#standards


The Microsoft-Dilemma - #Europe as a #Software Colony (43min)
kolektiva.media/w/cbb9f78a-970 (or
youtube.com/watch?v=duaYLW7LQv if you don't mind YT using/stealing your data)

This is how the #EU is paying a secret number of millions to #Microsoft in order to stay less secure, more dependent, less self-empowered, and more corrupt.

And this was known even before the US went totally crazy, risking our future big time.

So let's change and take back control using #FOSS software and open standards for true competition and actually according to our own rules for a change.

#Windows #Word #Excel

How to prevent Payment Pointer fraud

shkspr.mobi/blog/2025/03/how-t

There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners.

The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this:

<link rel="monetization" href="https://wallet.example.com/edent" />

That address is a "Payment Pointer". As a user browses the web, their browser takes note of all the sites they've visited. At the end of the month, the funds in the user's digital wallet are split proportionally between the sites which have enabled WebMonetization. The user's budget is under their control and there are various technical measures to stop websites hijacking funds.

This could be revolutionary.[1]

But there are some interesting fraud angles to consider. Let me give you a couple of examples.

Pointer Hijacking

Suppose I hacked into a popular site like BBC.co.uk and surreptitiously included my link in their HTML. Even if I was successful for just a few minutes, I could syphon off a significant amount of money.

At the moment, the WebMonetization plugin only looks at the page's HTML to find payment pointers. There's no way to say "This site doesn't use WebMonetization" or an out-of-band way to signal which Payment Pointer is correct. Obviously there are lots of ways to profit from hacking a website - but most of them are ostentatious or require the user to interact. This is subtle and silent.

How long would it take you to notice that a single meta element had snuck into some complex markup? When you discover it, what can you do? Money sent to that wallet can be transferred out in an instant. You might be able to get the wallet provider to freeze the funds or suspend the account, but that may not get you any money back.

Similarly, a Web Extension like Honey could re-write the page's source code to remove or change an existing payment pointer.

Possible Solutions

Perhaps the username associated with a Payment Pointer should be that of the website it uses? Something like href="https://wallet.example.com/shkspr.mobi"

That's superficially attractive, but comes with issues. I might have several domains - do I want to create a pointer for each of them?

There's also a legitimate use-case for having my pointer on someone else's site. Suppose I write a guest article for someone - their website might contain:

<link rel="monetization" href="https://wallet.example.com/edent" />
<link rel="monetization" href="https://wallet.coin_base.biz/BigSite" />

Which would allow us to split the revenue.

Similarly, a site like GitHub might let me use my Payment Pointer when people are visiting my specific page.

So, perhaps site owners should add a .well-known directive which lists acceptable Pointers? Well, if I have the ability to add arbitrary HTML to a site, I might also be able to upload files. So it isn't particularly robust protection.

Alright, what are other ways typically used to prove the legitimacy of data? DNS maybe? As the popular meme goes:

@atax1a@infosec.exchange

mx alex tax1a - 2020 (5)

@jwz @grumpybozo just one more public key in a TXT record, that'll fix email, just gotta add one more TXT record bro

20:49 - Sun 23 March 2025

Someone with the ability to publish on a website is less likely to have access to DNS records. So having (yet another) DNS record could provide some protection. But DNS is tricky to get right, annoying to update, and a pain to repeatedly configure if you're constantly adding and removing legitimate users.

Reputation Hijacking

Suppose the propaganda experts in The People's Republic of Blefuscu decide to launch a fake site for your favourite political cause. It contains all sorts of horrible lies about a political candidate and tarnishes the reputation of something you hold dear. The sneaky tricksters put in a Payment Pointer which is the same as the legitimate site.

"This must be an official site," people say. "Look! It even funnels money to the same wallet as the other official sites!"

There's no way to disclaim money sent to you. Perhaps a political opponent operates an illegal Bonsai Kitten farm - but puts your Payment Pointer on it.

"I don't squash kittens into jars!" you cry as they drag you away. The police are unconvinced: "Then why are you profiting from it?"

Possible Solutions

A wallet provider needs to be able to list which sites are your sites.

You log in to your wallet provider and fill in a list of websites you want your Payment Pointer to work on. Add your blog, your recipe site, your homemade video forum etc. When a user browses a website, they see the Payment Pointer and ask it for a list of valid sites. If "BonsaiKitten.biz" isn't on there, no payment is sent.

Much like OAuth, there is an administrative hassle to this. You may need to regularly update the sites you use, and hope that your forgetfulness doesn't cost you in lost income.

Final Thoughts

I'm moderately excited about WebMonetization. If it lives up to its promises, it could unleash a new wave of sustainable creativity across the web. If it is easier to make micropayments or donations to sites you like, without being subject to the invasive tracking of adverts, that would be brilliant.

The problems I've identified above are (I hope) minor. Someone sending you money without your consent may be concerning, but there's not much of an economic incentive to enrich your foes.

Think I'm wrong? Reckon you've found another fraudulent avenue? Want to argue about whether this is a likely problem? Stick a comment in the box.

1. To be fair, Coil tried this in 2020 and it didn't take off. But the new standard has a lot less cryptocurrency bollocks, so maybe it'll work this time?
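As an added example (not code from the original post, and not any real WebMonetization or wallet API), the two defensive checks discussed above in working form: a site owner's monitor that flags any monetization link not on their own expected list (the pointer-hijacking case), and the proposed wallet-side allowlist that lets a browser refuse to pay a pointer on a site it was never registered for. The wallet allowlist, the function names and the sample HTML are all constructed for illustration.

```javascript
// Extract href values of <link rel="monetization"> elements from raw HTML.
// (Regex-based scan of <link> tags; good enough for a monitor, not a full parser.)
function extractPaymentPointers(html) {
  const pointers = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const rel = /\brel\s*=\s*["']([^"']*)["']/i.exec(tag);
    const href = /\bhref\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!rel || !href) continue;
    // rel is a space-separated token list, so check tokens, not the whole string
    if (rel[1].toLowerCase().split(/\s+/).includes("monetization")) {
      pointers.push(href[1]);
    }
  }
  return pointers;
}

// Site owner's check: any pointer not in the expected set is suspicious and
// should be alerted on (a quiet way to catch a pointer snuck into the markup).
function findUnexpectedPointers(html, expectedPointers) {
  const expected = new Set(expectedPointers);
  return extractPaymentPointers(html).filter((p) => !expected.has(p));
}

// Wallet-side allowlist as the post proposes: each pointer lists the hosts it
// may be used on. Hypothetical, constructed data standing in for a wallet lookup.
const WALLET_ALLOWLIST = {
  "https://wallet.example.com/edent": ["shkspr.mobi", "github.com"],
};

// Browser-side decision: pay only if the pointer's owner registered this host.
// Unknown pointers are denied by default; subdomains of a listed host are allowed.
function shouldPay(pointer, pageUrl) {
  const allowed = WALLET_ALLOWLIST[pointer];
  if (!allowed) return false;
  const host = new URL(pageUrl).hostname.toLowerCase();
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

// Constructed sample page: the owner's real pointer plus an injected one.
const SAMPLE_HTML = `<head>
<link rel="stylesheet" href="/style.css">
<link rel="monetization" href="https://wallet.example.com/edent" />
<link rel="monetization" href="https://wallet.example.com/INJECTED-PLACEHOLDER" />
</head>`;
```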

🆕 blog! “How to prevent Payment Pointer fraud”

👀 Read more: shkspr.mobi/blog/2025/03/how-t

#CyberSecurity #dns #HTML #standards #WebMonitization

Looking at the class action lawsuit by academic peer reviewers claiming publishers constitute an illegal cartel that is misappropriating funding to their research, I am wondering whether #standards professionals could mount a similar action against ISO et al for diverting payment for their work exclusively to standards publishing.

reuters.com/legal/litigation/a

fingfx.thomsonreuters.com/gfx/

#UK #Standards #money #Phone #BT #Broadband I never cease to be amazed at the poor service from #monopolistic #Telephone #Broadband supplier. Months without a proper service so I change my server. And lo, riding over the horizon comes the bean counter, "ere, you can't do that, you owe us x zillion squid for our appalling service". Well chaps, you can sing for it. Breach of contract is 'tort' & I'll happily keep your penny pinchers busy for years. & a free plug for Zen services 🇩🇪 of course!

Australians’ love affair with monster family cars

"These big cars are fuelling congestion, blocking up streets and outstripping the size of car parks, leading to calls to build bigger ones – dismaying safety and environment advocates."

"The Monash University Accident Research Centre has also found that larger cars are much more likely to cause deaths and serious injuries to other people when they’re in an accident."

“We’re breathing emissions, our children are breathing emissions...You’re polluting the air.”
>>
theguardian.com/australia-news
#cars #SUVs #families #Australia #identity #schoolrun #climatechange #pollution #RoadViolence #MobilityDesign #standards #governance

The Guardian · ‘You have unmet needs’: the psychology behind Australia’s love affair with big cars, by Tory Shepherd