Author

Topic: Payment QR codes: a Potential for Abuse? (Read 2262 times)

hero member
Activity: 868
Merit: 1000
March 04, 2013, 05:17:12 PM
#14
I have noticed that some QR codes presented by merchants for payment encode not only the destination address, but the amount of the transaction. This is, I am sure, meant to be a convenience for the buyer. However, it would be quite easy for an unscrupulous operator to encode some much higher amount than the legitimate price into the QR code, thus scamming an unwary customer. In a system wherein charges are difficult to reverse, and wherein many wallet programs lack a confirmation dialogue box, it would behoove all to be wary..

A customer should always double check his receipt before he leaves to make sure everything is right.
qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
tl;dr: people don't care about fraud with petty cash.


Just wanted to toss in my own 0.02 btc:

A while ago i spent a couple weeks in Hong Kong, and got used to a nifty little thingy called the Octopus Card.
Basically, a contact-less prepaid debit card for petty cash. You could use that thing just about anywhere, the underground, busses, McDonald's, vending machines, you name it.

And you know what? Nobody, literally not a single person (including myself) ever bothered even looking at what amount got charged. With minor amounts, you just don't care, the comfort of "it just works" outweighs whatever risk of fraud there might have been.
newbie
Activity: 19
Merit: 0
The QR code in question was used by Bitmit (note: I am not accusing them of anything; the amount encoded was in this case the correct one.) The wallet software was Andreas Schildbach's Android app. Perhaps a confirmation screen in said software would be a good patch.

I honestly don't see Bitcoin transactions happening in brick-and-mortar businesses. The time to clear a transaction is just too long. This is not a problem for online businesses, however.

There's a nice bit about that in the Wiki:

https://en.bitcoin.it/wiki/Myths#Point_of_sale_with_bitcoins_isn.27t_possible_because_of_the_10_minute_wait_for_confirmation.

Basically, for purchases of modest value, it is considered reasonably safe to go through with the physical transaction without any confirmations, just watching for the transaction and any double-spends. Getting away with a double-spend in those conditions is difficult enough that nobody would bother to do it just for something worth significantly less than, say, the current block reward.
legendary
Activity: 1526
Merit: 1134
There is a confirmation screen in that app, and there has always been one. How did you manage to go direct from scanning a QRcode to sending a transaction?
full member
Activity: 122
Merit: 100
The QR code in question was used by Bitmit (note: I am not accusing them of anything; the amount encoded was in this case the correct one.) The wallet software was Andreas Schildbach's Android app. Perhaps a confirmation screen in said software would be a good patch.

I honestly don't see Bitcoin transactions happening in brick-and-mortar businesses. The time to clear a transaction is just too long. This is not a problem for online businesses, however.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
March 01, 2013, 01:51:11 PM
#9
QR code behind the register, or electronically displayed each time. Can't cover what you can't get at.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
March 01, 2013, 01:50:07 PM
#8
Perhaps i am missing something? But wouldn't you see that your balance is incorrect as soon as you pay?
member
Activity: 112
Merit: 10
Admin at blockbet.net
March 01, 2013, 01:44:15 PM
#7
One other kind of abuse with the QR codes is simply replacing the code with another one, without anyone noticing. Imagine a store cashier that has a QR code somewhere, an attacker will only need to distract the clerk for a second and then put a sticker of his own Bitcoin QR code on top of the store's QR code. No-one will know the difference until a few bitcoin have disappeared, and the thief will be gone by then.

I also really would like a system that would ask me for a password when dealing with large amounts. I need to maintain a fair number of bitcoins on my hot wallet, make a lot of transactions daily, and even if I'm very careful, it's only a matter of time when I'll accidentally send 17 bitcoins to somebody instead of 1.7.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
March 01, 2013, 05:38:45 AM
#6
I agree. The only place where I* encode amounts in my QR code is at http://pay.thebutterzone.com - so you see the exchange rate, put in the USD amount, it converts it to BTC and regens the QR. You can double-check the math if you want.

*or rather, my host, which does allow the setting of a commission, that I left at 0.
full member
Activity: 200
Merit: 104
Software design and user experience.
March 01, 2013, 02:57:32 AM
#5
An idea: the wallet app may keep in memory a collection of decrypted keys for a total amount "up to 10 BTC" (configurable), that can be used to pay without entering the password. If you want to pay more, you enter the password. So for regular small payments, you won't be bothered with a password and don't need to triple-check the amount. For larger payments, a password request will pop up which will make you more careful. So, if you are buying a sandwich for 34 BTC instead of 34 mBTC, then you will get an unexpected dialog box: "You are about to spend 34 000 mBTC, please confirm with a password". "mBTC" can be used to bring extra attention to the amount ("why is it so big?! ah, okay, it's correct"), but, admittedly, can be very confusing until people get used to mBTC in daily operations.

This is equivalent to using two separate wallets, but more convenient.
legendary
Activity: 4536
Merit: 3188
Vile Vixen and Miss Bitcointalk 2021-2023
March 01, 2013, 12:44:43 AM
#4
many wallet programs lack a confirmation dialogue box
Citation needed. No wallet software that I know of will execute a payment from a URI without clearly displaying the amount and address and requiring some form of confirmation from the user.
newbie
Activity: 39
Merit: 0
February 28, 2013, 11:15:45 PM
#3
I have noticed that some QR codes presented by merchants for payment encode not only the destination address, but the amount of the transaction. This is, I am sure, meant to be a convenience for the buyer. However, it would be quite easy for an unscrupulous operator to encode some much higher amount than the legitimate price into the QR code, thus scamming an unwary customer. In a system wherein charges are difficult to reverse, and wherein many wallet programs lack a confirmation dialogue box, it would behoove all to be wary..

Can you show an example of this?
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 28, 2013, 11:12:49 PM
#2
Fundamentally, I think it's silly to keep a wallet balance on a computer.  The way I see it, this is asking to get cleaned out.

For me, this would never trip me up, because I never have BTC online in any amount other than what I'm about to transact right then and there.  So if I'm about to spend 1 BTC and a merchant trips me up with a code that baits me into paying 100 BTC, I will see "insufficient funds".  That's because I will only have imported 1 (or slightly more than 1) BTC from paper wallets before making that transaction.
full member
Activity: 122
Merit: 100
February 28, 2013, 11:05:39 PM
#1
I have noticed that some QR codes presented by merchants for payment encode not only the destination address, but the amount of the transaction. This is, I am sure, meant to be a convenience for the buyer. However, it would be quite easy for an unscrupulous operator to encode some much higher amount than the legitimate price into the QR code, thus scamming an unwary customer. In a system wherein charges are difficult to reverse, and wherein many wallet programs lack a confirmation dialogue box, it would behoove all to be wary..
Jump to: