Scammers are sticking QR Codes on parking meters in Austin, Texas. The victim scans the QR code using a smartphone and is taken to a fake parking payment site.
Personally, I think a better scam would be to follow clampers (parking boot in US), find cars that have been clamped and replace the release notice instructions with your own version and payment QR code.
What's the defense against this for the average person? Every city has a different parking app or site, there's no way for someone to know like with their bank.
Very little defense for the average user if the site looks good enough on mobile. Police should be able to trace the flow of money, but the scammers are probably using dodgy overseas processing for payments.
The solution is to have a unique ID for the parking area instead of a QR code, and you enter the ID into the official parking app for the city. There is no way to direct money to anything but city coffers with this approach. This is already what many municipalities do.
I don’t know why people are throwing their hands up at technology and using quarters when the apps are much more convenient (especially since you can remotely extend your parking time).
> I don’t know why people are throwing their hands up at technology and using quarters when the apps are much more convenient (especially since you can remotely extend your parking time).
Because popping a quarter into the machine is much more convenient for most people than downloading a questionable app, typing in your license plate, address, and credit credit card.
I'd be willing to bet the number of people who need to remotely extend their parking time by app instead of feeding the meter are vastly outnumbered by the people who just want to park downtown for 30 minutes to grab a sandwich and move on with their day.
I don't want to have an app installed just for that. I'd prefer to do it over the web or contactless/dedicated smartcard system, by far.
Not to mention it locks out anything that isn't Android or iOS compatible. It's a niche market, but even Android was basically devoid of apps at one point because everyone was targeting the iPhone.
many scams look just like legitimate incompetent services, or legitimate well crafted services.
there is a meme going around about how scammers target gullible people to filter out more skeptical people, but really thats just one segment of the population.
Would the average user raise a chargeback for €/$ 5 of parking fees? Even if the scam results in them getting a parking ticket, the cost of the parking ticket isn't subject to a chargeback, only the scammed parking fee itself.
I don't know and who cares what the average user would do. Thats the defense. It depends on the user experience, chargebacks aren't hard and can be done attempted with just the click of a button for some user's banks.
>Personally, I think a better scam would be to follow clampers (parking boot in US), find cars that have been clamped and replace the release notice instructions with your own version and payment QR code.
Sell a service that cuts the boot off for half the price.
The irony of this is that the last legit parking meter service I registered for was hacked and all my personal info and license plate are now in a public database. (Can't remember the name right now, but it's in the haveibeenpwned list).
The opaqueness of QR codes for public uses like this is a problem. I was musing on this on a restaurant patio recently, that used the "QR code to view our menu" sticker things. It would be no work at all to slap new code stickers on all the outside tables. The potential for actual malice is maybe low there, but mischief is easy (ads for a competitor restaurant, PETA website at a BBQ place, autoplay fart noises, just general gross-out website, etc.)
I suppose the builtin Android and iOS code readers will have to get a confirmation step at some point. The classic problem of convenience vs. security.
The last time I traveled on the east coast I'd amassed _at least_ four separate "apps" on my phone from four different municipalities.
Each one wants my address and license plate number. Most want my credit card, too.
Each app looks and behaves like it was designed by an intern.
Each app wants to send me notifications on my phone (Ok, I guess if you're concerned about the meter running out).
Some of the apps accept payment, others don't (you have to go to the kiosk in the garage to pay). None of the municipalities I visited allowed cash payment.
Now apparently we need to worry about Phishing QR codes as well.
Is all of this worth not having to run out to the meter and feed it once in a while?
20 comments
[ 4.6 ms ] story [ 52.3 ms ] threadPersonally, I think a better scam would be to follow clampers (parking boot in US), find cars that have been clamped and replace the release notice instructions with your own version and payment QR code.
Keep quarters in your car and pockets. Sounds stone-aged. But it worked in 2000 and 2010 also.
I don’t know why people are throwing their hands up at technology and using quarters when the apps are much more convenient (especially since you can remotely extend your parking time).
Because popping a quarter into the machine is much more convenient for most people than downloading a questionable app, typing in your license plate, address, and credit credit card.
I'd be willing to bet the number of people who need to remotely extend their parking time by app instead of feeding the meter are vastly outnumbered by the people who just want to park downtown for 30 minutes to grab a sandwich and move on with their day.
Not to mention it locks out anything that isn't Android or iOS compatible. It's a niche market, but even Android was basically devoid of apps at one point because everyone was targeting the iPhone.
many scams look just like legitimate incompetent services, or legitimate well crafted services.
there is a meme going around about how scammers target gullible people to filter out more skeptical people, but really thats just one segment of the population.
Sell a service that cuts the boot off for half the price.
I suppose the builtin Android and iOS code readers will have to get a confirmation step at some point. The classic problem of convenience vs. security.
Reminds me of this blog on redirecting qr code links with cleverly made transparent overlays to change a few blocks in the code.
Each one wants my address and license plate number. Most want my credit card, too.
Each app looks and behaves like it was designed by an intern.
Each app wants to send me notifications on my phone (Ok, I guess if you're concerned about the meter running out).
Some of the apps accept payment, others don't (you have to go to the kiosk in the garage to pay). None of the municipalities I visited allowed cash payment.
Now apparently we need to worry about Phishing QR codes as well.
Is all of this worth not having to run out to the meter and feed it once in a while?