Bitcoin Forum
Topic: Payment QR codes: a Potential for Abuse?
Snowfire (OP)
Full Member
Activity: 122
Merit: 100
March 01, 2013, 04:05:39 AM
#1

I have noticed that some QR codes presented by merchants for payment encode not only the destination address, but the amount of the transaction. This is, I am sure, meant to be a convenience for the buyer. However, it would be quite easy for an unscrupulous operator to encode some much higher amount than the legitimate price into the QR code, thus scamming an unwary customer. In a system wherein charges are difficult to reverse, and wherein many wallet programs lack a confirmation dialogue box, it would behoove all to be wary.

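Added example for the point raised in the opening post (this is editorial code, not from the thread or from any wallet it mentions): the kind of QR code being discussed is a BIP 21 `bitcoin:` URI, and the amount inside it is just a query parameter that the wallet, not the merchant, must validate and put in front of the user. The parser below converts the amount to integer satoshi (so 34 and 0.034 can never blur into each other through float rounding), rejects malformed or `req-` parameters, checks the Base58Check checksum of the address, and renders the confirmation line. The URIs are constructed test inputs; the address used is the well-known genesis block address, chosen only because its checksum is known to be valid, and the variant with the last character changed is a constructed typo.

```python
"""BIP 21 payment-URI parsing with the checks a wallet should make before
asking the user to confirm.  Added example, not code from the forum thread
or from any wallet discussed in it.  All inputs are constructed."""
import hashlib
import re
from urllib.parse import parse_qsl

SAT_PER_BTC = 100_000_000
# BIP 21 amount: decimal BTC, at most 8 fractional digits, no sign/exponent.
AMOUNT_RE = re.compile(r"^(\d+)(?:\.(\d{1,8}))?$")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


class PaymentURIError(ValueError):
    """Raised for any URI the wallet must refuse to act on."""


def btc_text_to_sat(text: str) -> int:
    """'1.7' -> 170000000 exactly.  Integer satoshi avoid float surprises when
    the amount is later compared against a limit or displayed."""
    m = AMOUNT_RE.match(text)
    if not m:
        raise PaymentURIError(f"malformed amount {text!r}")
    whole, frac = m.group(1), (m.group(2) or "")
    sat = int(whole) * SAT_PER_BTC + int(frac.ljust(8, "0"))
    if sat == 0:
        raise PaymentURIError("amount must be positive")
    return sat


def base58check_ok(address: str) -> bool:
    """True if the address decodes to 25 bytes whose last 4 bytes equal the
    first 4 bytes of double-SHA256 over the first 21 (P2PKH/P2SH encoding).
    This catches a mangled or mis-scanned address, not a swapped one."""
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_ones = len(address) - len(address.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def parse_payment_uri(uri: str) -> dict:
    """Return address, amount in satoshi (None if absent), label, message."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "bitcoin":
        raise PaymentURIError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    if not base58check_ok(address):
        raise PaymentURIError(f"invalid address {address!r}")
    params = dict(parse_qsl(query, keep_blank_values=True))
    # BIP 21: an unrecognised parameter whose name starts with 'req-' must
    # cause the whole URI to be rejected rather than silently ignored.
    unknown_required = sorted(k for k in params if k.startswith("req-"))
    if unknown_required:
        raise PaymentURIError(f"unsupported required parameters {unknown_required}")
    amount_sat = btc_text_to_sat(params["amount"]) if "amount" in params else None
    return {
        "address": address,
        "amount_sat": amount_sat,
        "label": params.get("label", ""),
        "message": params.get("message", ""),
    }


def uri_is_acceptable(uri: str) -> bool:
    try:
        parse_payment_uri(uri)
        return True
    except PaymentURIError:
        return False


def format_btc(sat: int) -> str:
    return f"{sat // SAT_PER_BTC}.{sat % SAT_PER_BTC:08d} BTC"


def confirmation_text(parsed: dict) -> str:
    """The one screen that defeats an inflated-amount QR code: the amount the
    URI asked for, shown to the user before anything is signed."""
    if parsed["amount_sat"] is None:
        return f"Pay to {parsed['address']} (no amount in the code; enter it yourself)"
    who = f" ({parsed['label']})" if parsed["label"] else ""
    return f"Send {format_btc(parsed['amount_sat'])} to {parsed['address']}{who}?"


if __name__ == "__main__":
    GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # constructed test input
    for uri in (f"bitcoin:{GENESIS}?amount=0.034&label=Deli",
                f"bitcoin:{GENESIS}?amount=34&label=Deli"):
        print(confirmation_text(parse_payment_uri(uri)))
```

Run stand-alone it prints the two confirmation lines, one for 0.034 BTC and one for the inflated 34 BTC; the difference is obvious only because the wallet shows it, which is exactly the dialogue the post worries about.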
casascius
Mike Caldwell
VIP Legendary
Activity: 1386
Merit: 1136
March 01, 2013, 04:12:49 AM
#2

Fundamentally, I think it's silly to keep a wallet balance on a computer.  The way I see it, this is asking to get cleaned out.

For me, this would never trip me up, because I never have BTC online in any amount other than what I'm about to transact right then and there.  So if I'm about to spend 1 BTC and a merchant trips me up with a code that baits me into paying 100 BTC, I will see "insufficient funds".  That's because I will only have imported 1 (or slightly more than 1) BTC from paper wallets before making that transaction.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Johnathan
Newbie
Activity: 39
Merit: 0
March 01, 2013, 04:15:45 AM
#3

Quote from: Snowfire on March 01, 2013, 04:05:39 AM
I have noticed that some QR codes presented by merchants for payment encode not only the destination address, but the amount of the transaction. This is, I am sure, meant to be a convenience for the buyer. However, it would be quite easy for an unscrupulous operator to encode some much higher amount than the legitimate price into the QR code, thus scamming an unwary customer. In a system wherein charges are difficult to reverse, and wherein many wallet programs lack a confirmation dialogue box, it would behoove all to be wary.

Can you show an example of this?
Foxpup
Legendary
Activity: 4354
Merit: 3044
March 01, 2013, 05:44:43 AM
#4

Quote from: Snowfire on March 01, 2013, 04:05:39 AM
many wallet programs lack a confirmation dialogue box
Citation needed. No wallet software that I know of will execute a payment from a URI without clearly displaying the amount and address and requiring some form of confirmation from the user.

oleganza
Full Member
Activity: 200
Merit: 104
March 01, 2013, 07:57:32 AM
#5

An idea: the wallet app may keep in memory a collection of decrypted keys for a total amount "up to 10 BTC" (configurable), that can be used to pay without entering the password. If you want to pay more, you enter the password. So for regular small payments, you won't be bothered with a password and don't need to triple-check the amount. For larger payments, a password request will pop up which will make you more careful. So, if you are buying a sandwich for 34 BTC instead of 34 mBTC, then you will get an unexpected dialog box: "You are about to spend 34 000 mBTC, please confirm with a password". "mBTC" can be used to bring extra attention to the amount ("why is it so big?! ah, okay, it's correct"), but, admittedly, can be very confusing until people get used to mBTC in daily operations.

This is equivalent to using two separate wallets, but more convenient.

TheButterZone
Legendary
Activity: 3052
Merit: 1031
March 01, 2013, 10:38:45 AM
#6

I agree. The only place where I* encode amounts in my QR code is at http://pay.thebutterzone.com - so you see the exchange rate, put in the USD amount, it converts it to BTC and regens the QR. You can double-check the math if you want.

*or rather, my host, which does allow the setting of a commission, that I left at 0.

blockbet.net
Member
Activity: 112
Merit: 10
March 01, 2013, 06:44:15 PM
#7

One other kind of abuse with the QR codes is simply replacing the code with another one, without anyone noticing. Imagine a store cashier that has a QR code somewhere, an attacker will only need to distract the clerk for a second and then put a sticker of his own Bitcoin QR code on top of the store's QR code. No-one will know the difference until a few bitcoin have disappeared, and the thief will be gone by then.

I also really would like a system that would ask me for a password when dealing with large amounts. I need to maintain a fair number of bitcoins on my hot wallet, make a lot of transactions daily, and even if I'm very careful, it's only a matter of time until I accidentally send 17 bitcoins to somebody instead of 1.7.

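Added example for the spending-limit idea in post #5 and the 17-versus-1.7 worry in post #7 (editorial code; not from any wallet mentioned in the thread). A configurable budget of keys stays unlocked; payments that fit in the remaining budget go through with a tap, anything larger triggers the password prompt and states the amount in mBTC with grouped thousands, so "34 000 mBTC" for a sandwich reads as wrong at a glance. The 10 BTC budget, the amounts and the `password_ok` callback are constructed stand-ins; a real wallet would hold the decrypted keys, not a counter.

```python
"""Tiered spend authorisation: small payments use already-unlocked keys,
anything beyond the configured budget forces a password prompt that shows
the amount in mBTC.  Added example illustrating posts #5 and #7, not code
from any wallet.  Budget, amounts and the password callback are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

SAT_PER_BTC = 100_000_000
SAT_PER_MBTC = 100_000


def format_mbtc(sat: int) -> str:
    """3_400_000_000 sat -> '34 000 mBTC'; 170_000_000 sat -> '1 700 mBTC'.
    Thousands are grouped with a space; a zero fraction is omitted."""
    whole, frac = divmod(sat, SAT_PER_MBTC)
    text = f"{whole:,}".replace(",", " ")
    if frac:
        text += f".{frac:05d}".rstrip("0")
    return f"{text} mBTC"


@dataclass
class SpendPolicy:
    """Keys worth at most `unlocked_budget_sat` stay decrypted in memory; the
    running total of password-less spends is charged against that budget,
    which is what makes this equivalent to a small hot wallet plus a locked
    one without the user juggling two wallets."""
    unlocked_budget_sat: int
    spent_unlocked_sat: int = 0
    log: List[Tuple[str, object]] = field(default_factory=list)

    def remaining_sat(self) -> int:
        return self.unlocked_budget_sat - self.spent_unlocked_sat

    def authorise(self, amount_sat: int,
                  password_ok: Optional[Callable[[str], bool]] = None) -> str:
        """Return 'sent', 'needs_password' or 'rejected'.

        `password_ok` stands in for the password dialog; it is only invoked
        for payments above the unlocked budget, so the prompt itself is the
        'look again' signal the post describes."""
        if amount_sat <= 0:
            return "rejected"
        if amount_sat <= self.remaining_sat():
            self.spent_unlocked_sat += amount_sat
            self.log.append(("unlocked", amount_sat))
            return "sent"
        prompt = (f"You are about to spend {format_mbtc(amount_sat)}, "
                  f"please confirm with a password")
        self.log.append(("prompt", prompt))
        if password_ok is None or not password_ok(prompt):
            return "needs_password"
        self.log.append(("password", amount_sat))
        return "sent"


if __name__ == "__main__":
    policy = SpendPolicy(unlocked_budget_sat=10 * SAT_PER_BTC)  # constructed budget
    print(policy.authorise(3_400_000))        # 34 mBTC sandwich: sent silently
    print(policy.authorise(3_400_000_000))    # 34 BTC by mistake: password prompt
    print(policy.log[-1][1])
```

The budget is a running total rather than a per-payment ceiling, so a burst of "small" payments cannot quietly drain more than the configured amount before the password is demanded again.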
RodeoX
Legendary
Activity: 3066
Merit: 1147
March 01, 2013, 06:50:07 PM
#8

Perhaps I am missing something, but wouldn't you see that your balance is incorrect as soon as you pay?

TheButterZone
Legendary
Activity: 3052
Merit: 1031
March 01, 2013, 06:51:11 PM
#9

QR code behind the register, or electronically displayed each time. Can't cover what you can't get at.

Snowfire (OP)
Full Member
Activity: 122
Merit: 100
March 01, 2013, 10:36:08 PM
#10

The QR code in question was used by Bitmit (note: I am not accusing them of anything; the amount encoded was in this case the correct one.) The wallet software was Andreas Schildbach's Android app. Perhaps a confirmation screen in said software would be a good patch.

I honestly don't see Bitcoin transactions happening in brick-and-mortar businesses. The time to clear a transaction is just too long. This is not a problem for online businesses, however.

Mike Hearn
Legendary
Activity: 1526
Merit: 1129
March 03, 2013, 01:29:07 PM
#11

There is a confirmation screen in that app, and there has always been one. How did you manage to go direct from scanning a QRcode to sending a transaction?
ufmace
Newbie
Activity: 19
Merit: 0
March 03, 2013, 07:37:56 PM
#12

Quote from: Snowfire on March 01, 2013, 10:36:08 PM
The QR code in question was used by Bitmit (note: I am not accusing them of anything; the amount encoded was in this case the correct one.) The wallet software was Andreas Schildbach's Android app. Perhaps a confirmation screen in said software would be a good patch.

I honestly don't see Bitcoin transactions happening in brick-and-mortar businesses. The time to clear a transaction is just too long. This is not a problem for online businesses, however.

There's a nice bit about that in the Wiki:

https://en.bitcoin.it/wiki/Myths#Point_of_sale_with_bitcoins_isn.27t_possible_because_of_the_10_minute_wait_for_confirmation.

Basically, for purchases of modest value, it is considered reasonably safe to go through with the physical transaction without any confirmations, just watching for the transaction and any double-spends. Getting away with a double-spend in those conditions is difficult enough that nobody would bother to do it just for something worth significantly less than, say, the current block reward.
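Added example of the zero-confirmation policy described in post #12 (editorial code, not from the thread or the wiki page it links): accept a modest payment once the paying transaction has been seen on the network, refuse it if a conflicting transaction spending any of the same inputs is seen, and never accept without confirmations above a fixed ceiling. The transactions are constructed dictionaries standing in for what a node relays (a txid, a list of `(prev_txid, vout)` inputs, a list of `(address, satoshi)` outputs); the merchant address, the 1 BTC ceiling and the txids are made up, and nothing here talks to a network.

```python
"""Zero-conf acceptance with double-spend watching.  Added example, not code
from the thread or the wiki; transactions below are constructed dicts."""
from typing import Dict, List, Set, Tuple

Outpoint = Tuple[str, int]  # (prev_txid, vout)


class ZeroConfWatcher:
    def __init__(self, merchant_address: str, max_zero_conf_sat: int):
        self.merchant_address = merchant_address
        self.max_zero_conf_sat = max_zero_conf_sat
        # outpoint -> first txid seen spending it
        self.spender_of: Dict[Outpoint, str] = {}
        # txid -> txids that spend at least one of the same inputs
        self.conflicts: Dict[str, Set[str]] = {}
        # txid -> satoshi paid to the merchant address
        self.received: Dict[str, int] = {}

    def observe(self, tx: dict) -> List[str]:
        """Record a relayed transaction; return the txids it conflicts with.
        Seeing the same txid twice (normal relay behaviour) is not a conflict."""
        txid = tx["txid"]
        clashes: List[str] = []
        for outpoint in tx["inputs"]:
            first = self.spender_of.setdefault(outpoint, txid)
            if first != txid:
                clashes.append(first)
                self.conflicts.setdefault(first, set()).add(txid)
                self.conflicts.setdefault(txid, set()).add(first)
        paid = sum(sat for addr, sat in tx["outputs"] if addr == self.merchant_address)
        if paid:
            self.received[txid] = paid
        return clashes

    def decide(self, txid: str, price_sat: int) -> str:
        """'accept', 'not_paid', 'double_spend_seen' or 'wait_for_confirmations'.
        Call this after giving the network a moment to relay any competitor."""
        if price_sat > self.max_zero_conf_sat:
            return "wait_for_confirmations"
        if self.received.get(txid, 0) < price_sat:
            return "not_paid"
        if self.conflicts.get(txid):
            return "double_spend_seen"
        return "accept"


if __name__ == "__main__":
    # Constructed scenario: the customer pays, then broadcasts a competing
    # spend of the same coin to somewhere else.
    w = ZeroConfWatcher("merchant-addr", max_zero_conf_sat=1 * 100_000_000)
    pay = {"txid": "a", "inputs": [("coin1", 0)],
           "outputs": [("merchant-addr", 500_000), ("change-addr", 100)]}
    steal = {"txid": "b", "inputs": [("coin1", 0)],
             "outputs": [("attacker-addr", 500_100)]}
    w.observe(pay)
    print(w.decide("a", 500_000))   # accept
    w.observe(steal)
    print(w.decide("a", 500_000))   # double_spend_seen
```

The ceiling is the practical half of the argument: below it, an attacker who does manage a successful double-spend gains less than the effort costs, and above it the merchant simply waits for confirmations.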
qwk
Donator Legendary
Activity: 3542
Merit: 3411
March 03, 2013, 08:51:35 PM
#13

tl;dr: people don't care about fraud with petty cash.


Just wanted to toss in my own 0.02 btc:

A while ago I spent a couple weeks in Hong Kong, and got used to a nifty little thingy called the Octopus Card.
Basically, a contact-less prepaid debit card for petty cash. You could use that thing just about anywhere, the underground, buses, McDonald's, vending machines, you name it.

And you know what? Nobody, literally not a single person (including myself) ever bothered even looking at what amount got charged. With minor amounts, you just don't care, the comfort of "it just works" outweighs whatever risk of fraud there might have been.

Herodes
Hero Member
Activity: 868
Merit: 1000
March 04, 2013, 10:17:12 PM
#14

Quote from: Snowfire on March 01, 2013, 04:05:39 AM
I have noticed that some QR codes presented by merchants for payment encode not only the destination address, but the amount of the transaction. This is, I am sure, meant to be a convenience for the buyer. However, it would be quite easy for an unscrupulous operator to encode some much higher amount than the legitimate price into the QR code, thus scamming an unwary customer. In a system wherein charges are difficult to reverse, and wherein many wallet programs lack a confirmation dialogue box, it would behoove all to be wary.

A customer should always double check his receipt before he leaves to make sure everything is right.