You could wash this fast with gift cards like microsoft support scammers. What's funny though is the amount is so low. Maybe at the most $5-10 a person. I can't imagine you getting a large sum of money through this before being shut down.
I assume everyone is paying with credit cards, so I don't see how gift cards would help. The scammers probably live in a country with lax law enforcement with regards to hacking, so they can just deposit the money into their account when the credit card company sends it.
You get money from the payment processor then cash out into gift cards. It's a lot harder to track a gift card vs it going to a bank account. You then churn the gift card into cash at a discount rate using a gift card reselling website.
Can you buy gift cards without depositing the money into an account you control? Once it's in the account just buy crypto or whatever. I thought the gift card scams happen because credit card companies refuse to pay out to companies that get accused of scamming.
Yeah, and you can follow the money all the way to the crypto wallet where it was converted to something harder to track or harder to revert transactions on...
Good point. I hate web3 as much as the next HN’er but “buy things and engage in recurring subscriptions via easily-canceled smart contracts without giving your full account details to a random third party” is a compelling proposition.
There's a meta question here of the feedback loop.
If I pay via coins / credit card the parking meter will tell me "Okay, you have XY minutes left." If I pay via the app, does the meter update as well? If I pay via the scam app... presumably there is no feedback loop, though people may not realize this.
As a second order effect, wouldn't it make sense to investigate the domain and find the owners? Assuming they are paying some other party to put these stickers up the owners of the domain are the real problem. Telling residents to educate each other feels similar to the trope of you are a "victim of identity theft" when Equifax loses your personal details.
The scam website is passportlab.xyz (Thanks for including the URL in the news article I guess?)
Looks like it is registered with Google Domains. They use magic.link to send a URL. They are using Stripe to process payments. Any one of these could lead to the perpetrator.
(It looks like Stripe might have shut them down already though.)
I'm really surprised this hasn't happened sooner. Parking along the seawall in galveston used to be free. Now you pay with a smart meter. I saw it coming a mile away because all the smart meters had QR codes to download the app. Only takes a smart person to build a web app that looks similar, with a paypal link, ask what meter you're at, send an email that you're good for X minutes, etc.
I agree. I can't believe I had never thought that a public QR code may be untrustable until now. This is going to make me a bit more paranoid now when scanning them for parking purposes.
I think they will still be clicking with their noses in that case. It never ceases to amaze me how many people think. “Oh hey that interesting/cool <click>”. Or “hey how did they know I needed this?”
There are companies providing fake phishing messages as a service. Use those and attach penalties for repeat idiots. If they don't care about putting the company at risk, they might at least think about putting their own employment at risk.
Edit following the comments: maybe reversing the approach would work, by attaching monetary rewards to correctly reporting phishing emails? That would encourage everyone to be extra suspicious and report anything that looks amiss for the chance of getting some extra cash while avoiding the negatives of firing people on sight.
That’s a good way to ensure everyone hates ITSec for punishing them despite having failed to provide an environment which is secure enough to survive someone clicking on a link in an email. That makes it less likely that people will report suspicious activity and gives a successful attacker a way to blackmail someone.
This time is much better spent securing the environment: spend the money on Yubikeys, lock down your default browser or use an isolation system, beef up your network filtering, etc. — things which can actually work and won’t make your users think you’re just trying to get them fired.
The problem I see with locking things down is that you can't lock down things that the user requires for their job. If the user legitimately needs access to some sensitive information for example, it's just a matter of time before they can be tricked by an attacker into doing something stupid with it. Yubikeys would solve the problem of the user giving away their credentials to the sensitive data but wouldn't stop the user directly giving away said sensitive data. Locking down is also a blacklist approach where you can miss something and it will be exploited when an attacker eventually gets lucky. I'd rather be the one getting lucky and catching those users early than waiting for an attacker to catch them.
I guess instead of a penalty a more user-friendly way would be to attach monetary rewards to reporting phishing emails? That would incentivize reporting anything that looks even just slightly suspicious, which is probably a better outcome from a security point of view even with false positives.
We use one of those services, too, and you have to use a very light touch. Just using them at all makes people paranoid. If there are people you find who pose a risk, yes, you should do something about that, but terrorizing your workforce is a terrible idea for multiple reasons.
> putting their own employment at risk
Even looking at it amorally, that only really works in declining industries where people don't have a choice. Do that to engineers in a hot economy, and I suspect you'll be employing only the otherwise-unemployable soon.
About two years ago, where I worked really amplified up their phisting testing, and after the first batch when SO MANY PEOPLE failed (I heard the number was around 60%), they pushed out a new HR policy that included a suspension/termination for repeated offenders.
Less than 3 months later, HR was begging people to click the link in their email to set up their benefits for the year, because they had a 0% click-through rate.
Depending on the size and culture of the company I feel like that's a pretty risky proposition unless you've got senior leadership really chomping at the bit right after a major incident. It's quite likely someone pretty high up in the company will fall for the fake phishing and then you've got a bunch of politics in your lap.
This happens at my work but if you click on a link you need to do a phishing awareness training module. I think this is an effective approach because it doesn't seek to punish anyone but instead train them to be more aware.
In fairness, how many times per day do they get legitimate messages which have unsolicited attachments or user-hostile opaque click-tracking links? Most places would have much easier phishing training if there weren’t so many exceptions.
Because security isn’t a priority at most organizations and outsourcing further diffuses accountability.
This is why I would usually focus on things like WebAuthn (making phishing much harder) or locking down the default browser environment more so it takes more than one click to cause a major problem. That doesn’t prevent social engineering, of course, but that requires a lot more work and gives more time for other safeguards to work.
A lot of the HR-y systems and other things being not hosted on-prem and moved to salesforce or something means a lot of random click-through links in legitimate emails, e.g. to take some "totally anonymous survey" at work or vote on some questions for the next "roundtable with the VPs". So many of these companies have URLs that are not related to their domain for these short links, and it just leaves me scratching my head. clicktrack.legitdomain.com was eschewed for your shortlinks in favor of link-track-service.net?
Of course there's the "follow the money" issue, I wonder if it's doable using a payment provider in a dubious country, or if Visa/Mastercard would just chargeback, leaving the payment provider to be mad at you (but hopefully they did poor KYC so they'd have no power to send their henchmen to you).
Maybe the fake app can say "Now you need to go to walmart.com to buy a gift card and enter that gift card code's to pay for parking", but that would filter out a lot of people who was looking for convenience in the first place. If I were consulting for this criminal, I'd say "You need to get to their greed by offering them a big prize, e.g. 1 year free parking in $CITY...".
The truth is that even though it's technically possible to follow the money and all the paper trail is there, in some countries law enforcement doesn't seem to be bothered to investigate things at all (even when reported by a bank for fraud/money laundering suspicions) from my experience.
These scammers are either smart and done everything anonymously, or too stupid to understand how this can all be tracked, but unfortunately this stupidity does often end up paying off.
I'd be very surprised if a Stripe API key can be used to easily extract funds. I don't think you can directly buy gift cards/vouchers, and adding a new bank account is probably possible but would require manual verification which would blow up the attempt before it succeeds.
Sorry I should have been more clear. They are using stripe to process these payments, someone found their api key and reported them as fraud just now. They were using stripe with a bank account.
If I were doing this, I would make a clone of the legitimate site, collect their info and pay for the parking on the real site, but save the credit card number for sale on the black market. I'd imagine one could find any number of sites where this could be hosted anonymously (or slip it into a hacked site's service). If you slap QR code stickers over legitimate ones it could be months before anyone noticed.
It can still trivially be tracked by the card networks as people start reporting large fraudulent charges and card details aren't worth the hassle unless you're literally getting thousands of them (via PoS malware or similar automated means). The other commenters' idea of raising the price a little bit and pocketing the difference is more likely to last and net more money in the long run as less people would question and bother disputing a slight surcharge.
I think the idea is you silently harvest the numbers for a while and build up a stockpile before cashing them in. If you wanted to flee the country before getting your payday you might be pretty safe.
I endorse absolutely none of this, just to be clear.
Send the legit information and payment through to the city via the API of the mobile app. Raise the price and keep the difference.
The best scam is the one that isn't detected. There's a story about a guy who collected £3 from every visitor to the Bristol Zoo car park here in the UK. Supposedly he did it for nearly two decades. Car park was free. No idea if it's real.
One that's totally out in the open is US entry visas. If you're from outside the US, you have to fill in a government form that looks pretty old school. There are "services" that look better and turn up in searches, and will simply forward your info. I ended up using one by accident and luckily they simply paid it back immediately when I emailed them, but my hunch is most people don't detect it or don't bother to try to claw back the money.
If you have valid card info and a cardholder attempting to buy something in real-time, why not just proxy their card details and any verification (3D-Secure, etc) directly to a gift card/cryptocurrency exchange/etc? I'm sure it'll net way more than selling the card details as it effectively bypasses the 3D-Secure step which typically protects against card-not-present fraud.
You're telling me. (not so humble brag) I developed a software solution and 3 patents granted over 10 years ago to stop these kind of shenanigans. Ahead of our time.
*Unfortunately, matrix barcodes may sometimes reference malicious websites, which may be used to steal confidential information (e.g., user credentials or credit card numbers) as part of a phishing attack or exploit vulnerabilities in mobile web browser software that may allow malware to be downloaded to a user's mobile computing device. Furthermore, some legitimate Internet resources (through the use of spam, comment posts, etc.) may be used to redirect users to malicious websites. Accordingly, the instant disclosure identifies a need for systems and methods for providing security information about quick response codes.*
Maybe if they didn't have a "pay by app" scheme as seen in one of the pictures, people would be less likely to fall into this scheme. I'm not sure why government agencies should require people to download an app just to pay a parking fee instead of making things as frictionless as possible (I live in Australia, we have the same issue here)
I think they just did the system backwards; the meter/parking placard should just have an etched and URL + branding for the app and the posts at parking spots should just be some UID for parking spots the system has registered. The main app/site should let you scan and auto-fill the data, but it'll wait for you to confirm you got it right.
Scammers can still put fake stickers/posters/whatever up, but the QR scanner shouldn't trigger an action, it should just provide some static location data when it comes to some payment action.
I think it's just a really poorly thought out system that didn't really research how other successful implementations of QR codes work.
Maybe I'm dense but couldn't an attacker just put a qr code sticker over every space that all pointed to their own space? Then everyone would be paying for the attacker's parking.
I suppose this is harder to pull off with a lower benefit, and a higher chance of getting caught (i.e. fast acting law enforcement would know which car was in the free space).
To mitigate this, you might need space numbers posted. This is easy to verify that each space is different. But at this point, why even have a QR code?
In Finland from my experience the app is most frictionless way. And one of the few apps I actually like to use. I have two downloaded on my phone, I enable location. Wait for it to get general area, it has my credit card and plate number store. I set time and start it. Then when I get back to car I can just stop there and get billed exact time. No dealing with coins or paying at meter or guessing how long will I take.
Once you've used the app once, payment becomes quite frictionless with an app. Without the app, I need to locate the pay station. Wait for anyone ahead of me already at the pay station. Then determine if it's the old type that issues a paper window ticket or the newer type that uses your license plate. If it's the new type, I have to enter my license plate info, taking care to remember not to transpose the two digits that always trip me up. If it's the old type, I have to wait for the ticket to print then return to my vehicle and place it in the proper spot in my door window sill taking care not to let it fall out when I close the door. Then I have to remember what time I need to move my car or add more time and return to the pay station to do so.
With the app, I have to do all of that once and the app remembers everything for me. If I am driving my wife's car, I don't have to try to remember her plate number. I can pay for my parking while walking to wherever I am going and I'll get a notification 5 minutes before my payment expires and can add time right where I stand at that moment. Parking apps can be great though it is annoying that every town seems to have their own app or payment provider.
The problem is installing the app, that's the part I don't want. All you said applies to the case in which the app is installed.
Edit: just to elaborate a bit further in case it's not clear: should people who don't have a smartphone, or their smartphone is broken, or maybe they forgot the charger home, still be allowed to park their vehicle in a public area? Isn't there a higher standard in terms of accessibility requirements, when you are providing a public service?
I got banned from my local parking app for "violating the terms and conditions". Though to my knowledge I used the app as a normal user would and to this day I'm mystified about what event caused the ban.
Thankfully there are still kiosks that accept physical credit cards so I am able to legally park my car. It's a lucky thing I have a credit card that hasn't been banned because there no longer seems to be any way to pay with quarters.
I'm not sure why government agencies should require people to download an app just to pay a parking fee instead of making things as frictionless as possible (I live in Australia, we have the same issue here)
In some cities the parking meters are run by a private company.
Chicago, for example, leased its parking meters to an Australian company. (Or Spanish. I forget, one got the parking meters the other got the Skyway) In exchange for an up-front payment to the city, the private company gets to run the parking meters almost any way they want.
This includes raising prices.
Or worse, in the Chicago example, the parking meter company successfully sued the city and now Chicago isn't allowed to permit the construction of any new public parking garages in the downtown core, because that would hurt the parking meter business. The only new garages that are permitted are for new residential buildings and a calculated number of spaces exclusively for office buildings for hotels.
Abu Dhabi owns the parking rights in Chicago. Personally I think having a private company control parking rates/enforcement makes sense because parking costs should be much higher than they currently are but that's not politically viable. By pawning the bad press onto some company politicians can avoid the downsides while pricing parking properly. Unfortunately Chicago is full of corrupt politicians who negotiated an unbelievably bad deal for the city, agreed that the biggest problem is that the city can never get rid of street parking or add garages.
Yeah, ideally the city would have kept controlling parking but charge equivalent (or higher!) rates, but then the next election that would all disappear...
If I can't pay for parking with cash, I'm not parking there. In fact, it just encourages me to find a different place where the parking is actually still free.
Some train parking lot systems would be vulnerable to this too.
I've parked in lots where you enter the parking spot number and payment into a website. There is no physical confirmation, and it would be trivial to put a QR code on the parking information sign.
Especially because typically people are walking into the station while paying, and not standing in front of the sign double checking the details.
Insult to injury, the UI on the legit system is so bad and slow that scammers wouldn't even need to try to replicate what exists. Basically anything else would be an improvement.
From a certain perspective, is this even morally wrong? The way these meters are always justified is that they help to shape behavior in urban areas and allocate limited space efficiently. It doesn't really matter who gets the money as long as people are paying. Moreover, if the city is in any way hurt by the loss of revenue there's already an inherent conflict of interest in city planning.
Sure, scammers are bad, meter maids could incorrectly cite vehicles, and it's highly likely the scammers are doing more than just collecting the fees, but I don't find the basic premise that terrible.
Houston's got plenty of parking. Agree parking is generally too cheap, but their zoning laws went crazy with parking requirements and the spots aren't going away anytime soon.
> Moreover, if the city is in any way hurt by the loss of revenue there's already an inherent conflict of interest in city planning.
It’s strange to frame this as us vs them. Revenue lost by the city is coming out of your pocket. Don’t you have a vested interest in not having scammers drain your city’s income? I do. It definitely matters who gets the money, if you aren’t singularly focused on the behavioral results of drivers having to pay for parking.
It’s also strange to use language suggesting the city couldn’t possibly be damaged by the loss of revenue. Enforcement efforts are trying to be net positive, cover their costs, and contribute any remainder to other public works.
Revenue lost by parking meters may be coming out of your pocket. It depends on the city and their contract with the meter company. If you're in Chicago for example, 100% of revenue for the next 60-odd years goes to a private company and the city pays them for lost revenue every time they shut a street down for repairs.
The contract in chicago also reportedly contained stipulations that the city wouldn't install certain types of infrastructure that might affect parking revenues like bike lanes. That's the sort of conflict-of-interest I was talking about.
In general, of course I agree that metered parking can be a great solution to many issues. I would just prefer that the money actually go to the city rather than terrible private companies.
> the city pays them for lost revenue every time they shut a street down for repairs.
Right. And that money comes from taxes, right? It’s plausible under the scenario you’re describing that fake QR codes could end up costing the city as well; contractor may argue the city is responsible for enforcing & cleaning QR graffiti. (I have no idea whether that’s the case in reality, just imagining ways it’s possible that you are paying for scammers even though you don’t think so.)
The regulatory capture sucks, especially if a meter contractor is preventing bikes lanes. The city needs to resist such stipulations, but I realize this kind of shit happens all the time. I wonder why the contractor would have such leverage; I would think the city’s in the stronger position. I agree with you, I wish the money were going directly to the city rather than for-profit businesses, especially when those businesses are draining city revenue on a larger scale than some QR hackers.
Good point. There are even laws on the books in certain states/cities that they can only charge up to the amount it costs them to provide the service and collect fees. So from the city’s perspective it’s not a horrible outcome.
> It doesn't really matter who gets the money as long as people are paying.
May as well just not pay the scammers at all then, and now the allocation strategy is just "first come, first serve, stay forever, try to avoid police".
I think the way QR codes have been used these last two years has left a lot of people with the impression that they're some kind of magical portal through the internet to some trustworthy source.
This is a great idea for pranks! Although real people who go to restaurants and don't spend their time on Reddit may not know what a rickroll is.
It could be funnier to replace the menu with a slightly fake one and see what happens when people try to order things that don't exist (but could reasonably be thought to exist).
I love that -- thanks! I have a lot of sympathy for what motivated restaurants to adopt QR code menus, but as a patron I hate 'em. If this prank is done at scale it can help drive the restaurants back to real menus.
To be clear, this was a joke and I don't actually do this, though I'm also not a fan of qr menus (other than it's amusing watching tables of less tech savvy folk attempt to use them).
I've noticed a similar thing on rentable bikes in SF and NYC. People don't put the qr code over the existing bike one, but they put it near enough that your QR reader might pick it up by mistake and open up the order site for a pizza chain. Fortunately, when I'm using the bike app directly, these codes are ignored, but new users don't necessarily have the app yet.
There's another QR-swapping scam running in NYC these days after the Citibike bike sharing system switched from typing a code at the dock to scanning a QR on the bike itself.
People will take the barcode from one bike and put it on others, meaning when someone comes to unlock a bike, it actually unlocks the scammer's bike. By the time the victim realizes why the bike they're scanning won't unlock, the scammer has ridden away.
I thought you had to be within a certain distance of a dock to unlock. Are you saying the scammer is standing there at the dock waiting for a mark to come along and unknowingly unlock one for them?
How does this even pay out? Do they use this “trick” to get a free ride and return the bike somewhere, do they steal the bike and keep it or do they sell it? Seems like a pretty handson and risky thing to do.
I've thought of QR-encoding the URL to the Rick Roll video and "pranking" people trying to scan ads.
Here come the righteous downvotes; to defend myself, I never went through with it, and they were ads to promote the city's iniative to invite the corrupt organization the International Olympic Committee so they could feast on our tax money.
I think this would be a great way to educate the public about not trusting a QR code they find in public, without first double-checking it. Better than learning the hard way.
A couple of years ago, I was bored at REI while waiting for something and decided to actually scan the NFC on the packaging of some sealskinz gloves. To my surprise, the NFC tag was still writable.
So, if you bought gloves at an REI in Bellevue Washington, and got rickrolled by the NFC packaging, that was me.
Moreover, why should there have to be a real one? A QR sticker that's placed reasonably neatly could blend in practically anywhere, now that people expect to see them.
Reminds me of when there was a police press release about 2 guys that broke into a parking garage and drove around the carts like an underground game of Mario Kart and stole one.
Then I realized it was technically a government building and then it all made sense, because cars and bikes get stolen daily without a peep.
Nice. I am aware 911 should be used for some non-lethal but urgent situations now, but it was funny and frustrating figuring out which ones. For example, I’d call in a stalled car and get told by 911 to call non-emergency, and next time by non-emergency to call 911, in the same city. And non-emergency would sometimes tell me they dispatched someone and other times ask me what I thought should happen, again for the same problem.
They must think they’re stuck with fools for constituents. :)
> Anyone who sees someone tampering with a pay station and is not a badged City of Houston employee
This is a crime in progress. That's why 911 is being recommended. (Yes this can vary from place ot place) 311 is about reporting that has happened non-crime related a time ago.. 911 is something that is/just happened.
But yes, their messaging is terrible. I'm sure that they're just saying "don't call 911 because your sister is being a pain"
I once had a drunk person ringing my doorbell when I lived near downtown. It wasn't an emergency so I called 311. The person listened to what I had to say, said hold on and transferred me. The next person I spoke to said, "911 operator, what's your emergency?"
If you felt the person was a danger to themselves or others they were right to redirect you to 911.
Off-topic, but one of the symptoms of alcohol poisoning is confusion. If memory serves, a drunk, off-duty Texas cop once shot in to the wrong apartment, confusing it with their own home while thinking an intruder was present. The kind of erratic behavior you described is absolutely dangerous, especially in a place with as many guns as Texas.
You have to "had reason to believe" that they were "attempting to enter unlawfully and with force", that's not quite the same as them actually having done so.
Yeah, it generally wouldn’t be legal even in Texas. But i don’t think it will matter much to your dead body that the person who wrongly shot you in self-defense is serving jail time, hence the situation is still considered dangerous.
I have a vague recollection of a Black teenager shot for ringing the wrong doorbell and the white homeowner not being charged for the shooting. I'm thinking this was in Mississippi or Alabama maybe.
> If memory serves, a drunk, off-duty Texas cop once shot in to the wrong apartment, confusing it with their own home while thinking an intruder was present
Per the City of Houston [0]: "Dial (713) 884-3131 to request non-emergency police service for locations within the city limits of Houston."
For what it's worth, Click2Houston is widely known for ad-ridden clickbait masquerading as news. They used to be good, but now they just suck.
Also, calling 911 in Houston really sucks. Good luck getting a response within 30 minutes unless it's active gun related (and even then, I've personally waited nearly an hour after reporting gunshots in my neighborhood). Not the cops fault - they're generally ok, but the city management is poor.
If I call the non-emergency line in my city they always redirect me to 911, even for parking violations (like someone's car blocking you in)... it's a bit nuts.
Can anyone with an understanding of cash transfers work explain how this is possible?
I cannot fathom how scammers get away with this. The police have the QR code, the URL, and the cash going out of one account into another. How is it possible that these people don't get caught and locked up immediately?
In some locations law enforcement is overwhelmed/incompetent/doesn't care. I've seen much more money than that being stolen, reported to LE by the bank and end up being returned as LE didn't even bother responding.
“Earn $25/hr working in your city. Easy work, get started next week; you get paid the same day.” “We’re a contractor for the city and need to update the signage on parking meters to add these QR codes.”
I bet you could get plenty of marks to do the sticker work.
This is how political campaigns get people standing around with their signs around election time, anyway. They're getting like $20 to stand around during rush hour.
Door-to-door campaigners, protestors, petition signers, there's a massive shadow labor force of unnamed people getting paid cash for work no one wants to get caught paying for.
There's a burgeoning market for enough KYC data to open a US-based bank account at a bank that doesn't look all that closely. People were running PPP scams doing the same: KYC a US-based bank account, KYC a Coinbase account, exfiltrate to crypto, done.
Money laundering is the key here - you have it going out of one account to another one... registered in Micronesia that just happens to have been emptied yesterday and closed.
The QR code and URL (essentially the same piece of information) point to a server somewhere that could be some idiot running it on their personal real-name AWS account but is probably a dead end of the server host either being shifty/ignorant and accepting cash with no contact details or having given the server out to someone with entirely fraudulent contact details.
It's possible if they're greedy the money trail will be easy to follow, but if they're willing to lose a large proportion of their earnings passing it through some people that can launder money well then they'll probably get off scot free.
Simple, most police forces don’t have the skills or the interest in pursuing these types of crime. The lack of physical theft or injury, and the requirement to chase individuals by requesting digital evidence from banks etc, plus the small value of each individual crime (probably only $20), even if the aggregate amount stolen is large, and finally the fact the criminal is probably out of their physical jurisdiction, means police just don’t care.
As a result, if you’re stealing funds in a purely digital fashion, you can generally expect to be able to steal millions before anyone investigates you. You need to operating at a level where the FBI or, more likely, Secret Service takes an interest. QR codes on parking signs just doesn’t cut it.
I would be really surprised if the scam is taken down in just 14 days (without the media's attention), so they're typically able to get a couple of payouts at least.
Maybe this is just a single occurrence in a large scheme with lots more websites & separate payment providers.
In these cases it might be better to commit it to a public GitHub repo which has real-time secret scanning and partnerships with a lot of providers to immediately invalidate detected secrets.
I remember, many years ago, a story of someone who took a whole pile of blank deposit slips from the banks, and MICR encoded his account number along the bottom - when customers came in to make a deposit and the slip was scanned electronically, anything handwritten by the customer was over-ridden by the pre-printed account number - don't know how much they got away with, but clever none-the-less.
If there is something to be exploited somewhere, someone will find it.
The scam website is passportlab.xyz (Thanks for including the URL in the news article... I guess?)
Looks like it is registered with Google Domains. Hosted at 76.76.21.21 (vercel.com). They use magic.link to send a URL. They are using Stripe to process payments. Any one of these could lead to the perpetrator. But I doubt anyone will ever be arrested.
(It looks like Stripe might have shut them down already though.)
Maybe some indirect system would defeat this, where the real QR code only works if you have a cookie registered some other way - a phone app or something... and the fake one can't scrape that...
Meters generally already have a screen for showing remaining time. And the meter would have to be online if you can pay from an app, unless the meter is now just a pole with a sticker and everything including remaining time in in the app (Which is not the case for these meters).
Now that meters are moving from purely mechanical to electronic devices, the extra cost of the display and connectivity can be reduced by having a central pay station for a row of parking spaces. I believe I've seen some form of central pay station on some streets.
The problem is probably solvable if your customers already have the correct app.
The issue is if your customers are using the QR code to install your app. A scammer can change that QR code and hijack the customer's entire experience.
This is a real issue with QR codes. Some apps have implemented better options, including - crucially - the ability to revoke (disable) a code. Snapchat had Snapcodes which had some of these features built in for privacy.
Nothing about that would solve this, though. The QR code standard is open, and these are just stickers produced that generate a link for any QR code reader. There's nothing to revoke, and no central power that sits in between to perform said revocation.
I think there are several issues with the situation at hand:
1. The city should've provided a QR code payment solution along with an app to scan and vet those QR codes.
2. The parking app that includes a QR code scanner, only needs to interpret the information in the QR code (eg. location id + parking spot id), it doesn't need a full URL.
In China QR codes are ubiquitous. You can find them on menus in restaurants, when paying a cabbie for the ride, or a guy in the fresh market for vegetables, you can even buy toilet paper in a public toilet in the middle of the night using a QR code. The reason why there is no QR code fraud is because the payment is done through 1-2 apps which are able to detect fraudulent QR codes.
None of that would not help if scammer puts a sticker on top of all you just mentioned, that says: "To pay, scan this code with your camera app".
It would only deter people who already have the app since before, which is already the case, i assume most people just enter the Parking zone number by reading it from afar or using GPS from app, not by walking up to the machine and scan it.
164 comments
[ 4.1 ms ] story [ 227 ms ] threadIf I pay via coins / credit card the parking meter will tell me "Okay, you have XY minutes left." If I pay via the app, does the meter update as well? If I pay via the scam app... presumably there is no feedback loop, though people may not realize this.
As a second order effect, wouldn't it make sense to investigate the domain and find the owners? Assuming they are paying some other party to put these stickers up the owners of the domain are the real problem. Telling residents to educate each other feels similar to the trope of you are a "victim of identity theft" when Equifax loses your personal details.
Looks like it is registered with Google Domains. They use magic.link to send a URL. They are using Stripe to process payments. Any one of these could lead to the perpetrator.
(It looks like Stripe might have shut them down already though.)
And twice last week. Few times the month before that.
Even configured Exchange to give people a “report suspected phishing” button in their outlook clients.
They keep on clickin’.
(Each time was a different person btw)
https://www.youtube.com/watch?v=Rz2HpGC9vbw
Edit following the comments: maybe reversing the approach would work, by attaching monetary rewards to correctly reporting phishing emails? That would encourage everyone to be extra suspicious and report anything that looks amiss for the chance of getting some extra cash while avoiding the negatives of firing people on sight.
This time is much better spent securing the environment: spend the money on Yubikeys, lock down your default browser or use an isolation system, beef up your network filtering, etc. — things which can actually work and won’t make your users think you’re just trying to get them fired.
I guess instead of a penalty a more user-friendly way would be to attach monetary rewards to reporting phishing emails? That would incentivize reporting anything that looks even just slightly suspicious, which is probably a better outcome from a security point of view even with false positives.
We use one of those services, too, and you have to use a very light touch. Just using them at all makes people paranoid. If there are people you find who pose a risk, yes, you should do something about that, but terrorizing your workforce is a terrible idea for multiple reasons.
> putting their own employment at risk
Even looking at it amorally, that only really works in declining industries where people don't have a choice. Do that to engineers in a hot economy, and I suspect you'll be employing only the otherwise-unemployable soon.
Less than 3 months later, HR was begging people to click the link in their email to set up their benefits for the year, because they had a 0% click-through rate.
Hang up, look up, call back.
Turns out it was the link to our mandatory security training portal. Of all the people to get it wrong....
This is why I would usually focus on things like WebAuthn (making phishing much harder) or locking down the default browser environment more so it takes more than one click to cause a major problem. That doesn’t prevent social engineering, of course, but that requires a lot more work and gives more time for other safeguards to work.
Smart person? Sounds more like a person looking for trouble.
Maybe the fake app can say "Now you need to go to walmart.com to buy a gift card and enter that gift card code's to pay for parking", but that would filter out a lot of people who was looking for convenience in the first place. If I were consulting for this criminal, I'd say "You need to get to their greed by offering them a big prize, e.g. 1 year free parking in $CITY...".
These scammers are either smart and done everything anonymously, or too stupid to understand how this can all be tracked, but unfortunately this stupidity does often end up paying off.
Getting the money would be hard, and you would be easy to track.
They would probably be better off just collecting the credit card info and selling it.
I endorse absolutely none of this, just to be clear.
The best scam is the one that isn't detected. There's a story about a guy who collected £3 from every visitor to the Bristol Zoo car park here in the UK. Supposedly he did it for nearly two decades. Car park was free. No idea if it's real.
https://www.youtube.com/watch?v=FsWcc-9KMEc
This one's actually rather clever.
https://www.courthousenews.com/hertz-settles-flap-over-golde...
You're telling me. (not so humble brag) I developed a software solution and 3 patents granted over 10 years ago to stop these kind of shenanigans. Ahead of our time.
*Unfortunately, matrix barcodes may sometimes reference malicious websites, which may be used to steal confidential information (e.g., user credentials or credit card numbers) as part of a phishing attack or exploit vulnerabilities in mobile web browser software that may allow malware to be downloaded to a user's mobile computing device. Furthermore, some legitimate Internet resources (through the use of spam, comment posts, etc.) may be used to redirect users to malicious websites. Accordingly, the instant disclosure identifies a need for systems and methods for providing security information about quick response codes.*
https://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=...
Scammers can still put fake stickers/posters/whatever up, but the QR scanner shouldn't trigger an action, it should just provide some static location data when it comes to some payment action.
I think it's just a really poorly thought out system that didn't really research how other successful implementations of QR codes work.
I suppose this is harder to pull off with a lower benefit, and a higher chance of getting caught (i.e. fast acting law enforcement would know which car was in the free space).
To mitigate this, you might need space numbers posted. This is easy to verify that each space is different. But at this point, why even have a QR code?
It should not be an app. Or there could be an app in addition to other methods of paying.
Edit: the reason is accessibility and the fact that they are providing a public service https://news.ycombinator.com/item?id=29818536
With the app, I have to do all of that once and the app remembers everything for me. If I am driving my wife's car, I don't have to try to remember her plate number. I can pay for my parking while walking to wherever I am going and I'll get a notification 5 minutes before my payment expires and can add time right where I stand at that moment. Parking apps can be great though it is annoying that every town seems to have their own app or payment provider.
Edit: just to elaborate a bit further in case it's not clear: should people who don't have a smartphone, or their smartphone is broken, or maybe they forgot the charger home, still be allowed to park their vehicle in a public area? Isn't there a higher standard in terms of accessibility requirements, when you are providing a public service?
Thankfully there are still kiosks that accept physical credit cards so I am able to legally park my car. It's a lucky thing I have a credit card that hasn't been banned because there no longer seems to be any way to pay with quarters.
In some cities the parking meters are run by a private company.
Chicago, for example, leased its parking meters to an Australian company. (Or Spanish. I forget, one got the parking meters the other got the Skyway) In exchange for an up-front payment to the city, the private company gets to run the parking meters almost any way they want.
This includes raising prices.
Or worse, in the Chicago example, the parking meter company successfully sued the city and now Chicago isn't allowed to permit the construction of any new public parking garages in the downtown core, because that would hurt the parking meter business. The only new garages that are permitted are for new residential buildings and a calculated number of spaces exclusively for office buildings for hotels.
If city's hands are tied for more car-centric infrastructure, now they can spend that budget on bike lanes, citibikes, and other transit projects.
I've parked in lots where you enter the parking spot number and payment into a website. There is no physical confirmation, and it would be trivial to put a QR code on the parking information sign.
Especially because typically people are walking into the station while paying, and not standing in front of the sign double checking the details.
Insult to injury, the UI on the legit system is so bad and slow that scammers wouldn't even need to try to replicate what exists. Basically anything else would be an improvement.
Sure, scammers are bad, meter maids could incorrectly cite vehicles, and it's highly likely the scammers are doing more than just collecting the fees, but I don't find the basic premise that terrible.
It’s strange to frame this as us vs them. Revenue lost by the city is coming out of your pocket. Don’t you have a vested interest in not having scammers drain your city’s income? I do. It definitely matters who gets the money, if you aren’t singularly focused on the behavioral results of drivers having to pay for parking.
It’s also strange to use language suggesting the city couldn’t possibly be damaged by the loss of revenue. Enforcement efforts are trying to be net positive, cover their costs, and contribute any remainder to other public works.
The contract in chicago also reportedly contained stipulations that the city wouldn't install certain types of infrastructure that might affect parking revenues like bike lanes. That's the sort of conflict-of-interest I was talking about.
In general, of course I agree that metered parking can be a great solution to many issues. I would just prefer that the money actually go to the city rather than terrible private companies.
Right. And that money comes from taxes, right? It’s plausible under the scenario you’re describing that fake QR codes could end up costing the city as well; contractor may argue the city is responsible for enforcing & cleaning QR graffiti. (I have no idea whether that’s the case in reality, just imagining ways it’s possible that you are paying for scammers even though you don’t think so.)
The regulatory capture sucks, especially if a meter contractor is preventing bikes lanes. The city needs to resist such stipulations, but I realize this kind of shit happens all the time. I wonder why the contractor would have such leverage; I would think the city’s in the stronger position. I agree with you, I wish the money were going directly to the city rather than for-profit businesses, especially when those businesses are draining city revenue on a larger scale than some QR hackers.
May as well just not pay the scammers at all then, and now the allocation strategy is just "first come, first serve, stay forever, try to avoid police".
I made a comment about how ads are being "stickered."
It could be funnier to replace the menu with a slightly fake one and see what happens when people try to order things that don't exist (but could reasonably be thought to exist).
Or outrageous items. Let's experiment.
People will take the barcode from one bike and put it on others, meaning when someone comes to unlock a bike, it actually unlocks the scammer's bike. By the time the victim realizes why the bike they're scanning won't unlock, the scammer has ridden away.
The trains have these big posters, which are ads. They rotate, like, once a month, or so.
Most of these ads have QR codes, to their sites.
I often see that the QR code is a sticker, which means a scammer placed it over the real one.
Here come the righteous downvotes; to defend myself, I never went through with it, and they were ads to promote the city's iniative to invite the corrupt organization the International Olympic Committee so they could feast on our tax money.
So, if you bought gloves at an REI in Bellevue Washington, and got rickrolled by the NFC packaging, that was me.
From the Houston police department's 911 information page [1]:
> Call 9-1-1 to report a life or death emergency that requires an immediate response from police, fire, or ambulance personnel.
...
> Do not use 9-1-1 for non-emergency situations -- this causes a delay in answering emergency calls.
[1] https://www.houstontx.gov/police/contact/911.htm
Then I realized it was technically a government building and then it all made sense, because cars and bikes get stolen daily without a peep.
They must think they’re stuck with fools for constituents. :)
This is a crime in progress. That's why 911 is being recommended. (Yes this can vary from place ot place) 311 is about reporting that has happened non-crime related a time ago.. 911 is something that is/just happened.
But yes, their messaging is terrible. I'm sure that they're just saying "don't call 911 because your sister is being a pain"
If you felt the person was a danger to themselves or others they were right to redirect you to 911.
Off-topic, but one of the symptoms of alcohol poisoning is confusion. If memory serves, a drunk, off-duty Texas cop once shot in to the wrong apartment, confusing it with their own home while thinking an intruder was present. The kind of erratic behavior you described is absolutely dangerous, especially in a place with as many guns as Texas.
Not drunk, just said she was tired or overworked: https://en.m.wikipedia.org/wiki/Murder_of_Botham_Jean
For what it's worth, Click2Houston is widely known for ad-ridden clickbait masquerading as news. They used to be good, but now they just suck.
Also, calling 911 in Houston really sucks. Good luck getting a response within 30 minutes unless it's active gun related (and even then, I've personally waited nearly an hour after reporting gunshots in my neighborhood). Not the cops fault - they're generally ok, but the city management is poor.
[0] - https://www.houstontx.gov/police/contact/index.htm
I cannot fathom how scammers get away with this. The police have the QR code, the URL, and the cash going out of one account into another. How is it possible that these people don't get caught and locked up immediately?
I bet you could get plenty of marks to do the sticker work.
Door-to-door campaigners, protestors, petition signers, there's a massive shadow labor force of unnamed people getting paid cash for work no one wants to get caught paying for.
The QR code and URL (essentially the same piece of information) point to a server somewhere that could be some idiot running it on their personal real-name AWS account but is probably a dead end of the server host either being shifty/ignorant and accepting cash with no contact details or having given the server out to someone with entirely fraudulent contact details.
It's possible if they're greedy the money trail will be easy to follow, but if they're willing to lose a large proportion of their earnings passing it through some people that can launder money well then they'll probably get off scot free.
As a result, if you’re stealing funds in a purely digital fashion, you can generally expect to be able to steal millions before anyone investigates you. You need to operating at a level where the FBI or, more likely, Secret Service takes an interest. QR codes on parking signs just doesn’t cut it.
I guess you could have the city's public ID in your phone and then the city could just sign their QR codes ... or not in this case...
Just reported them through the generic Stripe contact form (all I could quickly find).
In general, Stripe describes a 7-14 day payout schedule, but has shorter ones for many countries.
Presumably it takes a fair amount of identity info to get to the 2 business day accelerated payout speed available to low-risk businesses in the US.
https://stripe.com/docs/payouts#payout-schedule
Maybe this is just a single occurrence in a large scheme with lots more websites & separate payment providers.
If there is something to be exploited somewhere, someone will find it.
Looks like it is registered with Google Domains. Hosted at 76.76.21.21 (vercel.com). They use magic.link to send a URL. They are using Stripe to process payments. Any one of these could lead to the perpetrator. But I doubt anyone will ever be arrested.
(It looks like Stripe might have shut them down already though.)
Maybe some indirect system would defeat this, where the real QR code only works if you have a cookie registered some other way - a phone app or something... and the fake one can't scrape that...
The issue is if your customers are using the QR code to install your app. A scammer can change that QR code and hijack the customer's entire experience.
I did it for the lulz but now I think it may be a public service, getting people to blindly trust these things a little less
1. The city should've provided a QR code payment solution along with an app to scan and vet those QR codes.
2. The parking app that includes a QR code scanner, only needs to interpret the information in the QR code (eg. location id + parking spot id), it doesn't need a full URL.
In China QR codes are ubiquitous. You can find them on menus in restaurants, when paying a cabbie for the ride, or a guy in the fresh market for vegetables, you can even buy toilet paper in a public toilet in the middle of the night using a QR code. The reason why there is no QR code fraud is because the payment is done through 1-2 apps which are able to detect fraudulent QR codes.
It would only deter people who already have the app since before, which is already the case, i assume most people just enter the Parking zone number by reading it from afar or using GPS from app, not by walking up to the machine and scan it.
They have to link back to an app on the app store, so they're more trustworthy.
Obviously that can be construed as a down side as well, and the app store isn't immune to scams, but it does give one layer of effective gating