
On SGQR, Singapore's unified QR code payment system - cow9
https://tongwing.woon.sg/blog/on-sgqr-code/
======
0vermorrow
Also on a related note woth mentioning is Poland's BLIK[0] it's a very nice
system based on generated one-time codes that are confirmed via your mobile
device.

It works for online payments, ATM withdrawals and even in brick & mortar
shops.

The flow for online looks like this:

1\. Go to the Payments / billing page.

2\. It is almost prevalent now that you just see a BLIK input box immediately,
and the other standard "pick your payment options" box below.

3\. Fire up your bank's mobile app, navigate to the BLIK tab (normally a swipe
away), grab the 6 digits (or copy)

4\. Put them in the box (or paste)

5\. Press OK on your mobile device (you can even 'trust' your browser after
succesful payment, such that you don't have to confirm the next payments on
your mobile device with some monetary limits).

6\. Done.

It usually takes less than 30 seconds to do all of this. No need to put your
CC details or anything in.

[0] -
[https://polskistandardplatnosci.pl/en/](https://polskistandardplatnosci.pl/en/)

[more-info] - [https://www.ppro.com/wp-
content/uploads/dlm_uploads/2018/04/...](https://www.ppro.com/wp-
content/uploads/dlm_uploads/2018/04/ps_blik_170808_web.pdf)
[https://www.finextra.com/pressarticle/71555/blik-becomes-
the...](https://www.finextra.com/pressarticle/71555/blik-becomes-the-first-
non-card-payment-scheme-in-poland)

~~~
CaptainZapp
I don't get it.

Paying contactless with my card takes 2 seconds, max.

And I'm not adding an additional layer, introducing yet more possibilities for
things going wrong, into the payment process.

Honestly, I don't mean to be snarky. I just don't see the appeal of those
apps.

~~~
0vermorrow
Again, it's mainly for online payments, the others are an addition, and a
welcomed one at that if you forget your card (or don't have Google / Apple
Pay) when you're out somewhere.

------
hultner
We had/have a similar system in Sweden called SEQR[1] (pronounced secure)
which were launched back in 2011 but it never took off widely. However a
couple of years later, Swish[2], a similar system by the large banks using
phone numbers as the identifier instead (recently launched QR codes as well).
Unlike SEQR Swish took off big time in Sweden and is used by roughly 65% of
all Swedes.

An interesting side note is that Swish originally focused on easy instant
transfers between friends while SEQR focused on mobile payments in stores. The
"winner" Swish only started supporting payments in stores officially quite
recently and it's still not nearly as widely adopted as SEQR was. Basically,
any checkout machine in any large store supported SEQR but very few knew what
it was and even the cashiers were often surprised that the feature existed if
you tried to use it.

[1] [https://www.seqr.com/](https://www.seqr.com/)

[2]
[https://en.wikipedia.org/wiki/Swish_(payment)](https://en.wikipedia.org/wiki/Swish_\(payment\))

------
Uberphallus
> • SCAN the SGQR and check the merchant name

> • PAY the correct amount

Visual verification by users is bad news. Malicious users may register with
letters that have similar or identical glyphs to that of a real merchant. E.g.
eBay vs еВау. Leaving aside typos, multiple possible transliterations,
punctuation; overall it's a shitstream of headaches and possible attacks.

~~~
freddie_mercury
Singapore has been using QR codes for a long time, with just one wallet
provider having over 1.2 million monthly QR code transactions.

Can you point to news articles of people being scammed via the methods you
describe?

~~~
Uberphallus
[https://www.channelnewsasia.com/news/technology/scan-or-
scam...](https://www.channelnewsasia.com/news/technology/scan-or-scam-why-you-
should-think-before-you-use-a-qr-code-9506310)

~~~
freddie_mercury
"In response to queries, the Cyber Security Agency of Singapore (CSA) said
SingCERT has not received reports of malicious QR codes in Singapore."

So not a single case in tens of millions transactions. Seems like no point in
posting since it isn't actually a problem in practice.

It is also clear that it is only really a problem for the vendor, who doesn't
receive the money, not the customer, who already has the service/product.

~~~
Uberphallus
> So not a single case in tens of millions transactions

Citation needed. And I doubt it given that it's working since Monday.

Also to take into account that Singapore is basically a city, so as a sample
it's not very representative.

~~~
freddie_mercury
Singapore has been using QR codes for years, not just since Monday.

~~~
Uberphallus
The one we're talking about is since Monday. There are others in place,
displayed in tablets/screens, dynamically generated and cryptographically
secure. This is printed, like the fraud-ridden Chinese codes, so it's
vulnerable to the "sticker attack".

------
nayuki
I noticed that the QR Code for this payment method is unusually large. The
underlying text string is quite long compared to the strings for things like
Bitcoin addresses, social media profile URLs, etc.

~~~
jhanschoo
The article observes that there is considerable metadata encoded in the QR
code itself, as opposed to, say, a single hash that needs to be xross-checked
with a unified database.

------
jaxondu
The bigger announcement along side the launch of SGQR is the openning up of
FAST, electronic inter-bank transfer, to fintech and non-banks companies.

~~~
sohkamyung
I'm currently using NETSPay [1] in Singapore to do e-transactions.

It's a bit cumbersome at the moment; most shops assume I'm using NFC to pay
(which I think is the default option) but my cheap Xiaomi android phone
doesn't have NFC, so I have to ask them to print out or display the QR code
for me to scan using the app.

Other than that, it works: once scanned, the transaction completes within
seconds.

[1]
[https://www.nets.com.sg/consumer/products/netspay](https://www.nets.com.sg/consumer/products/netspay)

~~~
angelsl
You should explicitly say that you wish to pay by "NETS QR". Otherwise they
assume you mean by card or NFC.

------
lessclue
On a related note, India's UPI[1] and Australia's NPP[2].

[1]
[https://en.wikipedia.org/wiki/Unified_Payments_Interface](https://en.wikipedia.org/wiki/Unified_Payments_Interface)

[2]
[https://en.wikipedia.org/wiki/New_Payments_Platform](https://en.wikipedia.org/wiki/New_Payments_Platform)

------
zimbatm
Ideally the merchants only need a bank account, not to sign up with all these
apps that try to control the market. The client would use inter-banking
payments to send the money and voila.

~~~
bsaul
except payment apps are not only for payment. With wechat you can order in
restaurants as well by sending the qr code of your table. Paiement is only one
way the smartphone is entering the shopping experience but it’s very likely
those apps will enable much much more than what a banking app will.

------
adrianratnapala
A city states, gotta do what city states do:
[https://en.wikipedia.org/wiki/SPQR](https://en.wikipedia.org/wiki/SPQR)

~~~
cow9
SPQR refers to something totally different.. the article is on SGQR, the newly
adopted QR code for e-payment in Singapore

~~~
opportune
gotato, potato

