19 March 2019

The big risk of a quick scan — and what Alipay will do about it

At first, vested interests were blamed for the abrupt ban on QR codes but revelations of dangers lurking in quick-response-code payments suggest the central bank may have had a point in clamping down on the transactions.

The People’s Bank of China suddenly announced last month that it was barring virtual credit card and QR code payments for now, affecting service providers like Tencent’s (00700.HK) Tenpay and Alibaba Group’s Alipay.

Some called it unfair and saw the shadowy hand of rivals — state-owned brick-and-mortar lenders and domestic bank card organization UnionPay — wielding influence behind the scenes. 

But media reports are surfacing of digital thieves stealing cash from e-wallets, prompting some Alipay and Tenpay users to realize just how vulnerable they are.

China Central Television last week aired the case of an Alipay user who suffered hefty losses from her Alipay-linked bank account after scanning a phishing QR code with her smartphone. The code apparently contained a Trojan horse virus that could intercept or steal personal information such as a user’s password or ID card number.

The report also said the China Consumers’ Association has received more than 10,000 complaints of third-party payment disputes since the start of the year.

Before the central bank clampdown, Alipay and Tenpay were striding into the offline payment domain, upgrading electronic fund transfer at point of sale (EFTPOS) devices to support QR codes and e-wallet payments.

Major device suppliers like Newland Computer (000997.CN) and Zhengtong Electronics (002197.CN) reportedly launched a new series of QR code-enabled EFTPOS devices. New Tenpay-backed equipment can generate QR codes for each transaction for customers to scan via their WeChat app before inputting passwords and confirming their purchase.

The process is designed to be easy, swift and flawless, albeit with the potential danger of malicious QR codes and Trojan horse viruses.

Experts told the Economic Observer that it’s easy to download applications to generate QR codes, and that QR code-enabled EFTPOS devices are not under the scrutiny of semi-governmental organizations like UnionPay. That means there are big risks for on-the-go buyers who seldom think before scanning.

Alipay has responded by encrypting all of its QR codes and stripping them of sensitive user information. The company says that after a code is scanned, the Alipay application will first verify its source before carrying out payment instructions. The final payment can be completed only through Alipay’s backend servers.

For QR codes from unknown sources, Alipay will automatically disable the “redirect and download” function to eliminate risks.

Alipay and Tenpay also plan to promote the new “QR code for vendors to scan” method. Both platforms are working on applications that generate a unique QR code for the shop owner to scan, authorizing Alipay or Tenpay to deduct the agreed amount of money from the customer’s account on behalf of the seller.

Despite the ban, some of the virtual changes are already in real-world play. 

Guangdong-based convenience store chain operator Meiyijia (美宜佳) is now testing the new, more secure way of payment with Alipay at its 5,500 stores in 17 cities.




EJ Insight writer
