25 comments

[ 3.8 ms ] story [ 59.6 ms ] thread
What is a solution to this? QR codes can never be trusted therefore you must use a trusted app? ie "download the official Redondo Beach Parking app on the app store"? QR code generated on an LCD or ePaper display on the meter?
Can't a QR code be digitally signed ?
Yes but where should we put the public key?
Hard-code it in a parking app ? At a trusted URL that a parking app can access over HTTPS ?
If it's your first time in the city how do you know to get the parking app when a fake sticker tells you to go to www.fakesite.com?
Signage at the edge of town ? Some cities use those to radio stations/frequencies that (for example) inform people about traffic and weather.
Wanna know how I know you're at least as old as I am ;)

People use maps on their phone for weather and traffic these days, along for music.

More so, signage is mostly useless. The problem is the world is covered in advertisements so much to the point that we all have our "AdBlock for Brains" coping mechanisms, that commonly lead us to bouncing off a door then realizing it says "use other door" and people asking why we didn't see it when every other square inch of the door is covered it words saying "Buy this addictive drug" or "Eat this sugar filled crap"

Simply put this is a much harder problem to solve then one would expect as we've allowed marketers to buy up all of our attention.

Last I was in the states, these kinds of signs are still up here & there. But heck yeah, maybe the stations are MIA and nobody has even noticed.
Maybe we could have somebody from the city attend the parking lot.

Then the Parking Attendor would be the person to get the QR code from.

How would you know that they are who they claim to be?

There is an urban legend in my city that a person claiming to be a parking attendant worked outside the zoo for 20 years, pretending to work for either the local government or the zoo, collecting parking fees from visitors.

https://www.snopes.com/fact-check/fake-parking-attendant/

This is, of course, false - but there is no practical way for regular people to verify that people in a public place are who they claim to be.

Similarly, I was with a friend who parked at the far end of a parking lot that had a McDonalds at the other end. When we came back there was a car boot on the car, I wanted to speak with a general manager to confirm they were "Enforcing the parking lot of McD's customers only", they said we could talk with the shift manager (who they may or may not be working with separately). My friend just wanted his car and paid them without checking anything with a credit card - on their phone+square device (or whatever that portable cc reader is). It was sketchy and I hadn't seen them there before. I am not even sure that is legal tbh, but didn't have time to work through it with him/them.
> Authorities warned people not to scan the code, as it might install a virus on their phone.

Well, surely they have no idea how the above would work, but imagine a fake QR code prompting you to "Download the official app" but it's malware instead.

BTW, does Apple take 30% of the parking fee if you pay using an iPhone app?

IIRC, the 30% fee is only for digital goods & services
Trusted app from app store seems reasonable enough. How it works here, get app, insert plate number, payment details. Park, get location, set time and press start. When you come back press stop and it will automatically only charge for however long you parked.
"To use this app you must turn on contact sharing, location sharing, audio sharing, camera sharing....."
The solution is to just pay the machine I think. Why go online at all? In Santa Monica, the meters on the street all let you pay by card or tap, and the beach controlled lots you just enter your space and pay the machine.
for my local meters not in Santa Monica, the convenience is to be ably to refill the meter without having to go back outside to fill out, but instead fill the meter from an Internet connected device.
That’s my method, too, when I can. I was in Park City, UT, a few years ago - and the parking meters were broken. The app was the only way to pay.
A trusted domain for the parking authority, linked to from a known trusted domain for the city website. Of course, this assumes the parking authority can handle their domain renewals (they probably can't).
The LIRR QR codes change every few seconds, on the App. But you do need an App.
Perfect crime for a budding international criminal.

Clone the real site, possibly with a redirect to the real site after "payment fails". Post an ad on Craigslist asking for someone to update the parking meter codes to the new site, while posing as someone from the parking company, since they are often privately owned. Provide stickers that can be printed on.

Ghost them after a day of work is done unless they are willing to accept crypto as payment.

They’ll need to switch to NFC eventually.
San Francisco did, but put the cheapest NFC stickers they could find on the meters. Maybe one in 10 worked