Comment by bigfishrunning
7 hours ago
So people scan a QR code, and then enter a secure banking pin? this sounds like a security problem waiting to happen...
The QR code doesn't open a link. It's just "gibberish" text only usable by app that can understand it (e.g. banking apps).
(I don't know anything about UPI, but in Indonesia we use a similar system)
It's not gibberish text.
It's just a URI.
You can add things like &am= to prefill the amount. Merchant transactions have reference IDs and all that stuff.
And that's the problem -- all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.
This is why QR codes, especially ones with complicated encoded URIs, are a security problem. They're very hard for laypeople to audit before doing the wrong thing.
1 reply →
I am Indian and I think what you are saying is correct. It opens up the banking app or in our case the UPI provider's app, so Google Pay, PhonePe, Paytm, BHIM UPI and other such apps.
QR code based payment systems have been widely used across Asia for well over a decade. That doesn't stop randos on HN from middlebrow fear mongering.
It depends on the QR code:
1. Static QR codes displayed by the vendor have the problem you describe.
2. Dynamic QR codes are time limited, have the amount embedded in them along with the destination. These are the ones generated by websites or POS terminals for payment. Most people will only use these at POS terminals, pay and move on.
Fraudulent websites have used static QR codes but I'm told one can dispute the transaction and the amount is usually reversed in a couple of days.
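To make the "it's just a URI" point and the static-vs-dynamic distinction above concrete, here is an added example (not code from anyone in the thread, and not from any UPI app) of how a payment app can treat a scanned QR payload before it ever asks for a PIN. The thread only mentions the &am= amount parameter; the other query names used here (pa for the payee address, pn for the payee name, tr for the merchant reference, cu for the currency) are assumptions based on the commonly documented UPI deep-link format, and the three sample payloads are constructed for the example. The parser refuses anything that is not a upi:// payment URI (so an https link dressed up as a bank page never reaches the PIN step), classifies the request as static (no amount, user must type one) or dynamic (amount and reference embedded), and produces the confirmation text the user should see before entering a PIN.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample payloads, as a QR scanner would hand them to the app.
STATIC_QR = "upi://pay?pa=shop@examplebank&pn=Corner%20Shop&cu=INR"
DYNAMIC_QR = (
    "upi://pay?pa=shop@examplebank&pn=Corner%20Shop"
    "&am=249.00&cu=INR&tr=ORD12345"
)
# A web link that merely looks like a payment request. A real app must not
# open this as a payment, whatever the page behind it looks like.
PHISH_QR = "https://secure-bank-login.example/pay?pa=shop@examplebank&am=249.00"


@dataclass
class PaymentRequest:
    payee_vpa: str            # assumed "pa" parameter: the destination address
    payee_name: str           # assumed "pn" parameter: display name only
    amount: Optional[Decimal] # "am" parameter from the thread: prefilled amount
    reference: Optional[str]  # assumed "tr" parameter: merchant reference ID
    currency: str             # assumed "cu" parameter


def parse_upi_qr(payload: str) -> PaymentRequest:
    """Parse a scanned payload; raise ValueError for anything that is not a
    well-formed UPI payment URI. Only upi://pay?... is accepted."""
    parts = urlsplit(payload)
    if parts.scheme.lower() != "upi":
        raise ValueError(f"not a UPI URI (scheme {parts.scheme!r}); refusing to open")
    if parts.netloc.lower() != "pay":
        raise ValueError(f"unsupported UPI action {parts.netloc!r}")

    # Keep only the first value of each key so duplicated parameters cannot
    # show one amount to the user and another to the payment logic.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

    vpa = query.get("pa", "").strip()
    if "@" not in vpa or any(c.isspace() for c in vpa):
        raise ValueError("missing or malformed payee address")

    amount: Optional[Decimal] = None
    if "am" in query:
        try:
            amount = Decimal(query["am"])
        except InvalidOperation:
            raise ValueError(f"malformed amount {query['am']!r}")
        if not amount.is_finite() or amount <= 0:
            raise ValueError("amount must be a positive number")

    return PaymentRequest(
        payee_vpa=vpa,
        payee_name=query.get("pn", vpa),
        amount=amount,
        reference=query.get("tr") or None,
        currency=query.get("cu", "INR"),
    )


def is_dynamic(req: PaymentRequest) -> bool:
    """Dynamic QR (POS/website generated): amount and reference are embedded.
    Static QR (printed at the shop): the user has to type the amount."""
    return req.amount is not None and req.reference is not None


def classify(payload: str) -> str:
    """Return 'dynamic', 'static', or 'rejected' for a scanned payload."""
    try:
        req = parse_upi_qr(payload)
    except ValueError:
        return "rejected"
    return "dynamic" if is_dynamic(req) else "static"


def confirmation_screen(req: PaymentRequest, typed_amount: Optional[Decimal] = None) -> str:
    """Text the app shows before prompting for the PIN. The payee address, not
    just the friendly name, is always displayed so the user can audit it."""
    amount = req.amount if req.amount is not None else typed_amount
    if amount is None:
        raise ValueError("static QR: amount must be entered before continuing")
    lines = [
        f"Pay {amount} {req.currency}",
        f"To: {req.payee_name} <{req.payee_vpa}>",
    ]
    if req.reference:
        lines.append(f"Merchant reference: {req.reference}")
    lines.append("Enter UPI PIN to confirm")
    return "\n".join(lines)


if __name__ == "__main__":
    for payload in (STATIC_QR, DYNAMIC_QR, PHISH_QR):
        print(payload, "->", classify(payload))
    print(confirmation_screen(parse_upi_qr(DYNAMIC_QR)))
    print(confirmation_screen(parse_upi_qr(STATIC_QR), typed_amount=Decimal("50")))
```

The scheme check is the part that answers the phishing worry in the thread: a QR code whose payload is an https URL is a link to a web page, not a payment request, and a payment app that treats it as one is the bug. The rest is what lets a user audit a static code, since the destination address is shown, not only a name the QR author chose.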