So people scan a QR code, and then enter a secure banking PIN? This sounds like a security problem waiting to happen...
reply
The QR code doesn't open a link. It's just "gibberish" text only usable by an app that can understand it (e.g. banking apps).

(I don't know anything about UPI, but in Indonesia we use a similar system)

reply
It's not gibberish text.

It's just a URI.

  upi://pay?pa=payeeID&pn=payeeName

You can add things like &am= to prefill the amount. Merchant txns have reference IDs and all that stuff.
reply
And that's the problem -- all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.

This is why QR codes, especially ones with complicated encoded URIs, are a security problem. They're very hard for laypeople to audit before doing the wrong thing.

reply
I am Indian and I think what you are saying is correct. It opens up the banking app, or in our case the UPI provider's app, so like Google Pay, PhonePe, Paytm, BHIM UPI and other such apps.
reply
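The distinction argued over in this thread, shown as an added example that is not part of any comment: a scanner can decode the QR text and show what it actually is (a `upi://pay` intent with its payee fields, or a web link) before anything is opened. The parameter names `pa`, `pn` and `am` come from the thread; the function name, the warning wording and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names quoted in the thread; the human-readable labels are ours.
LABELS = {"pa": "payee ID", "pn": "payee name", "am": "amount"}


def inspect_qr_payload(payload: str) -> dict:
    """Classify decoded QR text and return what the user should see before acting."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme == "upi":
        # The thread shows the form upi://pay?...; anything else is flagged.
        if parts.netloc.lower() != "pay":
            return {"kind": "upi-unknown", "fields": {},
                    "warnings": [f"unrecognised UPI action {parts.netloc!r}"]}
        params = parse_qs(parts.query, keep_blank_values=True)
        fields, warnings = {}, []
        for key, label in LABELS.items():
            values = params.get(key, [])
            if len(values) > 1:
                # Two payees or amounts make the displayed value ambiguous.
                warnings.append(f"duplicate {key} parameter")
            if values:
                fields[label] = values[0]
        if not fields.get("payee ID"):
            warnings.append("missing payee ID (pa)")
        return {"kind": "upi-pay", "fields": fields, "warnings": warnings}

    if scheme in ("http", "https"):
        # A web link opens in a browser, not in the payment app.
        return {"kind": "web-link", "fields": {"host": parts.hostname},
                "warnings": ["opens a website, not a payment app"]}

    return {"kind": "other", "fields": {},
            "warnings": ["not a UPI payment URI or web link"]}


if __name__ == "__main__":
    # Constructed sample payloads.
    for sample in ("upi://pay?pa=shop@examplebank&pn=Corner%20Shop&am=150.00",
                   "https://upi-pay.example/login?pa=shop@examplebank",
                   "upi://pay?pa=a@examplebank&pa=b@examplebank"):
        print(sample, "->", inspect_qr_payload(sample))
```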