On SGQR, Singapore's unified QR code payment system (tongwing.woon.sg)
58 points by cow9 on Sept 20, 2018 | 30 comments

Also, on a related note, worth mentioning is Poland's BLIK[0]; it's a very nice system based on generated one-time codes that are confirmed via your mobile device.

It works for online payments, ATM withdrawals and even in brick & mortar shops.

The flow for online looks like this:

1. Go to the Payments / billing page.

2. It is almost prevalent now that you just see a BLIK input box immediately, and the other standard "pick your payment options" box below.

3. Fire up your bank's mobile app, navigate to the BLIK tab (normally a swipe away), grab the 6 digits (or copy)

4. Put them in the box (or paste)

5. Press OK on your mobile device (you can even 'trust' your browser after successful payment, such that you don't have to confirm the next payments on your mobile device with some monetary limits).

6. Done.

It usually takes less than 30 seconds to do all of this. No need to put your CC details or anything in.

[0] - https://polskistandardplatnosci.pl/en/

[more-info] - https://www.ppro.com/wp-content/uploads/dlm_uploads/2018/04/... https://www.finextra.com/pressarticle/71555/blik-becomes-the...

I don't get it.

Paying contactless with my card takes 2 seconds, max.

And I'm not adding an additional layer, introducing yet more possibilities for things going wrong, into the payment process.

Honestly, I don't mean to be snarky. I just don't see the appeal of those apps.

Again, it's mainly for online payments, the others are an addition, and a welcomed one at that if you forget your card (or don't have Google / Apple Pay) when you're out somewhere.

Yeah, but that's only on real stores, not online?

This is called "Twint" in Switzerland. When paying online, scan a QR code, done. You can also send cash to people with name + phone number. It's great.

They also have beacons (probably NFC) in stores that you can scan and pay with the phone.

Whoa. That's awesome. I'm Polish and I've never heard of it.

That seems very high friction. Is it well accepted?

It is quite well accepted, as in:

- the biggest Polish banks (whose initiative this was) support it, and the ATMs (Euronet included) usually have that as an option.

- ALL of the Polish payment providers / gateways support BLIK.

- Poland is quite infamous for supporting contactless payments [0] and most of the POS terminals support BLIK as well.

- For merchants it also makes sense as there are no chargebacks.

I do concede that for BLIK vs. contactless payments in the brick & mortar shop the latter always would win for quick payments, but why does it seem high friction to you?

[0] - https://zalewskiconsulting.pl/mastercard-poles-love-contactl... and also Android / Google / Apple Pay

We had/have a similar system in Sweden called SEQR[1] (pronounced secure) which was launched back in 2011 but it never took off widely. However, a couple of years later, Swish[2], a similar system by the large banks using phone numbers as the identifier instead (recently launched QR codes as well). Unlike SEQR, Swish took off big time in Sweden and is used by roughly 65% of all Swedes.

An interesting side note is that Swish originally focused on easy instant transfers between friends while SEQR focused on mobile payments in stores. The "winner" Swish only started supporting payments in stores officially quite recently and it's still not nearly as widely adopted as SEQR was. Basically, any checkout machine in any large store supported SEQR but very few knew what it was and even the cashiers were often surprised that the feature existed if you tried to use it.

[1] https://www.seqr.com/

[2] https://en.wikipedia.org/wiki/Swish_(payment)

> • SCAN the SGQR and check the merchant name

> • PAY the correct amount

Visual verification by users is bad news. Malicious users may register with letters that have similar or identical glyphs to that of a real merchant. E.g. eBay vs еВау. Leaving aside typos, multiple possible transliterations, punctuation; overall it's a shitstream of headaches and possible attacks.
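The lookalike-name problem raised in the comment above can be screened for when a merchant name is registered, rather than left to the payer's eyes. The following is an added example, not part of the thread or of SGQR: the confusables table is a small constructed subset, and `check_merchant` and the merchant names are hypothetical.

```python
import unicodedata

# Constructed subset for illustration; a real deployment would load the full
# confusables.txt data published with Unicode UTS #39.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0412": "B",  # CYRILLIC CAPITAL LETTER VE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}
LOOKALIKE_SCRIPTS = {"CYRILLIC", "GREEK"}


def skeleton(name):
    """Map each character to its Latin lookalike so visually equal names compare equal."""
    normalized = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def scripts_used(name):
    """Scripts of the letters in name, taken from the first word of each Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}


def check_merchant(candidate, registered):
    """Classify a requested display name against already-registered merchant names."""
    if candidate in registered:
        return ("exact", candidate)
    for existing in registered:
        # Different code points, same rendered shape: the eBay case from the comment.
        if skeleton(candidate) == skeleton(existing):
            return ("lookalike", existing)
    scripts = scripts_used(candidate)
    # Latin mixed with a script full of Latin lookalikes is suspicious on its own.
    if "LATIN" in scripts and scripts & LOOKALIKE_SCRIPTS:
        return ("mixed-script", None)
    return ("ok", None)


if __name__ == "__main__":
    # Constructed input: the all-Cyrillic spelling quoted in the comment.
    print(check_merchant("\u0435\u0412\u0430\u0443", ["eBay"]))
```

The all-Cyrillic spelling from the comment contains no mixed scripts, which is why the skeleton comparison is needed in addition to the script check.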

Singapore has been using QR codes for a long time, with just one wallet provider having over 1.2 million monthly QR code transactions.

Can you point to news articles of people being scammed via the methods you describe?

"In response to queries, the Cyber Security Agency of Singapore (CSA) said SingCERT has not received reports of malicious QR codes in Singapore."

So not a single case in tens of millions transactions. Seems like no point in posting since it isn't actually a problem in practice.

It is also clear that it is only really a problem for the vendor, who doesn't receive the money, not the customer, who already has the service/product.

> So not a single case in tens of millions transactions

Citation needed. And I doubt it given that it's working since Monday.

Also to take into account that Singapore is basically a city, so as a sample it's not very representative.

Singapore has been using QR codes for years, not just since Monday.

The one we're talking about is since Monday. There are others in place, displayed in tablets/screens, dynamically generated and cryptographically secure. This is printed, like the fraud-ridden Chinese codes, so it's vulnerable to the "sticker attack".

I'm from Singapore, what QR code transaction are you talking about? Never heard of it. Are you confusing us with China/WeChat?

And then the user walks up to the nearest ATM, inserts his card and enters his code.

I noticed that the QR Code for this payment method is unusually large. The underlying text string is quite long compared to the strings for things like Bitcoin addresses, social media profile URLs, etc.

The article observes that there is considerable metadata encoded in the QR code itself, as opposed to, say, a single hash that needs to be cross-checked with a unified database.

The bigger announcement alongside the launch of SGQR is the opening up of FAST, electronic inter-bank transfer, to fintech and non-bank companies.

I'm currently using NETSPay [1] in Singapore to do e-transactions.

It's a bit cumbersome at the moment; most shops assume I'm using NFC to pay (which I think is the default option) but my cheap Xiaomi android phone doesn't have NFC, so I have to ask them to print out or display the QR code for me to scan using the app.

Other than that, it works: once scanned, the transaction completes within seconds.

[1] https://www.nets.com.sg/consumer/products/netspay

You should explicitly say that you wish to pay by "NETS QR". Otherwise they assume you mean by card or NFC.

Ideally the merchants only need a bank account, not to sign up with all these apps that try to control the market. The client would use inter-banking payments to send the money and voila.

Except payment apps are not only for payment. With WeChat you can order in restaurants as well by sending the QR code of your table. Payment is only one way the smartphone is entering the shopping experience but it’s very likely those apps will enable much much more than what a banking app will.

A city states, gotta do what city states do: https://en.wikipedia.org/wiki/SPQR

SPQR refers to something totally different.. the article is on SGQR, the newly adopted QR code for e-payment in Singapore

gotato, potato
