QR Code Degenerators: Unmasking a Crypto Scam (zengo.com)
49 points by haasted 54 days ago | 22 comments

Given how ubiquitous QR Codes are these days (I received a letter from my county to pay my property tax via QR code!), it's mind-boggling to me why Google and Apple don't simply add native QR scanning to Android and iOS. Why force us to navigate the minefield of third-party apps for something so easily done in-house?

iOS >= 11 has a native QR code reader in the camera.


EDIT: 12 -> 11 iOS version correction

News to me, thanks! Now I can tell my parents to scrub whatever crap they grabbed from the appstore.

That support document doesn't elaborate the types of codes it can scan, here are the ones I'm aware of:

    URLs -> Safari
    Locations -> Maps
    Contacts -> Contacts
    WiFi SSID/password -> Join network

To reduce confusion more: The QR scanner only works on the camera accessed via the lock screen, but not from the actual "Camera.app"

Just tested and this is not the case. In iOS 12 and iPad OS 13 it definitely works in the camera app launched from home screen.

iOS 11 added this, actually.

QR scanning is in the top menu of Android on my phone ( next to settings, flashlight, mobile data and wifi)

OEM specific I believe. Newer Samsung devices have it as part of the Camera app. Previously, it was an option of Samsung Internet browser.

Google lens can do this too.

I find I have to walk people through it, so iOS/Android UI designers have work to do to make it more discoverable.

Hello there, this is not about a QR code scanner being built into the phone, but about the tool that is used to generate those QR codes. iOS has a native QR reader. Maybe Google and Apple could include a QR generator and improve the reader in a way that makes it easy to verify and read what is scanned.

They do. This is a scam involving generation of QR codes, not reading of QR codes.

I have a QR generator website that has been active for 10 years or more; during the last few years I have had random emails asking me to sell it. I've declined because I don't want to lose the domain. Maybe some of these buyers are motivated by this, not plastering it with AdSense, which I always thought.

I don’t doubt it. I’d never heard of this scam before, but it seems obvious in retrospect.

A simple approach:


Change size as needed.

Plenty of QR code generators, and QR code readers, aren't associated directly with cryptocurrency. It's not hard to create and verify a QR code using software that isn't associated with bitcoin, and so doesn't have a target painted on it for cybercreeps.

The important part is to verify your QR code is correct.

Even if a site isn't branded for cryptography they just have to sit and wait for input that looks like a bitcoin address. They can be old and reputable too - but if somebody buys that website (as has been done with other websites/browser extensions; another user in this thread also reports receiving such offers) there would be no way to know.

Doesn't that sort of reasoning make non-crypto QR resources a good target?

They could behave correctly until they see a wallet address, etc., so creating and verifying using separate means is essential.

It's because of this kind of thing that I don't trust Google anymore.

Personal experience: my landowner wanted me to buy a pair of MBT shoes and found a site named mbtsolde.com (equivalent in English to mbtsales) which offered MBT shoes at a high discount. Upon payment, the site proposed no PayPal or the usual gateways present on French/Belgian e-commerce sites, but instead only traditional credit cards (Mastercard and the like).

I told my landowner I didn't trust the site, adding that PayPal was a good indication of the trust you could grant to an e-commerce site. After further searching, I discovered MBT shoes were subject to scams by Chinese companies impersonating specialised MBT stores and that the issue was nearly ten years old.

For privacy concerns I don't use (or rarely use) Google directly anymore and instead use searx, an open source metasearch engine providing anonymized results from a hundred classic and specialized search engines, like Yandex, Yahoo, Bing, Qwant, Faroo, Google, but also torrent site search engines, Wikipedia and other specialised sites...

It took me another 2 searches with words like "fake mbt shoes" and "how to recognize fake mbt ?" to finally find the real official MBT site and its European shop on a subdomain, in a YANDEX search result. The site even informs the visitor that it put in place a certification to recognize authentic shoes and to find the official local dealer where to buy MBT shoes. On the Google side, most search results were either scam sites, scam blog posts advertising scam sites pretending to inform visitors about fake MBT shoes, or Amazon search results about MBT shoes (which has an endemic counterfeit products issue).

I saw a Shark Tank episode where Chris Sacca described QR codes as the herpes of the Internet. I don't have the same sense of loathing for it that he does, but that phrase stuck in my mind.

I guess most of the alternatives are just as insecure and annoying, or worse. NFC isn't really any better, for instance. Logins and touchscreens are no fun, either.

Hello Everyone. Thanks to whoever posted this. Please post questions about this. We were happy to share it with the community

Ouriel Ohayon CEO, ZenGo

How many wallets are scams on github/app store? That’s the real question
