Also, on a related note, worth mentioning is Poland's BLIK[0]. It's a very nice system based on generated one-time codes that are confirmed via your mobile device.
It works for online payments, ATM withdrawals and even in brick & mortar shops.
The flow for online looks like this:
1. Go to the Payments / billing page.
2. It is almost prevalent now that you just see a BLIK input box immediately, and the other standard "pick your payment options" box below.
3. Fire up your bank's mobile app, navigate to the BLIK tab (normally a swipe away), grab the 6 digits (or copy)
4. Put them in the box (or paste)
5. Press OK on your mobile device (you can even 'trust' your browser after successful payment, such that you don't have to confirm the next payments on your mobile device with some monetary limits).
6. Done.
It usually takes less than 30 seconds to do all of this. No need to put your CC details or anything in.
Again, it's mainly for online payments, the others are an addition, and a welcomed one at that if you forget your card (or don't have Google / Apple Pay) when you're out somewhere.
This is called "Twint" in Switzerland. When paying online, scan a QR code, done. You can also send cash to people with name + phone number. It's great.
- the biggest Polish banks (whose initiative this was) support it, and the ATMs (Euronet included) usually have that as an option.
- ALL of the Polish payment providers / gateways support BLIK.
- Poland is quite infamous for supporting contactless payments [0] and most of the POS terminals support BLIK as well.
- For merchants it also makes sense as there are no chargebacks.
I do concede that for BLIK vs. contactless payments in the brick & mortar shop the latter always would win for quick payments, but why does it seem high friction to you?
We had/have a similar system in Sweden called SEQR[1] (pronounced secure) which was launched back in 2011, but it never took off widely. However, a couple of years later came Swish[2], a similar system by the large banks using phone numbers as the identifier instead (recently launched QR codes as well). Unlike SEQR, Swish took off big time in Sweden and is used by roughly 65% of all Swedes.
An interesting side note is that Swish originally focused on easy instant transfers between friends while SEQR focused on mobile payments in stores. The "winner" Swish only started supporting payments in stores officially quite recently and it's still not nearly as widely adopted as SEQR was. Basically, any checkout machine in any large store supported SEQR but very few knew what it was and even the cashiers were often surprised that the feature existed if you tried to use it.
Visual verification by users is bad news. Malicious users may register with letters that have similar or identical glyphs to that of a real merchant. E.g. eBay vs еВау. Leaving aside typos, multiple possible transliterations, punctuation; overall it's a shitstream of headaches and possible attacks.
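A registration-time check for the look-alike merchant names described in the comment above, added here as an example and not part of the original thread. The confusables table is a small constructed subset and the merchant registry is sample data; both are assumptions.

```python
import unicodedata

# Constructed subset of a confusables table (assumption): Cyrillic letters that
# render like Latin ones. A production check would load the full Unicode
# confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0410": "A",
    "\u0412": "B", "\u0415": "E", "\u041e": "O", "\u0420": "P",
}


def skeleton(name):
    """Reduce a display name to a form where look-alike names compare equal."""
    folded = unicodedata.normalize("NFKC", name)
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    # Drop spaces and punctuation so "e-Bay" and "eBay" collide too.
    return "".join(ch for ch in mapped if ch.isalnum()).casefold()


def scripts(name):
    """Scripts used by the letters, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}


def check_registration(candidate, registered):
    """Return (verdict, conflicting_name) for a new merchant display name."""
    for existing in registered:
        if candidate == existing:
            return ("duplicate", existing)
        if skeleton(candidate) == skeleton(existing):
            return ("confusable", existing)
    if len(scripts(candidate)) > 1:
        return ("mixed-script", None)
    return ("ok", None)


if __name__ == "__main__":
    registered = ["eBay", "Allegro"]  # constructed sample registry
    for name in ["\u0435\u0412\u0430\u0443", "e-Bay", "K\u0430fe Nero", "Zabka"]:
        print(repr(name), check_registration(name, registered))
```

The all-Cyrillic name is caught only by the skeleton comparison, since a single-script string passes a mixed-script test.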
"In response to queries, the Cyber Security Agency of Singapore (CSA) said SingCERT has not received reports of malicious QR codes in Singapore."
So not a single case in tens of millions of transactions. Seems like no point in posting since it isn't actually a problem in practice.
It is also clear that it is only really a problem for the vendor, who doesn't receive the money, not the customer, who already has the service/product.
The one we're talking about is since Monday. There are others in place, displayed in tablets/screens, dynamically generated and cryptographically secure. This is printed, like the fraud-ridden Chinese codes, so it's vulnerable to the "sticker attack".
I noticed that the QR Code for this payment method is unusually large. The underlying text string is quite long compared to the strings for things like Bitcoin addresses, social media profile URLs, etc.
The article observes that there is considerable metadata encoded in the QR code itself, as opposed to, say, a single hash that needs to be cross-checked with a unified database.
I'm currently using NETSPay [1] in Singapore to do e-transactions.
It's a bit cumbersome at the moment; most shops assume I'm using NFC to pay (which I think is the default option) but my cheap Xiaomi Android phone doesn't have NFC, so I have to ask them to print out or display the QR code for me to scan using the app.
Other than that, it works: once scanned, the transaction completes within seconds.
Ideally the merchants only need a bank account, not to sign up with all these apps that try to control the market. The client would use inter-banking payments to send the money and voila.
Except payment apps are not only for payment. With WeChat you can order in restaurants as well by sending the QR code of your table.
Payment is only one way the smartphone is entering the shopping experience, but it’s very likely those apps will enable much, much more than what a banking app will.
[0] - https://polskistandardplatnosci.pl/en/
[more-info] - https://www.ppro.com/wp-content/uploads/dlm_uploads/2018/04/... https://www.finextra.com/pressarticle/71555/blik-becomes-the...