Scammers Put Fake QR Codes On Parking Meters To Intercept Parkers' Payments (arstechnica.com) 45
An anonymous reader quotes a report from Ars Technica: Scammers in a few big Texas cities have been putting fake QR codes on parking meters to trick people into paying the fraudsters. Parking enforcement officers recently found stickers with fraudulent QR codes on pay stations in Austin, Houston, and San Antonio. San Antonio police warned the public of the scam on December 20, saying that "people attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor." Similar scams were then found in Austin and Houston.
The fake QR codes reportedly directed people to a "Quick Pay Parking" website at the domain passportlab.xyz, which is now offline. It's not clear how many people -- if any -- were tricked into paying the fraudsters. "We don't use QR codes at all for this very reason, because they are easy to fake or place on the devices," Austin parking division manager Jason Redfern told KXAN. "And we heard from industry leaders that this would be a possibility." Austin accepts payments directly at the meter with coins or credit or with the Park ATX mobile payment app. [...] Houston officials found five meters with fake QR codes and removed the stickers, according to KPRC 2. While the scam seems to have been centered in Texas, it could be repeated anywhere. If you see a QR code on a parking meter, ignore it and make sure you pay the city directly.
can you get out of a ticket if you used the fake (Score:3)
Can you get out of a ticket if you used the fake one?
Re: (Score:2)
First time [dealing with the government]. Huh?
https://1.bp.blogspot.com/-F_r... [blogspot.com]
Re:can you get out of a ticket if you used the fa (Score:5, Interesting)
Can you get out of a ticket if you used the fake one?
Probably, but it'll still cost you. For example:
Here in Seattle, they care so much about the climate that they actively penalize you for riding a 125cc 4-Stroke motor scooter that gets 80MPG.
See, you have to pay the exact same parking rate as an SUV, but you are not allowed to use the entire parking space. Instead, you have to park perpendicular to the curb, at the end of the space so a car can share the space. So, exact same price for 1/10th the space. That'll teach people to drive a 180lb vehicle instead of a 7,000lb behemoth!
But wait, there's more.
Drivers put their tickets inside of their vehicles so they can be seen through the window. Two-wheelers, on the other hand, have to tape it to the headlight, where anyone can take it, and put it in their car ... free parking!
Happened all the time for me.
Oh, and if you get a ticket for not having a sticker, because yours was stolen?
Well, you are free to take a day off from work, bring your bank statement to court, and show them that you really did pay. You have to do that EACH TIME your sticker gets swiped and you get a ticket.
Makes driving an automobile look WAY more attractive, and most people do. Because Seattle is VERY worried about Climate Change! Extremely worried! So very, very worried!
So, I imagine they will be able to get out of the fine, but typically only a traffic judge has the power to throw a fine out ... so let's hope they have some vacation saved up.
Re: (Score:2)
In PA (including Philly), their system uses the car's plate (paired with the zone) to check if you paid for parking. So attendants can simply look up the car's plate to check if you paid for parking, no waste of paper needed.
Re: (Score:2)
It's Parkmobile/meterUP, and that's how it works. But if you get a not-quite technically savvy person and QR code on the meter/sign instead of entering the URL from the sign/meter, you could confuse people.
This is what the sign looks like in Philly [philapark.org].
Re: (Score:2)
Here in Seattle, they care so much about the climate that they actively penalize you for riding a 125cc 4-Stroke motor scooter that gets 80MPG.
And that's a good thing, because while you are focusing only on MPG and by extension CO2 emissions, your 125cc 4-stroke motor scooter is orders of magnitude worse than other motor vehicle emissions in ways that directly affect the health of people.
The "environment" is more complicated than the single number you reduced it down to.
Re: (Score:2)
>125cc 4-stroke motor scooter is orders of magnitude worse than other motor vehicle emissions in ways that directly affect the health of people
I don't think that's the case. What do you mean?
https://www.newscientist.com/l... [newscientist.com]
https://www.futurity.org/auto-... [futurity.org]
https://www.ncbi.nlm.nih.gov/p... [nih.gov]
Re: (Score:2)
It's not much different where I live. I got a couple of parking tickets on my motorcycle that I never knew about until I got mailed a warning/summons/whatever about an unpaid parking ticket.
Turns out, without a windshield wiper there's no real great place to put a parking ticket and they can blow away and you never know you got one.
I had to contest them both just to pay only the initial fine and not the fine + late penalty. However, I beat one of them completely because the meter person wrote a non-existent
Re: (Score:2)
That's why meters were a quarter and the fine was $20 or so. Now it's a whole lot more of course.
It's all about making money off people who usually don't have any to spare.
Re: (Score:2)
I can easily remember when parking violations were cheap enough that you could kind of justify the fine as just a convenience fee. Even in college, it seemed low enough that I just ate the tickets.
Misused QR Codes (Score:3)
QR codes are not for public consumption.
Re: (Score:3)
Misused QR codes. QR codes are not for public consumption.
I think this kind of vulnerability is independent of QR codes. Imagine there was just a sign at the parking lot telling you to download the QuickPay parking app and type in location code 21379. Someone could replace it with a sign that tells you to download the HastyPay parking app and type in location code 21379, except they wrote HastyPay to siphon money to their own account. (Such a sign would let you track down the authors by their app store registration, similar to tracking down the QR code authors fro
Re:Misused QR Codes (Score:5, Informative)
That's why QR codes aren't used - the places that run the meters KNOW they are a serious vulnerability because anyone can sticker over the real code.
The meter already takes cash and credit cards, and pay by app or website is available if you go to the thing on the meter (don't trust it if it's a sticker and not with the placard).
Also, the meters I use almost never rely on a tag you stick under the window - the tag you get is your receipt. Instead, you punch in the stall number you're parked at, or more commonly, your license plate number. Saves having to go back to your car to stick the tag in, or if you're a motorcycle, having the tag stolen.
An attendant simply walks around the lot and types in license plate numbers or stall numbers and their smartphone tells them if you're legally parked or not.
Very simple, very efficient, and you keep the slip in case you get a ticket because it's your official receipt.
Re: (Score:2)
Why would they even need to type in the license plate numbers? Just a bit of ANPR would do the trick. I also imagine they can get a list of spaces that should be free too.
Re: (Score:2)
Why would they even need to type in the license plate numbers?
So you can't sell your all day pass to the next person.
Re: (Score:2)
The parking meters on my street generate QR codes on the screen; I used one just yesterday to get the receipt for my parking. They don't even offer paper receipts any more - the parking inspectors have a device which I think just scans number plates and looks to see if there's a registered parking payment for that plate.
I can't pay via QR yet but I imagine that will be a feature they'll add soon.
Re: (Score:2)
Misused QR codes. QR codes are not for public consumption.
I think this kind of vulnerability is independent of QR codes. Imagine there was just a sign at the parking lot telling you to download the QuickPay parking app and type in location code 21379. Someone could replace it with a sign that tells you to download the HastyPay parking app and type in location code 21379, except they wrote HastyPay to siphon money to their own account.
A police officer or a parking attendant is at least capable of noticing that the sign has the wrong name on it if it is in plain English though. QR codes are completely opaque to the casual observer.
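The opacity described in the comment above can be reduced on the scanning side. The following is an added example, not part of the original thread or of any parking operator's code: a payment app decodes the QR payload, shows the real host, and opens it only if that host exactly matches an allowlist. The host `pay.parking.example` and the sample payloads are constructed placeholders; `passportlab.xyz` is the domain named in the story.

```python
from urllib.parse import urlsplit

# Assumption: the operator's app ships with the exact hosts it pays through.
# "pay.parking.example" is a placeholder, not a real operator.
OFFICIAL_HOSTS = frozenset({"pay.parking.example"})


def check_qr_payload(payload, official_hosts=OFFICIAL_HOSTS):
    """Classify a decoded QR payload. Returns (allowed, reason, host)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        parts.port  # accessing it raises ValueError on a malformed port
    except ValueError:
        return (False, "malformed URL", None)
    if parts.scheme != "https":
        return (False, "not an https URL", host or None)
    if not host:
        return (False, "no host", None)
    if parts.username is not None or parts.password is not None:
        # https://official@other-host/ displays the official name before the '@'
        return (False, "userinfo in URL", host)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return (False, "internationalized host (possible lookalike)", host)
    if host not in official_hosts:
        # Exact match only: no suffix, prefix or substring comparison
        return (False, "host not on operator allowlist", host)
    return (True, "official payment host", host)


# Constructed sample payloads, as a scanner would hand them over after decoding.
SAMPLES = [
    "https://pay.parking.example/zone/21379",
    "https://passportlab.xyz/pay",
    "https://pay.parking.example@passportlab.xyz/",
    "https://pay.parking.example.passportlab.xyz/",
    "http://pay.parking.example/zone/21379",
    "WIFI:S:FreeParking;;",
]


def triage(samples=SAMPLES):
    """Return (payload, allowed, reason, host) for each sample."""
    return [(p, *check_qr_payload(p)) for p in samples]


if __name__ == "__main__":
    for payload, allowed, reason, host in triage():
        print(f"{'OPEN ' if allowed else 'BLOCK'} host={host} ({reason}): {payload}")
```

This only helps when the code is scanned inside the operator's own app; a phone's generic camera app will still open whatever URL the sticker encodes.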
Re: (Score:3)
Is there any way to handle this that isn't vulnerable to these kinds of attacks? Anyone can make a sticker that says "go to www.fakeparkingpayment.com to pay", it doesn't have to be a QR code. The thing they stick it on doesn't even have to accept online payments.
A more harmless prank.. (Score:1)
..is putting fake NFC logo stickers on things that don't actually accept Apple/Android Pay, such as old coke vending machines.
Re: (Score:2)
Not that harmless. Someone comes along and thinks he's buying a coke and enters his credit card information onto a scam site.
Re: (Score:1)
I'm talking about a sticker with the NFC logo on it, not an actual NFC tag. There's nothing malicious about that, other than it will waste someone's time if they're really hell bent on trying to pay using their phone.
Re: (Score:2)
It's harmless enough if your QR code points here [youtube.com].
Re: (Score:2)
>1.13 billion views
Yeah, that URL might be worth getting a few hundred stickers professionally made.
Re: (Score:2)
I'm in awe how 2/2 (so far) replies to this comment managed to exchange NFC logo for QR code...
I guess "What does he mean when he says words" is a question everyone answers in their own way.
TL;DR: if you see a QR code, ignore it (Score:4, Insightful)
Unless you're the type that clicks on links in emails.
And no, I don't read restaurant menus on my phone, either.
Re: (Score:2)
Why? Are you so worried about links on the internet that after clicking one you blindly then do everything it says on the page? Are you worried the words shown on a QR based restaurant menu are going to install malware in your brain or something?
Abstinence is stupid. You're basically saying the internet is full of dangerous places so everyone should turn off their modems.
Re: (Score:3)
I have yet to see a restaurant website that has an "okay" mobile phone experience.
Our town just introduced those shit Bird scooters (Score:3)
Re: (Score:1)
I'd assume it would just be more profitable to steal the scooters. They apparently can be turned back into normal scooters with some inexpensive parts.
Re: (Score:2)
You'd need to goof up quite a bit to fall for a scam there. Those QR codes are scanned by the Bird phone app and are rather useless otherwise.
Seems possible... (Score:1)
Those QR codes are scanned by the Bird phone app and are rather useless otherwise.
Sure the real ones are, but the replacement QR code could be a link to the BadBird website that would ask you to pay to unlock the scooter... people who had not used the scooters before might not realize they should download the app (especially if that instruction had been covered up).
It wouldn't get anyone who had the Bird app and was used to using the scooter, but any new user would be vulnerable.
Watching until the end (Score:2)
Re:Watching until the end (Score:4, Funny)
If more people used Bitcoin, this would probably be a pretty common scam.
1. Stick a "Pay HERE with Bitcoin!" sticker on a gas pump/EV charger/parking meter/etc. with a Bitcoin wallet address.
2. Wait.
3. Profit!
You gotta admit (Score:3)
It's a bit clever, but I'd be mad if I ran into this
Idiots! (Score:2)
If they had simply made the system actually pay the parking meter then they could add a small amount of overhead (a "processing fee") and it would have been legal!
Why warn people? (Score:4, Funny)
They can fine all the conned ones.
TX PE is full of shit (Score:2)
We use QR codes to pay for parking here in California, there are no scams, and when implemented correctly it works far better than any other method.
There's adequate signage, and the meter responds immediately when paid.
If you paid for a parking meter via QR and the meter doesn't activate, you can call your card issuer and charge back the transaction. That would get the fraudster's merchant account shut down in no time.
The QR based apps are insanely cool and absolutely useful, if only because you can extend y