yesterday, i came across this thread where the op elaborated on a scam case in facebook groups where someone uploaded a fake duitnow qr to raise donations for masjid jamek sultan abdul.
currently for sedekahje, we already have around 700+ qrs in our directory from various sources. the sources are my own effort, as well as contributions from the community. the contribution channels are mainly google form, pull requests to the github repository, and my close circle of friends who reached out to me personally to contribute.
these qrs are verified and validated before being added to the directory. the qrs are scanned manually by me using mae, or by a few contributors i trust.
how do we verify the qr? for example, currently in mae, after you scan a qr and enter the amount, before clicking on pay, the app shows you the merchant name. that's the information we have used to confirm that the qr indeed belongs to the institution.
however, this verification method is no longer valid because, based on the twitter thread mentioned above, a scammer can edit the merchant name. meaning that the scammer can generate his own qr via the merchant app but change the merchant name to any name he wants, in this case masjid jamek sultan abdul.
what's worse is that even if you, as the end user, have made the payment, the receipt will still show masjid jamek sultan abdul as the merchant, while the money actually goes into the perpetrator's account.
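to show why the merchant name cannot be the thing a directory verifies, here is an added example (not code from sedekahje or from the original post) that parses a merchant-presented qr payload and checks a submission against a directory record by its merchant account template rather than by the name. it assumes duitnow qr follows the emvco merchant-presented tlv layout (tag 59 merchant name, tags 26-51 account templates, tag 63 crc); every guid, account value and name in it is a constructed placeholder.

```python
# Added example, not code from the original post: parse an EMVCo-style
# merchant-presented QR payload (assumed to be the TLV layout DuitNow QR uses),
# check its CRC, and validate a submission against a directory record by its
# account template (tag 26), not the display-only merchant name (tag 59).
ACCOUNT_TAGS = {f"{i:02d}" for i in range(26, 52)}  # merchant account info templates


def crc16_ccitt_false(data: bytes) -> int:
    # CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum used for tag 63
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_payload(fields: dict) -> str:
    # "TTLLV..." fields in ascending tag order, then tag 63 whose CRC covers everything up to "6304"
    body = "".join(f"{t}{len(v):02d}{v}" for t, v in sorted(fields.items())) + "6304"
    return body + f"{crc16_ccitt_false(body.encode()):04X}"


def parse_tlv(payload: str) -> dict:
    fields, pos = {}, 0
    while pos < len(payload):
        tag, length = payload[pos:pos + 2], int(payload[pos + 2:pos + 4])
        value = payload[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag], pos = value, pos + 4 + length
    return fields


def verify_submission(payload: str, directory: dict) -> tuple[bool, str]:
    fields = parse_tlv(payload)
    body, given = payload[:-4], fields.get("63")  # CRC must be the last field
    if payload[-8:-4] != "6304" or f"{crc16_ccitt_false(body.encode()):04X}" != given:
        return False, "bad CRC: payload altered or malformed"
    name = fields.get("59", "")
    expected = directory.get(name)
    if expected is None:
        return False, f"no directory record for {name!r}"
    # tag 59 is free text chosen by whoever made the QR; only the account template routes funds
    if {t: v for t, v in fields.items() if t in ACCOUNT_TAGS} != expected:
        return False, f"account data differs from the record for {name!r}; the name alone proves nothing"
    return True, "account data matches the directory record"


# constructed directory record and two submissions carrying the same merchant name
DIRECTORY = {"masjid example": {"26": "0012EXAMPLE.GUID0108ACCT0001"}}
COMMON = {"00": "01", "01": "12", "53": "458", "58": "MY", "59": "masjid example"}
GENUINE = build_payload({**COMMON, "26": "0012EXAMPLE.GUID0108ACCT0001"})
MISMATCHED = build_payload({**COMMON, "26": "0012EXAMPLE.GUID0108ACCT0002"})
```

the same check works for the receipt problem: a receipt that only echoes tag 59 tells you nothing about where the money went, so the directory has to pin the account template it scanned on first approval.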
i hope maybank/duitnow/paynet will look into this matter and fix the loophole, as this is a serious issue. as for now, i'm developing an admin panel so that any future submissions have to go through the admin's approval in the system, rather than being reviewed across several channels like google form and github prs.