Some years ago I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally-signing tags (although I did also note that no-one used it) whereas anyone could easily create bogus QR codes.vI said at the time that you could “imagine a situation in which a powerful player like Apple, using Passbook, forces a scheme for digitally-signing QR codes and sets up a structure for key and certificate management”. I also suggested, in connection with a couple of projects that my colleagues were working on at the time, that mobile operators do the same, at least until NFC inevitable replaced QR.
While I have no inside information on the subject, I do expect a future iPhone (and, for that matter, iPad) to have NFC. NFC is a convenience technology, and Apple loves convenience
I also noted that some surveys showed NFC generated better results for merchants, but only once consumers could get it working. As Osama Bedier, then head of Google Wallet, pointed out, this is was some barrier because of the amount of “futz” it took to get NFC working. Well, only a few years later iPhones do indeed have NFC but QR is everywhere. QR codes became popular precisely because any app could read them, precisely because anyone can use them, precisely because there is no security infrastructure, precisely because there is no futz. The result in China, where there was little card infrastructure in place beforehand, was the near-ubiquity of QR in the world’s biggest mobile payments market.
"Ogilvy & Maher and Ipsos concluded in a survey of China’s mobile payment market that ‘[Chinese] mobile payment has permeated all aspects of life and changed basic, everyday habits.’"
It seemed to me that thought fraud would be an inevitable consequence of the QR-centric approach, and so it turned out. Last year I read in the South China Morning Post that in March 2017 some 90m Yuan were stolen via QR code scams in Guangdong alone (a suspect in one case was found to have replaced merchants legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China, a quarter of viruses and trojans were coming in via QR.
Now, while even the man who invented QR codes says that they are an interim technology, there’s no denying that they are here to stay. Hence it makes sense to find a way to make them more secure, and the obvious way to do this is two-factor authentication (2FA). It turns out that the Chinese regulators have come to the same conclusion and have implemented the equivalent of the European Union (EU) Second Payment Services Directive (PSD2) Regulatory Technical* Standards** (RTS) on Secure Customer Authentication (SCA).
"Under new rules released by the People’s Bank of China [in December 2017], all transactions over 500 yuan (US$76) will be subject to additional levels of verification. As the transaction value passes each trigger point – 1,000 yuan, 5,000 yuan and unlimited – so the security checks will increase."
This makes obvious sense. Just as in the UK we have contactless for low-value payments but 2FA for higher-value payments (ie, chip and PIN for cards or CDCVM for mobile), so QR will be used for low-value payments but 2FA will be required for higher-value payments. Of course, in the Chinese system, QR works just as well on-line as in-person whereas in our system we don’t use chip and PIN online (but should do - ApplePay in-browser is easy and safe) so we still have some way to go to catch up with leading edge of fintech.
* Not “technical” in the sense that you or I would mean it.
** Not “standards” in the sense that you or I would mean it.