First of all: the story below was done at my own expense, as an experiment. Also, it just works.
Also, I will provide a very simple solution for such a system. Please don't miss it.
The story began one evening. I went to Pacific Coffee as usual with my friends, since we prefer the coffee quality there (😀 personally).
When I paid with my client app, by showing a QR code to be scanned, exactly the same idea you just came up with occurred to me: I was wondering whether the QR code itself changes or not. I immediately sent my friend a screen capture of that QR code and asked him to pay for my coffee using it. And you bet what? It worked! Therefore, my second plan was about to begin.
The next day, we went there as usual. This time I was queued in third place, just behind another friend of mine. When he took out his phone, opened the app and held it in the air, ready to be scanned, I took a picture. That picture is not very clear, just a close-up of his phone screen, but barely enough for QR decoding software to recognize the string behind the code. Part 1 done.
I told my friend to take 50 dollars from me and promised him I could buy a cup of coffee using his account. He chose not to trust me... Sure, then. Good luck, man.
🏗🏗🏗 I started Part Two. I opened Xcode and mocked up a Pacific Coffee app whose QR code section can be rendered from any string I inject through a backdoor.
💰💰💰 Yet another day, we went to the coffee shop again, and guess what: I made it. The transaction finished as normally as it always does. The only difference was: nothing. No one noticed, not even my friend. I went to him, since he was looking for a chance to beat me over yesterday's talk, and asked him to take a close look at his account balance. Then he finally realised that the promise I had made was already fulfilled.
I hacked💥 the Pacific Coffee payment system with an almost naive approach. But the fact is, a lot of similar payment systems can be hacked with a similar level of effort. It's because of the lack of security concern (or a dirty, cheap, fast approach). We have lived in a peaceful world for so long that almost all of us have forgotten how to protect ourselves.
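The whole story hinges on one property: the code on the screen never changed, so a screenshot or a photo of it was as good as the phone itself. The following is an added example (not code from the original post, nor from Pacific Coffee or any real wallet app) of what a merchant-side check looks like when the QR payload is instead a short-lived, single-use token: a random nonce, an issue time and the account id, all covered by an HMAC. The shared key, the 60-second lifetime, the field names and the in-memory nonce set are all assumptions made for the demo; in a real deployment the key would be provisioned per device by the wallet backend and the nonce store would live there too.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed demo key (assumption). A real wallet would provision one key per
# customer device from its backend; it would never be baked into the app binary.
DEMO_KEY = b"demo-key-not-for-production"

# A code shown at the counter should stop working within about a minute (assumption).
TOKEN_TTL_SECONDS = 60


def make_payment_token(account_id: str, key: bytes = DEMO_KEY,
                       now: Optional[float] = None) -> str:
    """Build the string a dynamic QR code would encode.

    The payload carries the account id, a fresh random nonce and the issue
    time; the tag is an HMAC-SHA256 over that payload. The result is
    "<base64url(payload)>.<base64url(tag)>".
    """
    now = time.time() if now is None else now
    body = {"acct": account_id, "nonce": secrets.token_hex(8), "iat": int(now)}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


class MerchantVerifier:
    """Merchant-side acceptance check.

    Rejects tokens whose tag does not verify (forged), whose issue time is
    too old (a photo taken earlier) and whose nonce has already been accepted
    (a screenshot scanned a second time).
    """

    def __init__(self, key: bytes = DEMO_KEY, ttl: int = TOKEN_TTL_SECONDS):
        self.key = key
        self.ttl = ttl
        self.seen_nonces: Set[str] = set()  # in-memory for the demo only

    def verify(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            payload_b64, tag_b64 = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:  # covers binascii.Error and the unpack failure
            return False, "malformed"
        # Check the tag before trusting anything inside the payload.
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        try:
            body = json.loads(payload)
            issued, nonce, acct = body["iat"], body["nonce"], body["acct"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # Reject stale codes and codes from a clock that is implausibly ahead.
        if now - issued > self.ttl or issued > now + 5:
            return False, "expired"
        # Reject a code that has already paid for something.
        if nonce in self.seen_nonces:
            return False, "replayed"
        self.seen_nonces.add(nonce)
        return True, acct


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the four cases the story hinges on and return each verdict."""
    verifier = MerchantVerifier()
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    token = make_payment_token("friend-account", now=t0)
    results = {}
    # The owner scans the code once: accepted.
    results["first_scan"] = verifier.verify(token, now=t0 + 5)
    # Someone scans a screenshot of the same code a little later: replay.
    results["screenshot_replay"] = verifier.verify(token, now=t0 + 30)
    # A photo of a code taken ten minutes ago: expired.
    stale = make_payment_token("friend-account", now=t0)
    results["stale_photo"] = verifier.verify(stale, now=t0 + 600)
    # A mocked app that renders a payload pointing at a different account
    # but reuses the old tag: signature fails.
    _, tag_b64 = token.split(".")
    forged_body = {"acct": "someone-else", "nonce": "00" * 8, "iat": t0}
    forged_payload = base64.urlsafe_b64encode(
        json.dumps(forged_body, separators=(",", ":"), sort_keys=True).encode()
    ).decode()
    results["forged_account"] = verifier.verify(forged_payload + "." + tag_b64, now=t0 + 5)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

The order of the checks matters: the tag is verified before the JSON is parsed, so a tampered payload is rejected before any of its fields are trusted, and the nonce is only recorded after the code has fully passed, so a rejected scan cannot poison a later legitimate one.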
Alright, story ended. Time to like and share with your friends, and warn them to secure their phone screen, I mean it. I will give a common and simple solution for such offline passive payment systems. But this is already too long, so please see my next update. I will post it after the weekend (maybe 3 days later if more than 200 people want to know).