> If you're going to do a scam like that on a business level, there's a lot of logistics involved. A mom and pop shop isn't going to be a suitable target, so you're going to be targeting a franchise where you can easily move operations to reduce costs. You have to spend a bunch of time building out a fake website. You have to put multiple boots on the ground to go around changing hundreds of QR codes to improve hit rates.
Yea, this happens already. For example, the finance department at my company was recently phished for a significant amount of funds. How? Someone broke into the payment company that issues the invoices for a company that we use and got their customer list and then started phishing all their clients.
They emailed my finance department, said the account number had changed, even used the same bank, and got us to send a payment for an invoice to that new account. Bank happily paid them out. Nuts. Now we have to try to claw the money back, but I don't think we can get it without long legal proceedings against the bank. Imagine though, having the balls to open a bank account after having broken into a company.
The people in the finance department felt awful and surprised that this could even happen to them. Since then, they've now increased the security 1000x and require voice verification and what not...
My point is, just like you say, you can't trust the trust. The only way this would have worked is if QR codes could only be generated by a trusted third party for all QR codes. Even still, it wouldn't work because I could fake the trusted third party.
You have a nice dream, and it gets me thinking that a "LetsEncrypt for QR codes" might be an interesting business service, but it would require a huge amount of convincing people to use you as well as marketing dollars to get the word out. I still don't think it'll stop everything.
They emailed my finance department, said the account number had changed, even used the same bank, and got us to send a payment for an invoice to that new account. Bank happily paid them out. Nuts. Now we have to try to claw the money back, but I don't think we can get it without long legal proceedings against the bank. Imagine though, having the balls to open a bank account after having broken into a company.
The people in the finance department felt awful and surprised that this could even happen to them. Since then, they've now increased the security 1000x and require voice verification and what not...
My point is, just like you say, you can't trust the trust. The only way this would have worked is if QR codes could only be generated by a trusted third party for all QR codes. Even still, it wouldn't work because I could fake the trusted third party.
You have a nice dream, and it gets me thinking that a "LetsEncrypt for QR codes" might be an interesting business service, but it would require a huge amount of convincing people to use you as well as marketing dollars to get the word out. I still don't think it'll stop everything.