They'll get lazy and wont put limits on how fast the QR code scanner can be run, or how many times it can scan a wrong card. People will write smartphone apps to blitz through random QR codes until one works. Call it QR blaster. Shit, I could write one with my eyes closed (hypothetically) if we had a better understanding of the format of the data in the QR codes they're using. How many QR codes will be stolen by man in them middle vulnerabilities? How many will be exfiltrated by people duping a local access point's MAC address and siphoning data via wireshark or something similar? How many will just pay bums to give them fenced cellphones?