
Comment by bigfishrunning

7 hours ago

> And that's the problem -- all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.

> This is why QR codes, especially ones with complicated encoded URIs, are a security problem. They're very hard for laypeople to audit before doing the wrong thing.

No. You don't scan the QR with your camera or whatever. You open the app and scan it inside there. And there's no website. Only mobile apps on devices where attestation and full device/SIM binding is possible are allowed. The SIM has to match the one you registered with your bank as well. And once you register (which involves 2FA with your bank), the device/app identity is frozen. And then there is a transaction-time secret, which is your 6-digit UPI PIN. Obviously, just knowing someone's PIN is useless - I know all my close friends' PINs. It's just 6 digits after all. Even 4 is allowed. This is checked at the end of the line in the bank's server.

The client only talks to the payment service provider server, which checks attestation, and only those few approved PSPs can talk to the NPCI server. And only the NPCI server can talk to banks.

The core code used by all the PSPs is the same: there is a common SDK that they have to use to be approved. There is a common test suite for the server side as well, which each PSP has to pass for certification.

PSPs like Google Pay that aren't banks themselves are called TPAPs, and they have to first partner with a willing bank. So you get TPAP client -> TPAP server -> partner bank server -> NPCI in the chain above. This is mostly for regulatory reasons.

> all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.

It is not how any of this works. But sure, keep up the uninformed fear mongering.
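The chain the comment describes (app -> PSP server -> central switch -> bank, with the device/SIM binding frozen at registration and the PIN checked only at the bank) as a toy Python model. This is an added illustration, not code from the comment, NPCI or any PSP: the class and field names, the HMAC-over-a-device-key stand-in for hardware attestation, the PBKDF2 PIN hashing and the constructed scenarios (a phished PIN with no bound device, a SIM swap, a cloned device, a wrong PIN, a re-bind attempt, an unapproved PSP) are all assumptions made for the example.

```python
# Added toy model of the UPI-style chain described in the comment; not NPCI/PSP code.
# Names, the HMAC "attestation" stand-in and all scenarios are assumptions.
import hashlib
import hmac
import os
import secrets


class Bank:
    """Holds accounts; the only party that ever sees and verifies the PIN."""

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _pin_hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def open_account(self, account_id, pin, balance):
        salt = os.urandom(16)
        self.accounts[account_id] = {"salt": salt, "pin_hash": self._pin_hash(pin, salt),
                                     "balance": balance}

    def debit(self, account_id, pin, amount):
        acct = self.accounts[account_id]
        if not hmac.compare_digest(self._pin_hash(pin, acct["salt"]), acct["pin_hash"]):
            return "REJECTED_BAD_PIN"        # PIN is checked here, at the end of the line
        if acct["balance"] < amount:
            return "REJECTED_INSUFFICIENT_FUNDS"
        acct["balance"] -= amount
        return "OK"


class Switch:
    """Stand-in for the central switch: only approved PSPs can reach a bank."""

    def __init__(self, banks, approved_psps):
        self.banks, self.approved_psps = banks, set(approved_psps)

    def route(self, psp_id, bank_id, account_id, pin, amount):
        if psp_id not in self.approved_psps:
            return "REJECTED_UNAPPROVED_PSP"
        return self.banks[bank_id].debit(account_id, pin, amount)


class Device:
    """The phone app: identity is (device_id, sim_id) plus a per-device secret
    key standing in for hardware attestation. The PIN is typed per transaction."""

    def __init__(self, device_id, sim_id):
        self.device_id, self.sim_id = device_id, sim_id
        self.key = secrets.token_bytes(32)

    def sign(self, account_id, amount, nonce):
        msg = f"{self.device_id}|{self.sim_id}|{account_id}|{amount}|{nonce}".encode()
        return hmac.new(self.key, msg, "sha256").digest()


class PSP:
    """PSP server: checks device binding and attestation, never the PIN."""

    def __init__(self, psp_id, switch):
        self.psp_id, self.switch = psp_id, switch
        self.registrations = {}              # account_id -> frozen device binding

    def register(self, device, account_id, bank_id, second_factor_ok):
        if not second_factor_ok:             # registration requires 2FA with the bank
            return "REJECTED_2FA"
        if account_id in self.registrations:
            return "REJECTED_ALREADY_BOUND"  # identity is frozen after first registration
        self.registrations[account_id] = {"device_id": device.device_id, "sim_id": device.sim_id,
                                          "key": device.key, "bank_id": bank_id}
        return "OK"

    def pay(self, device, account_id, pin, amount):
        reg = self.registrations.get(account_id)
        if reg is None or reg["device_id"] != device.device_id:
            return "REJECTED_UNREGISTERED_DEVICE"
        if reg["sim_id"] != device.sim_id:
            return "REJECTED_SIM_MISMATCH"
        nonce = secrets.token_hex(8)         # fresh per request, so signatures can't be replayed
        msg = f"{device.device_id}|{device.sim_id}|{account_id}|{amount}|{nonce}".encode()
        expected = hmac.new(reg["key"], msg, "sha256").digest()
        if not hmac.compare_digest(device.sign(account_id, amount, nonce), expected):
            return "REJECTED_ATTESTATION"
        return self.switch.route(self.psp_id, reg["bank_id"], account_id, pin, amount)


def run_scenarios():
    """Constructed scenarios; returns a dict of outcome codes for inspection."""
    bank = Bank()
    bank.open_account("alice", "482913", balance=1000)
    switch = Switch({"bankA": bank}, approved_psps={"psp1"})
    psp, rogue = PSP("psp1", switch), PSP("rogue", switch)   # "rogue" was never approved
    phone = Device("dev-alice", "sim-alice")
    r = {"register": psp.register(phone, "alice", "bankA", second_factor_ok=True)}
    r["genuine"] = psp.pay(phone, "alice", "482913", 100)
    # attacker knows the PIN (say, via a look-alike site) but has no bound device
    r["phished_pin"] = psp.pay(Device("dev-evil", "sim-evil"), "alice", "482913", 100)
    swapped = Device("dev-alice", "sim-other"); swapped.key = phone.key   # same phone, new SIM
    r["sim_swap"] = psp.pay(swapped, "alice", "482913", 100)
    r["cloned_ids"] = psp.pay(Device("dev-alice", "sim-alice"), "alice", "482913", 100)
    r["wrong_pin"] = psp.pay(phone, "alice", "000000", 100)   # only the bank rejects this
    r["rebind"] = psp.register(Device("dev-evil", "sim-evil"), "alice", "bankA", True)
    rogue.register(phone, "alice", "bankA", True)
    r["rogue_psp"] = rogue.pay(phone, "alice", "482913", 100)
    r["balance"] = bank.accounts["alice"]["balance"]
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13} {outcome}")
```

The point the model makes is that the PIN alone buys an attacker nothing: every request that does not come from the registered device with the registered SIM and its attestation key is rejected at the PSP, before the PIN is ever looked at, and a wrong PIN on a genuine device is rejected only by the bank at the end of the chain. A real deployment would use a hardware-backed key and platform attestation rather than a shared HMAC key, and would rate-limit PIN attempts at the bank.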