Hacker News

QR code substitution does involve significant in-person risk for the perpetrator. Some patsy has to go around swapping the QR codes on restaurant tables, likely raising some awkward questions from the staff and ending up with their face on multiple security cameras. It's certainly doable, but the risk/reward ratio seems poor compared to ransomware, hacking PoS systems, etc.


Can you elaborate on the perp’s risk/reward analysis?

Imagine a vending machine in a remote area with no hardline data access, and it’s unreliable for the machine to access the phone network. If there’s a QR on the machine, and if the customer has a data signal, then payments can easily be processed by phone and return a code to complete the purchase.

A perp swaps the QR, sends customers to a plausible-looking payment site and steals their buck-and-a-quarter.

It’s fairly easily detected because that machine suddenly stops making money. The perp’s website and payment processing would be subject to subpoena. And this is wire fraud, so a federal crime in the US.

Sufficient risk / insufficient reward?



