[devy]

I can't believe promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human readable data input is dangerous if somehow the QR code is comprised with a zero-day URL, it's game-over.

Note: I know QR code is ubiquitous these days, but still blinding scanning a QR code to go to accessing an URL is like running a binary downloaded from the internet.

Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.

[xp84]

But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

[olyjohn]

It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.

[shye]

No, we don't, or shouldn't ask people to check the URL itself, because of homonym attacks are a thing. Goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).

[xp84]

IDK about how you scan them, but when I scan one with my camera, I see the top domain part (e.g. it would show 'ycombinator.com' for a link to this page) and have to tap that to open the link. So, that not only satisfies the "can look at" part, but also neutralizes some of the deceptive URL tricks like the ol' `google.com-secure-signin.php-sfd7sdfj.xyz/login.html`.

[PeterStuer]

Whoever told you that is the same person that advocated complex password rules with montly resets and no repeats.

[olyjohn]

If you really think that's true, I have some QR codes for you to scan.

[orf]

Please, share them.

[jeroenhd]

Right! Let me check the URL before clicking the "confirm your account" link!

https://rt434.mjt.lu/lnk/GN2PVLyAIiUHuMqkGcjHkjkcRBtF/zJfB7p...

Oh wait, never mind. I guess I won't be signing up for electricity, then?

Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.

If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.

[olyjohn]

What's the point of confirmation or user interaction, when nobody knows how to read a URL, and they just click the goddamn accept button?

[jeroenhd]

The user doesn't need to know the exact URL to confirm an interaction they've just started.

The point of the confirmation is 10% account creation and 90% confirming that the user knows their own email address and can type it in correctly. That's actually more challenging to the wider audience than you might think.

[alfanick]

> Oh wait, never mind. I guess I won't be signing up for electricity, then?

You ~~will~~ should be picking up your phone and calling the electrical company to confirm and to tell them their links are nonsense. Couldn't bother with AI agent on phone, or 60 min waiting queue to a human? Fuck it, don't pay the bill, figure it out later.

[xp84]

This advice sounds like nonsense. CS has neither knowledge of what layers of enterpriseware has wrapped their links, nor the domains that software uses, nor any control over those decisions by software engineering or marketing (or perhaps even more removed, some third-party electricity account management platform that they buy as a service).

You certainly could operate on policies like this, but I think most people prefer to spend their time differently instead of arguing with strangers who don't have any way to solve your problem.

[jeroenhd]

Their customer support people don't know what I mean and they especially don't have any power to change this.

The problem isn't paying the bills (I can't recall the last time I ever needed to do that manually), the problem is that pretty much every service uses trackers and shorteners. The only way to opt out is to opt out of society.

Maybe I should, but this "read the link before you click" advice isn't just geared towards hardcore privacy advocates. It hasn't worked in ages. It also doesn't help that companies like Outlook rewrite links to make them redirect through their malware scanners as well.

[a2128]

2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this

[gwerbin]

Companies were doing this all along. The 2020s will be remembered as the decade when we realized, too late, that the world began ending in the 2010s.

[classified]

Unregulated greed doesn't care if every user gets robbed and their identity stolen.

[shit_game]

Whats to stop malicious actors (bad extensions, compromised cdn, etc.) from painting over the qr code or injecting their own? This is so incredibly terrible.

[dunder_cat]

Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.

As a side note though, I recently have tried to turn CSP on a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or Social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.