
devy yesterday at 9:34 PM (4 replies)

I can't believe they are promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human-readable data input is dangerous: if somehow the QR code is compromised with a zero-day URL, it's game over.

Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.

Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.


Replies

xp84 yesterday at 10:30 PM

But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

a2128 today at 12:58 AM

2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this.

classified today at 7:30 AM

Unregulated greed doesn't care if every user gets robbed and their identity stolen.

shit_game yesterday at 11:49 PM

What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.
