devy 3 hours ago

I can't believe promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human-readable data input is dangerous: if somehow the QR code is compromised with a zero-day URL, it's game over.

Note: I know QR codes are ubiquitous these days, but still, blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.

Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.

xp84 2 hours ago

But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

shit_game an hour ago

What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.