not.bot Use Cases: Trust Surface
This document covers signed links, authorized agent verification, and peer-to-peer commerce. It is part of the not.bot use cases catalog; the Use Cases Index holds the full catalog and the mechanism definitions the use cases draw on.
The unifying property
Any physical surface presenting a digital action is a trust surface. Any commercial relationship where parties cannot verify each other is a trust surface. Any third party claiming authorization from a brand is a trust surface.
The "quishing" attack (sticking a malicious QR code over a legitimate one in a parking lot) works because the URL itself cannot be verified by the user. Marketplace fraud works because buyer and seller cannot verify each other. Counterfeit-good schemes work because consumers cannot verify the seller's authorization from the brand.
Signed links, signed credentials, and signed transactions convert the trust question from "is this real" (which the user cannot answer) to "is this signer who I expect" (which the user can).
Signed links and signed action prompts
Parking, transit, and metered payment QR codes
The canonical quishing target. Attackers stick fraudulent QR stickers over legitimate ones in parking lots and at meters. Drivers scan, "pay," and discover later that the operator never received payment. Cards get charged, sometimes recurring.
A signed link shows the city or operator as signer before the user follows the link. The signature surface is verifiable; the URL is not.
The business value: Cities and parking operators lose revenue and face customer complaints from quishing attacks. The fraud scales across thousands of meters and parking lots per city. A signed-link infrastructure protects revenue, reduces customer disputes, and eliminates the manual QR-code-inspection programs some cities have implemented in response.
Restaurant menu QR codes
Menu QR codes at tables let attackers redirect to fake ordering systems that capture payment information. The attack surface scaled during COVID-era contactless adoption and never went away.
Signed menu links display the restaurant as signer.
The business value: Restaurants operating digital ordering through QR codes face liability for payment fraud that occurs through substituted codes. Signed links protect customers and shield the restaurant from chargeback losses and reputational damage.
Wi-Fi connection QR codes
The fake hotspot vector. A QR code purporting to connect a guest to a hotel or coffee shop network connects them to an attacker's access point. From there the attacker captures credentials and intercepts traffic.
Signed Wi-Fi codes show the venue as signer.
The business value: Hotels, airports, and coffee chains that offer guest Wi-Fi carry liability when fake hotspots capture customer data on their premises. Signed Wi-Fi connection codes protect both the guest and the venue from a man-in-the-middle attack that is difficult to detect and costly to remediate.
Charity donation QR codes
A massive disaster-related fraud surface. Fake charity codes appear next to legitimate ones at events, in fliers, and on social media. Disaster events attract thousands of fraudulent solicitations within hours.
Signed donation links show the charity as signer. Donors verify before giving rather than after losing the donation.
The business value: Disaster-relief charities lose both donations (diverted to fraudsters) and donor confidence (the next time a disaster hits, donors hesitate). Signed donation links protect revenue and trust at the moment donors are most willing to give.
Crypto payment QR codes
Address swaps in crypto QR codes drain wallets. A user sees what looks like a payment request from a known counterparty and signs the transaction; the address in the QR was substituted.
A signed address with the recipient as signer prevents substitution. Verifiers confirm the signer matches the expected counterparty before approving the transaction.
The business value: Crypto address fraud is irreversible. Funds sent to a substituted address cannot be recovered. For exchanges, payment processors, and merchants accepting crypto, signed payment addresses eliminate the highest-severity fraud vector in the transaction flow.
Tip and service-worker payment codes
Workers' tip codes get replaced with fraudulent ones at points of sale. The customer pays the tip, the worker never sees it. The attack hits hardest at the lowest end of the wage scale where tips matter most.
Signed tip codes show the worker or employer as signer.
Event and conference signage
Conference QR codes for schedules, materials, and networking get spoofed at events. Attendees scan, expect the conference platform, and get phishing pages instead.
Signed signage codes show the organizer as signer.
Museum and tourist information codes
Information QR codes at attractions get replaced with malicious ones that direct to phishing or scam pages. Tourist destinations are vulnerable because visitors lack local context to recognize substitutions.
Signed codes show the institution as signer.
Vaccination and health-pass QR codes
Health pass spoofing during the COVID era was widespread. Forged passes appeared in every jurisdiction with a vaccine-mandate regime.
Signed health passes with the issuing authority as signer let venues verify before granting access. The signature carries the issuer's identity through the verification chain.
The business value: Public health authorities and venues enforcing health-pass requirements need a forgery-resistant credential. Signed health passes eliminate the photo-editing and QR-code-forging attacks that undermined every first-generation health-pass system deployed during COVID. The infrastructure is reusable for future public health requirements.
Real estate yard-sign QR codes
"Scan to schedule a tour" yard signs get cloned by attackers running fake listing schemes. Prospective buyers schedule tours, share contact information, and become marks for downstream scams.
Signed sign codes show the listing brokerage as signer.
The business value: Real estate brokerages invest in yard signs as a primary lead-generation channel. Fraudulent clones intercept those leads, costing the brokerage potential commissions and exposing prospective buyers to scam operations. Signed QR codes protect both the lead pipeline and the consumer.
Authorized agent verification
A Business DID issues a credential to another entity authorizing them to act as an agent. The agent displays the credential. Customers verify the chain before transacting.
The category-level business value: Counterfeiting and unauthorized representation cost brands over $500 billion per year worldwide (OECD). Authorized-agent credentials give brands a digital chain-of-custody mechanism that is verifiable by the end consumer, enforceable at scale, and revocable in real time. Each category below represents a slice of that market.
Manufacturer authorized repair
Manufacturer authorized-repair programs for phones and electronics, auto warranty service centers, appliance repair networks. The customer scans a credential at the storefront or website confirming the manufacturer authorized this provider for warranty work. Counterfeit "authorized" repair shops lose their cover.
The business value: Manufacturers spend millions on authorized-service-provider programs. Unauthorized repair shops that claim authorization damage the manufacturer's brand, void warranties, and expose customers to substandard parts. A verifiable credential gives consumers instant proof before they hand over their device, vehicle, or appliance.
Pharmaceutical authorized distributors
Counterfeit pharmaceuticals are a multi-billion-dollar global problem. The WHO estimates ten percent of medicines in low- and middle-income countries are substandard or falsified.
Pharmacy supply chain authentication via credentials issued by manufacturers to authorized wholesalers and dispensers gives consumers a verification path to the source. Most relevant for online pharmacy storefronts where consumers cannot inspect physical credentials.
The business value: The Drug Supply Chain Security Act (DSCSA) requires pharmaceutical traceability in the US. Verifiable distributor credentials complement serialization requirements by authenticating the distributor at each step, not just the package. Manufacturers that issue credentials to their authorized channel gain real-time visibility into distribution-chain integrity.
Software authorized resellers
Microsoft, Adobe, Autodesk, and other software vendors operate authorized reseller programs. Buyers verify the reseller credential before purchase to avoid grey-market and counterfeit license keys.
The business value: Grey-market software keys generate hundreds of millions in losses for software vendors and expose buyers to malware, licensing audits, and support denial. A verifiable reseller credential lets the buyer confirm authorization before purchase and gives the vendor enforcement data on unauthorized channels.
Authorized parts dealers
Counterfeit parts in aviation, automotive, and medical devices kill people. The FAA tracks suspected unapproved parts cases; the FDA tracks counterfeit medical devices. Both agencies struggle with detection.
OEM credentials issued to authorized parts distributors give buyers a verification path. Critical-safety industries can require credential verification at receipt.
The business value: A single counterfeit part in an aircraft engine or medical device can cause catastrophic failure. The liability exposure for OEMs, distributors, and end-users runs into the billions. Verifiable parts-dealer credentials reduce liability risk, satisfy regulatory traceability requirements, and give procurement teams confidence that the part is genuine before it enters the supply chain.
Franchise authentication
Is this storefront a real McDonald's, Subway, or 7-Eleven? Franchise credentials issued by the corporate parent to legitimate franchisees authenticate the location. Most relevant in jurisdictions where brand impersonation drives revenue without legal recourse for the brand.
Insurance authorized adjusters and approved contractors
Post-disaster fraud schemes flood affected areas with fake adjusters and contractors. Homeowners under stress sign agreements with people who claim insurance company authorization that does not exist.
Insurance company credentials issued to legitimate field staff and approved contractor networks give homeowners a verification path during the highest-stress moments.
The business value: Insurance fraud costs the industry over $300 billion per year across all lines (Coalition Against Insurance Fraud). Post-disaster impersonation of adjusters and contractors is among the most harmful and least detectable forms. Verifiable credentials protect both the homeowner and the insurer's reputation at a moment when trust matters most.
Authorized used-car dealers
Used-car superstores, vehicle-history certification services, and manufacturer certified pre-owned programs operate authorized dealer networks. Verifiable dealer credentials let buyers confirm the certification chain before driving off the lot.
Charity authorized fundraisers
Door-to-door and event-based fundraising scams are persistent. People claiming to fundraise for legitimate charities cannot prove the relationship.
Charity credentials issued to authorized fundraising staff and volunteer coordinators let donors verify before giving.
Realtor brokerage authentication
Real estate agents present credentials issued by their brokerage. Buyers and sellers verify before signing listing or buying agreements. Most useful for relocations where the consumer lacks local market knowledge.
Tax preparer authentication
Seasonal storefronts and pop-up tax preparers (often fraudulent) victimize lower-income filers each year. The IRS publishes warnings; the warnings reach a small fraction of those who need them.
Credentials issued by the national tax-preparation chains and IRS-recognized programs let filers verify before handing over W-2s and SSNs.
The business value: Fraudulent tax preparation costs the IRS billions in fraudulent refunds and costs victims their tax refunds and personal information. Verifiable preparer credentials give the filer a check that takes seconds, protects the IRS revenue base, and gives legitimate preparers a trust advantage over fraudulent competitors.
Marketplaces and peer-to-peer commerce
eBay, Etsy, Facebook Marketplace, Craigslist, OfferUp, Mercari, Poshmark, Reverb, StockX. Peer-to-peer commerce stacks several capabilities into one application.
The category-level business value: Online marketplaces generate over $3.5 trillion in annual GMV worldwide. Fraud, fake reviews, and seller anonymity are the primary barriers to growth. Trust correlates with transaction volume: platforms that buyers trust capture more spend. The properties below compose into a trust stack that no existing marketplace offers.
Verified seller and buyer identity
Both parties hold not.bot identities. The platform gets sybil resistance and verified humanness. Each party gets confidence that the counterparty is a real person with skin in the game.
Banned-seller enforcement that survives account recreation
A seller banned for fraud cannot create a new account under a different name to resume operations. The site pass enforces one-account-per-human at the platform level. Permanent bans persist.
The business value: eBay, Amazon, and Etsy all face the problem of banned sellers returning under new accounts. Each return costs the platform investigation resources, buyer losses, and trust erosion. Permanent bans that work reduce fraud loss, investigation cost, and the reputational damage that repeat-offender sellers inflict on the platform's brand.
Verified reviews tied to verified purchases
One review per human per purchased item. Eliminates review farming, paid-review services, and competitor sabotage campaigns. Restores signal value to ratings that have been hollowed out across most major platforms.
The business value: Amazon estimates that fake reviews cost the platform billions in misdirected consumer spending. Consumers who lose trust in reviews buy less or buy elsewhere. Verified reviews restore the recommendation signal that drives conversion, and they differentiate the platform that offers them from competitors still fighting the fake-review arms race.
Portable seller reputation
A reputation credential issued by one platform travels with the seller's identity. A seller with five years of clean history on eBay can present that credential when joining a new marketplace, removing the cold-start penalty for legitimate sellers.
The business value: Legitimate sellers face a cold-start penalty on each new platform: no reviews, no history, no buyer trust. This favors established sellers and makes it harder for new platforms to recruit quality supply. Portable reputation removes the cold-start barrier, accelerates new marketplace growth, and lets legitimate sellers earn premium pricing on day one instead of after months of rebuilding trust.
Counterfeit-listing prevention via authorized-reseller credentials
Listings for branded goods can carry the authorized-reseller credential from the manufacturer. Buyers verify the credential before purchase. Listings without the credential carry no implied authorization. Brands can issue credentials at scale through their Business DID infrastructure.
The business value: Counterfeit goods on marketplaces cost brands billions and expose platforms to legal liability (SHOP SAFE Act proposals, EU Digital Services Act obligations). Authorized-reseller credentials give the platform an automated way to distinguish legitimate listings from counterfeits, reducing brand-protection complaints and legal exposure while improving buyer confidence.
High-value transaction buyer verification
Buyers presenting income or credit credentials qualify for high-value purchases (collectibles, vehicles, jewelry) without the seller running their own credit checks. The buyer's privacy stays intact: the seller learns only that the qualification is met, not the underlying financial details.
In-person handoff mutual verification
Facebook Marketplace and Craigslist meetings carry real safety risks. Both parties verify the other's identity through not.bot before meeting. The meeting record itself can be signed by both parties, creating an audit trail if something goes wrong.
The business value: Safety concerns suppress transaction volume on in-person marketplaces. Users avoid high-value in-person transactions because they cannot verify the counterparty. Mutual verification unlocks categories of commerce (vehicles, furniture, high-value electronics) where buyer hesitation suppresses the platform's GMV.
Gig economy and on-demand services
Uber, Lyft, DoorDash, Instacart, TaskRabbit, Handy, Rover. Same mutual-verification model as marketplaces, with the in-person component amplifying every concern.
The category-level business value: The gig economy generates over $400 billion in annual revenue worldwide. Safety incidents and trust deficits are the primary regulatory and consumer barriers to growth. Platforms that prove their workers are verified humans with verified qualifications gain regulatory goodwill, consumer trust, and competitive differentiation.
Driver and customer mutual verification
Both parties verify before pickup. The driver confirms the customer is who the app claims. The customer confirms the driver and the vehicle match the trip assignment.
Background check status as qualifier credential
The platform issues the driver a credential confirming background check status. Customers can request the credential before accepting the ride or service. Workers can present platform-independent qualifications when joining new platforms.
The business value: Background check portability reduces the cost of multi-platform work for gig workers and reduces the platform's onboarding cost for workers who have already been verified elsewhere. Workers who can present a verified background credential join new platforms faster. Platforms that accept portable credentials recruit quality supply ahead of competitors still running multi-day background check processes.
Profile-to-person identity matching at handoff
The person who shows up matches the app profile. Addresses fake-driver scams that lure passengers into unauthorized vehicles by matching the make, model, and license plate displayed in the app.
The business value: Fake-driver scams have resulted in serious safety incidents, including assaults and kidnappings. Each incident carries liability exposure, media coverage, and regulatory scrutiny for the platform. Identity matching at handoff eliminates the attack vector where a non-driver intercepts a passenger by displaying a matching vehicle, converting a known safety risk into a verified encounter.