I tried the Cart Recovery demo, pretty slick! It sounds Indian, and I guess the immediate giveaway it's not human is the way she spelled iPhone (she mentioned it a couple of times; a real human wouldn't do that).
Not sure how the voice compares with "generic" solution e.g. from Google. Can those generic solutions sound like a "local"? E.g. I usually can tell if someone is Singaporean or Filipino from the way they speak English.
And that's the problem -- all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.
This is why QR codes, especially ones with complicated encoded URIs, are a security problem. They're very hard for laypeople to audit before doing the wrong thing.
No. You don't scan the QR with your camera or whatever. You open the app and scan it inside there. And there's no website. Only mobile apps on devices where attestation and full device/SIM binding is possible are allowed. The SIM has to match the one you register with your bank as well. And once you register (which involves 2FA with your bank), the device/app identity is frozen. And then there is a transaction-time secret which is your 6-digit UPI PIN. Obviously, just knowing someone's PIN is useless - I know all my close friends' PINs. It's just 6 digits after all. Even 4 is allowed. This is checked at the end of the line in the bank's server.
The client only talks to the payment service provider server, which checks attestation, and only those few approved PSPs can talk to the NPCI server. And only the NPCI server can talk to banks.
The core code used by all the PSPs is the same, there is a common SDK that they have to use to be approved. There is a common test suite for the server side as well, that each PSP has to pass for certification.
PSPs like Google Pay that aren't banks themselves are called TPAPs, and they have to first partner with a willing bank. And you get TPAP client -> TPAP server -> partner bank server -> NPCI in the chain above. This is mostly for regulatory reasons.
Client-side security though, relies on
1) the app, when registering, sending an SMS to the bank; the bank uses the telecom-network-side ID (and not the number in the SMS body), and checks that this number is attached to the bank.
2) Play Integrity/device attestation
Attaching a SIM to a bank requires in person KYC, so does buying a SIM.
So to break it you need
1) a Play Integrity exploit on the target's phone + getting them to actually install your app and getting your app on the Play Store
or 2) a SIM swap attack on the target, which involves KYC/biometric forging/in-person social engineering at the telecom provider's shop.
Even if you SIM swap, the bank will check with the telco if you recently got a new SIM and restrict high-value transactions for a while. The telco themselves will have a cooldown period. Some banks can make you do in-person KYC again at the bank's side. My bank requires this when you replace SIMs.
Similarly when you change phones, you get stricter limits for a while. Because the device fingerprint changes (with the SIM being the same).
You can do all that and get... $1000. And there are per-month limits, etc., which you can tweak yourself with your bank.
Of course there is the purely scammer route, where you scam someone into paying you money, authorising it themselves. For these things there is the usual risk-based stuff. The payee name you as the scammer give the victim has to match the one in your scammer bank account. And merchant payments / individual payments are differentiated, so the user gets a visual indication that they are paying a person and not a company. And so on. Here obviously it is defense in depth and not cryptographic defense, since the user is the one authorising.
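The layered checks the comment above describes (attestation, frozen device/SIM identity, bank-side PIN verification, cooldowns after a SIM or device change, monthly caps, payee-name matching) can be modelled as a small risk policy. The following is an added toy example written for this thread; it is not NPCI, PSP or any bank's code, and every limit, cooldown and field name in it is a constructed assumption chosen to make the decision logic visible.

```python
"""Toy model of layered UPI-style transaction checks.
Constructed illustration only: not the NPCI/PSP protocol and not any bank's code.
All caps and cooldown windows below are made-up assumptions."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import hashlib
import hmac

SIM_CHANGE_COOLDOWN = timedelta(days=7)     # assumption: restricted limits after a SIM reissue
DEVICE_CHANGE_COOLDOWN = timedelta(days=3)  # assumption: restricted limits after a device change
RESTRICTED_CAP = 5_000                      # assumption: per-transaction cap while in a cooldown
DEFAULT_MONTHLY_CAP = 100_000               # assumption: user-tweakable monthly cap


def hash_pin(pin: str, salt: bytes = b"demo-salt") -> bytes:
    # Only the bank holds the PIN verifier; PSPs never see the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Registration:
    account: str
    device_id: str              # identity frozen at registration (attestation-backed)
    sim_id: str                 # network-side SIM identifier verified at registration
    sim_changed_at: datetime
    device_changed_at: datetime
    pin_hash: bytes
    monthly_cap: int = DEFAULT_MONTHLY_CAP
    spent_this_month: int = 0


@dataclass
class TxnRequest:
    device_id: str
    sim_id: str
    attestation_ok: bool        # outcome of the PSP-side integrity check
    amount: int
    pin: str
    payee_name_shown: str       # name the payer was shown before authorising
    payee_name_on_file: str     # name on the payee's bank account


def evaluate(reg: Registration, req: TxnRequest, now: datetime):
    """Return (decision, reasons). Identity-bound checks reject outright;
    risk-based checks only restrict the amount."""
    if not req.attestation_ok:
        return "reject", ["attestation failed"]
    if req.device_id != reg.device_id:
        return "reject", ["device does not match registration"]
    if req.sim_id != reg.sim_id:
        return "reject", ["SIM does not match registration"]
    if not hmac.compare_digest(hash_pin(req.pin), reg.pin_hash):
        return "reject", ["PIN incorrect"]

    reasons, cap = [], None
    if now - reg.sim_changed_at < SIM_CHANGE_COOLDOWN:
        reasons.append(f"recent SIM change: cap {RESTRICTED_CAP}")
        cap = RESTRICTED_CAP
    if now - reg.device_changed_at < DEVICE_CHANGE_COOLDOWN:
        reasons.append(f"recent device change: cap {RESTRICTED_CAP}")
        cap = RESTRICTED_CAP
    if cap is not None and req.amount > cap:
        return "reject", reasons + [f"amount {req.amount} exceeds cap {cap}"]
    if reg.spent_this_month + req.amount > reg.monthly_cap:
        return "reject", reasons + ["monthly cap exceeded"]
    if req.payee_name_shown != req.payee_name_on_file:
        return "reject", reasons + ["payee name mismatch"]
    return "approve", reasons


def demo():
    """Run constructed scenarios through the policy and return the decisions."""
    now = datetime(2025, 1, 15)
    reg = Registration(account="acct-1", device_id="dev-A", sim_id="sim-1",
                       sim_changed_at=now - timedelta(days=30),
                       device_changed_at=now - timedelta(days=30),
                       pin_hash=hash_pin("482913"))
    base = dict(device_id="dev-A", sim_id="sim-1", attestation_ok=True, amount=2_000,
                pin="482913", payee_name_shown="Corner Store", payee_name_on_file="Corner Store")
    results = {
        "normal": evaluate(reg, TxnRequest(**base), now),
        "wrong_pin": evaluate(reg, TxnRequest(**{**base, "pin": "000000"}), now),
        "swapped_sim": evaluate(reg, TxnRequest(**{**base, "sim_id": "sim-9"}), now),
        "cloned_app": evaluate(reg, TxnRequest(**{**base, "attestation_ok": False}), now),
    }
    # Legitimate SIM reissue two days ago: re-registered, but still inside the cooldown.
    fresh = replace(reg, sim_id="sim-2", sim_changed_at=now - timedelta(days=2))
    results["reissue_small"] = evaluate(fresh, TxnRequest(**{**base, "sim_id": "sim-2"}), now)
    results["reissue_large"] = evaluate(
        fresh, TxnRequest(**{**base, "sim_id": "sim-2", "amount": 20_000}), now)
    return results


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:14s} {decision:8s} {reasons}")
```

The ordering matters: the cryptographic and identity-bound checks (attestation, device, SIM, PIN) fail closed, while the risk-based checks degrade to a lower cap so a legitimate user with a new SIM is inconvenienced rather than locked out.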
True, but in general the QR -> link thing you mentioned is genuinely a nightmare. Especially when it also passes through a URL shortener first. I've seen that happen all the time. They use these QR code SaaS things that put their own short URL in the actual QR. This lets you change the URL even after you've sent the QR to others. But phishing-wise it's a nightmare as you can imagine.
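The shortener problem raised above is that the QR's encoded URI is not the destination the user ends up at, and that even a direct URI is hard to audit by eye. As an added example that is not part of this thread, the triage function below inspects a decoded QR payload (the string a scanner hands back) and flags the signals a defender would check before the link is opened: a shortener host, an expected bank hostname appearing as a label inside some other domain, user-info in the URL, and plain HTTP. The hostnames, shortener list and sample payloads are all constructed.

```python
"""Triage a decoded QR payload before it is opened. Added example; all hosts are constructed."""
from urllib.parse import urlsplit

EXPECTED_BANK_HOST = "bank.example"                       # assumption: the host the user expects
SHORTENER_HOSTS = {"short.example", "qr-saas.example"}    # constructed list, not real services


def triage(payload: str) -> list:
    """Return a list of warnings for one decoded QR payload; an empty list means nothing flagged."""
    parts = urlsplit(payload)
    if parts.scheme not in ("http", "https"):
        # App-specific payloads (no web URL) belong to the app's own in-app scanner.
        return [f"not a web URL (scheme '{parts.scheme}'): use the app's in-app scanner"]

    warnings = []
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("plain http")
    if parts.username or parts.password:
        # "https://bank.example@evil.example/" reads as the bank to a human but goes elsewhere.
        warnings.append("credentials/user-info embedded in URL")
    if host in SHORTENER_HOSTS:
        warnings.append("shortener: final destination is not visible in the code")
    is_bank = host == EXPECTED_BANK_HOST or host.endswith("." + EXPECTED_BANK_HOST)
    if not is_bank and EXPECTED_BANK_HOST in host:
        warnings.append("lookalike: expected host appears as a label inside another domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: check for homoglyphs")
    return warnings


SAMPLES = {  # constructed payloads
    "legit": "https://login.bank.example/pay?ref=123",
    "shortened": "https://short.example/aB3x",
    "lookalike": "https://bank.example.secure-login.example/pin",
    "userinfo": "https://bank.example@evil.example/login",
    "plain": "http://bank.example/pay",
    "app_payload": "pay:merchant-42",
}


def triage_all() -> dict:
    return {name: triage(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, warnings in triage_all().items():
        print(f"{name:12s} {warnings or 'ok'}")
```

The check is deliberately a triage, not a verdict: a shortened link can be perfectly legitimate, which is exactly why it cannot be audited from the QR alone.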
> all I have to do is come up with a website that looks enough like your banking app, and get you to scan the URI to that website, and that'll trick you into giving me your PIN.
It is not how any of this works. But sure, keep up the uninformed fear mongering.
I am Indian and I think what you are saying is correct. It opens up the banking app or, in our case, the UPI provider's app, so Google Pay, PhonePe, Paytm, BHIM UPI and other such apps.
Another thing is lead time. I built an app (https://signagesync.app/) to "multi-chromecast" websites and videos to Android TV, macOS, Windows and hopefully Samsung TV as well.
"Hopefully", because it took me literally 2 months waiting for the reviewer to test my app after it was submitted (to be fair, they did say "expect 6-8 weeks" upfront). They found some issues (crashes), so it was rejected, but I lost interest in resubmitting.
"The ruling applies to his so-called "Liberation Day" tariffs, but not individual tariffs he's imposed on specific countries or products " -- So what's gonna happen next?
For countries that negotiated special treatment, they'll be stuck with a (now worse) deal?
For other countries, they'll return to the previous deal (non-tariff)?
So I am far from an expert, but I saw that Capital Economics (a macroeconomic analysis firm) put out a note saying that Trump still had power under Section 122 of the Trade Act of 1974. But there are three catches for that. First, it only lasts for 150 days unless Congress votes to approve them. Second, it has to apply to all countries equally, meaning that it can't be used to give some countries a break if they sign a deal, so all of the deals are going to be unenforceable on America's end. Third, it caps the tariff rate at 15%.
Like with refunds, this is a mess of Trump's own making, and now we get to figure it out.
They've already voted once that a day isn't a day to avoid having to maintain some of his emergency declarations so I don't think that 150 day timer will actually end up running.
This is one of the things that drives me nuts about certain conservatives here in Canada who have been crying that Carney just "needs to make deal" (on some realpolitik basis) -- that would have been completely insanely bad bargaining. Everyone knew this court date was coming (and also that there's midterms this year). Why on earth would Canada show its belly to Trump when Trump himself was potentially about to be de-fanged? Why ink an unfavourable deal and then find two years later that we're stuck with it while the US political arena has changed?
Super Bowl ads, in particular, really are their own thing. People will even watch them later, discuss, share, etc.
There are some people who have more interest in the Super Bowl for the ads than the sport.
So I'd say it's not money flushed down the bowl.
Random fun fact: 20ish years ago, I used to work at a web hosting company that had superbowlads.com (IIRC) as a customer. I'm not surprised it's no longer an actual site, though: I speculatively doubt NFL lawyers would've left it alone.
Hmm, maybe for countries with strong consumer protection, yes.
I lost 3 credit cards INSIDE an airplane (hello AirAsia!). I only realized it when I turned on my phone while queuing at immigration and was bombarded with dozens of "Successful transaction" messages. That's ~30min from stepping off the airplane. When I checked my statements, I saw dozens of physical transactions (swipes/taps) with different merchants in different cities from the airport.
All 3 cards have different PINs. All require a PIN for transactions above ~USD200. Yet the banks rejected my disputes because "it's a physical transaction, so you must be the one doing it." Apparently, they all think I could fly to different cities, buy different items, and fly back to wait in immigration, all in 30 minutes.
OpenClaw made the headlines everywhere (including here), but I feel like I'm missing something obvious: cost. Since 99% of us won't have the capital for a local LLM, we'll end up paying OpenAI etc.
How much should we budget for the LLM? Would "standard" plan suffice?
Or is cost not important because "bro it's still cheaper than hiring Silicon Valley engineer!"
I signed up for OpenRouter to play with OpenClaw (in a fresh VM). I added a few $, but wow, does it burn through those quickly. (And I even used a pretty cheap model, DeepSeek V3.2.)