And that's the problem -- all i have to do is come up with a website that looks enough like your banking app, and get you to scan the uri to that website, and that'll trick you into giving me your pin.

this is why QR codes, especially ones with complicated encoded uris, are a security problem. they're very hard for leypeople to audit before doing the wrong thing