Changsha, China – A mobile phone vendor in Changsha, Hunan province, recently fell victim to a sophisticated remote skimming scam, losing thousands of yuan through her Alipay account despite never relinquishing physical possession of her phone. The incident, highlighted in a recent announcement by Hunan police, underscores the growing threat of QR code-based fraud and the importance of heightened vigilance among mobile payment users.
The victim, identified as Ms. Zhao, received a friend request on her phone from an individual claiming to be interested in purchasing a mobile phone. After agreeing on a model and price, the purported buyer requested to pay via Alipay. Ms. Zhao provided her Alipay QR code, but the scammer then claimed to be experiencing difficulties with the payment process. They proposed a video call, offering to guide Ms. Zhao through the transaction.
During the video call, the scammer instructed Ms. Zhao to navigate to the Receive/Pay page within her Alipay app. Unbeknownst to Ms. Zhao, the scammer was exploiting a crucial vulnerability in the Alipay interface. When the Receive/Pay page is opened, the default display is the Payment Code (付款码), used for making payments. Users must manually switch to the Receive Code (收款码) to receive funds.
Capitalizing on this brief window of opportunity, the scammer surreptitiously captured a screenshot or photograph of Ms. Zhao’s Payment Code. Leveraging the common practice of enabling password-free payments, the scammer then used the stolen Payment Code to directly debit Ms. Zhao’s account.
Moments after the video call ended, Ms. Zhao received two payment notifications: one for 999 yuan and another for 499 yuan. By the time she realized she had been defrauded, the scammer had blocked her contact.
Police investigations revealed that the stolen funds were transferred to a convenience store account in Guangzhou. A subsequent investigation led to the identification of a criminal gang, led by a suspect named Huang, operating across Hunan and Guangdong provinces. A coordinated operation resulted in the arrest of Huang and six other suspects in cities including Guangzhou, Foshan, and Chenzhou. Authorities have linked the gang to over 200 similar cases nationwide, with total illicit gains exceeding one million yuan.
The Vulnerability: Payment Code vs. Receive Code
The scam highlights a critical security flaw in the Alipay interface. The default display of the Payment Code upon opening the Receive/Pay page creates a window of vulnerability that can be exploited by fraudsters. This is further exacerbated by the widespread use of password-free payments, which allows transactions to be completed without additional authentication.
Protecting Yourself: Alipay’s Payment Code Privacy Protection
To mitigate the risk of remote skimming, Alipay offers a Payment Code Privacy Protection feature. When enabled, this feature hides the barcode of the Payment Code by default. Users must manually click Display Payment Code before making a payment, adding an extra layer of security.
Moving Forward: A Call for Enhanced Security Measures
This incident serves as a stark reminder of the evolving sophistication of digital fraud. While users must remain vigilant and adopt available security measures, platform providers like Alipay also bear a responsibility to enhance their security protocols and user interface design to minimize vulnerabilities. This includes exploring options such as:
- Reversing the Default Display: Consider making the Receive Code the default display on the Receive/Pay page.
- Mandatory Authentication: Implement mandatory authentication for all transactions above a certain threshold, even with password-free payments enabled.
- Enhanced User Education: Conduct more comprehensive user education campaigns to raise awareness about the risks of QR code fraud and the importance of enabling security features.
By working together, users and platform providers can create a safer and more secure digital payment environment.
References:
- IT之家. (2025, February 15). 收款变付款,长沙一商户被“隔空”盗刷支付宝上千元 [Collection becomes payment, a Changsha merchant was remotely stolen thousands of yuan from Alipay]. Retrieved from [Insert Original IT之家 Article Link Here – Since a real link wasn’t provided, I’m leaving this placeholder].
Views: 0