Comment by porridgeraisin
9 hours ago
It's not gibberish text.
It's just a URI.
upi://pay?pa=payeeID&pn=payeeName
You can add things like &am= to prefill the amount. Merchant txns have reference IDs and all that stuff.
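As an added example (not code from the comment above, nor from any UPI app or PSP), here is a small parser for the upi://pay link format the comment describes. The keys pa, pn and am come from the comment; the other keys it accepts (cu, tn, tr, tid, mc, url) are the ones I recall from the NPCI UPI deep-link spec and are an assumption here. The sample link is constructed. It rejects the things a payment app should not act on: a non-upi scheme, an action other than pay, repeated or unknown query keys, a malformed payee address, and an amount that is not a positive decimal with at most two places.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl, urlsplit

# pa, pn and am are named in the comment above. The remaining keys are the
# other UPI deep-link parameters as I recall them from the NPCI spec; treat
# that set as an assumption for this example, not something the thread states.
KNOWN_KEYS = {"pa", "pn", "am", "cu", "tn", "tr", "tid", "mc", "url"}

# A VPA looks like handle@psp (e.g. shop@okaxis). Permissive, but rejects obvious junk.
VPA_RE = re.compile(r"^[A-Za-z0-9._-]{2,}@[A-Za-z][A-Za-z0-9]{1,}$")


def parse_upi_pay_link(uri: str) -> dict:
    """Parse a upi://pay?... link into validated fields.

    Raises ValueError on anything that is not a well-formed pay intent:
    wrong scheme or action, duplicate or unknown query keys, a bad payee
    address, a non-INR currency, or an amount that is not a positive
    decimal with at most two fractional digits.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "upi":
        raise ValueError(f"not a upi: link (scheme={parts.scheme!r})")
    # urlsplit treats 'pay' in upi://pay?... as the netloc; tolerate a path form too.
    action = (parts.netloc or parts.path).strip("/").lower()
    if action != "pay":
        raise ValueError(f"unsupported UPI action {action!r}")

    fields = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        key = key.lower()
        if key in fields:
            # Repeated keys are how parameter-pollution tricks get a second amount in.
            raise ValueError(f"duplicate query key {key!r}")
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown query key {key!r}")
        fields[key] = value

    # pa is the only mandatory field: without a payee address there is nothing to pay.
    pa = fields.get("pa", "")
    if not VPA_RE.match(pa):
        raise ValueError(f"bad payee address {pa!r}")

    if "am" in fields:
        try:
            amount = Decimal(fields["am"])
        except InvalidOperation:
            raise ValueError(f"bad amount {fields['am']!r}") from None
        # is_finite() first: NaN/Infinity have a non-numeric exponent in as_tuple().
        if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
            raise ValueError(f"amount out of range or too precise: {amount}")
        fields["am"] = amount

    if fields.get("cu", "INR") != "INR":
        raise ValueError(f"unsupported currency {fields['cu']!r}")

    return fields


def is_valid_pay_link(uri: str) -> bool:
    """Convenience wrapper: True if parse_upi_pay_link accepts the link."""
    try:
        parse_upi_pay_link(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample link in the shape the comment describes.
    print(parse_upi_pay_link("upi://pay?pa=shop@okaxis&pn=Corner%20Shop&am=150.00"))
```

The parser deliberately fails closed on unknown keys rather than ignoring them; a real app may need to be more lenient, but for a QR payload a reader only sees after scanning, refusing anything outside the expected shape is the safer default.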
And that's the problem -- all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.
This is why QR codes, especially ones with complicated encoded URIs, are a security problem. They're very hard for laypeople to audit before doing the wrong thing.
No. You don't scan the QR with your camera or whatever. You open the app and scan it inside there. And there's no website. Only mobile apps on devices where attestation and full device/SIM binding is possible are allowed. The SIM has to match the one you registered with your bank as well.
The client only talks to the payment service provider's server, which checks attestation, and only those few approved PSPs can talk to the NPCI server. And only the NPCI server can talk to banks.
> all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.
It is not how any of this works. But sure, keep up the uninformed fear mongering.