Suggestion to reduce QR code scams

Comments

5 comments

  • Star

    I had a similar idea, but it was to block any attempts to log in with a QR code if both clients are in different locations (5-15 miles?), so if someone tries to use a QR code to get into an account they won’t be able to, as they’re not in the same location as the account holder.

    0
  • Vazyriqx

    The problem with that is that it requires either both devices to be on and allow GPS, which is not always the case, or you need to be connected from the same IP, which can make VPNs a pain to use. It would work, but it would be sacrificing too much QoL for security.

    0
  • Star

    The VPN issue, yes. However, couldn’t you just reference the IP addresses of both devices against the public databases of IP addresses and be able to know the general location (i.e. the city or town) and basically disallow attempts from more than 20 miles away?

    If anything that would be better than using the GPS of the device and would be overkill for this idea. I think all you’d need is just the general location.

    (I mean, in reality the chances of a bad actor and a user being in the same city are quite low)

    (Please correct this if I’m wrong)

    -1
  • Vazyriqx

    Yes and no. Geolocation by IP is not precise, to say the least, and even if it were, it would be overkill because, except for some rare edge cases, both devices are going to be on the same network, so it would be far simpler just to check if both devices are from the same IP. And for the VPN issue, there is just nothing you can do unless they are using a VPN to the same location. As I said before, it would work. However, it is overkill.

    0
  • Star

    The issue I would see with checking the exact location is privacy. I am unsure, but does Discord’s privacy policy allow it to log the exact location of specific devices? If not, that would have to be added to it for this feature to be able to exist.
    Obviously, yes, geolocation by IP is not accurate. But for this it wouldn’t have to be extremely accurate.

    I think our ideas on this differ a little. I feel it should look at the location and ideally have an accuracy of under 20-40 miles. Now ofc someone who lives in the same area could then still use the QR code login for bad purposes. However! That would only be a small fraction of users. The majority of them would be safe from this type of scam.

     

    I do 100% think your idea is better. Sure, there are edge cases where the IP addresses are different, but for the most part it’ll be the same. It’s just, as I said, idk if Discord’s privacy policy will allow for logging of exact location (as I said, hence why for that reason geolocation might be better or might not).

    Yea, it’s all overkill. However, why not? People misusing the QR code login feature is really bad. The fact it only takes a few clicks for u to accidentally give someone ur account.

    As I’ve said, this would mostly eliminate that misuse. And you also can’t forget that when people use this to get into people’s accounts they can buy server boosts and Nitro gifts (if a payment method is connected), and they can see the billing address. And email and phone number. This could become extremely dangerous.

    I see it as a recipe for disaster. How long will it be until a teenager accidentally scans a QR code and it logs someone into their Discord? What if that person then finds the phone number connected to the account or the billing address? It could become extremely dangerous very, very quickly.

     

    In my eyes it’s not overkill. It’s not just security, it’s for safety.

    Sorry for the little bit of a rant. I wanted to show why it is overkill but why it’s worth it to have a security feature like this.

    -1
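
The two checks debated in this thread (same public IP first, then coarse IP geolocation with a distance limit), combined into one decision function. This is an added example, not part of any comment above and not Discord's code. The geolocation table, the function names and the "challenge" outcome for addresses with no known location are assumptions of the example; the IP addresses are constructed from documentation ranges.

```python
import ipaddress
import math

# Constructed stand-in for a public IP geolocation database: documentation-range
# prefixes mapped to approximate city-level coordinates (lat, lon).
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): (51.5074, -0.1278),     # city A
    ipaddress.ip_network("203.0.113.0/24"): (51.5154, -0.0922),   # city A, other ISP
    ipaddress.ip_network("198.51.100.0/24"): (51.4545, -0.9781),  # city B, ~37 mi away
}
MAX_MILES = 20               # threshold proposed in the thread
EARTH_RADIUS_MILES = 3958.8

def locate(ip):
    """Return (lat, lon) for an IP, or None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, coords in GEO_DB.items():
        if addr in net:
            return coords
    return None

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def check_qr_login(scanner_ip, requester_ip, max_miles=MAX_MILES):
    """Decide a QR login from the phone's IP and the IP of the client showing the code."""
    # Cheapest check first: both devices behind the same public IP.
    if ipaddress.ip_address(scanner_ip) == ipaddress.ip_address(requester_ip):
        return "allow", "same public IP"
    a, b = locate(scanner_ip), locate(requester_ip)
    if a is None or b is None:
        # Private or unlisted address: no distance to compare. "challenge" (ask
        # for an extra confirmation) is an assumption of this example.
        return "challenge", "location unknown"
    dist = miles_between(a, b)
    if dist <= max_miles:
        return "allow", f"{dist:.0f} miles apart"
    return "deny", f"{dist:.0f} miles apart"

if __name__ == "__main__":
    for pair in [("192.0.2.10", "192.0.2.10"), ("192.0.2.10", "203.0.113.5"),
                 ("192.0.2.10", "198.51.100.7"), ("192.0.2.10", "10.8.0.2")]:
        print(pair, check_qr_login(*pair))
```

A user whose phone is on mobile data while the desktop is on home broadband lands in the distance branch, which is where the accuracy of the geolocation data decides the outcome.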
