!

Thanks for your time and consideration.