Originally published at: Scammers are putting fake QR codes on parking meters in California - Boing Boing
QR codes are so easy to scam like this, I don’t know how they made a comeback. As far as I can tell, the best security practice is just “never ever scan any QR code”.
I hate that the parking meters in Pasadena require you to download an effing app in order to use them. Grrr. Just no. Thank goodness that my FIL has dedicated visitor parking at his condo complex.
I’ve been pretty miffed that more and more places are popping up where they’ve been getting rid of machines and now have payment over the phone as the only method. Not only does it create opportunities for this type of scam, but it’s discriminatory towards anyone who doesn’t carry a modern phone with service in that area and a data plan. A couple of months ago I parked at a visitor center for the Pearl Harbor National Memorial and pay-by-phone was the only option, which seems especially bad considering it was a government-run memorial that was disproportionately visited by older folks (who may not be the most tech-savvy) and by tourists who may not have coverage in that area.
I think the credit card companies can up the game by using (or providing to trusted parties) some “lockout” credit card numbers that freeze out any merchant account, and create a camera-ready seizure order for that merchant’s collected funds, when it is not the intended merchant. (I am thinking of a parking enforcement entity that would use them for “official purposes” and that would pay the fees (in monopoly money equivalent) except for any unintended merchant.)
This doesn’t make them any more likable; far from it; but one ‘feature’ that makes them very popular is the fact that it’s way easier to extend tracking links into the real world when you have a mechanism that makes entering some ghastly base64 salad of a URL easy; and makes entering the entire thing blind somewhere between ‘very much the lowest friction option’ and ‘practically mandatory’ depending on the implementation of the QR reader.
If the user needs to type it out you basically have to use a short, sensible, bland URL. No way are you getting someone to accurately enter a paragraph worth of UTM parameters or whatnot; and some cryptic link shortener thing is going to be much harder than just domainname.tld.
With QR codes, though, the granularity with which you can track which code people scan is limited only by the economics of the printing process you are using: if there’s a tooling cost per-change you are going to have to do them in batches; but if you are using one of the lower volume arrangements where it’s just a per-page cost generating unique URLs for each and every one is technically trivial.
I’m not giving any of the adtech vermin a link; but “QR code analytics” will bring up a bevy of people extolling the tracking virtues of the format.
It’s my suspicion that this is the reason why you sometimes see QR codes in place of normal text in frankly incongruous places (art museum signage? Because you could print the QR code that directs me to the artist’s statement on your website but not print the artist’s statement on a little placard?). Sometimes you do just need to make a text string reliably machine readable (as with the original inventory/part tracking use case; or TOTP pairing or whatnot); but there are a lot more cases where you don’t need it; but some brand manager or sales analyst or KPI junkie is getting the shakes just thinking about another way to quantify the target’s behavior.
I, admittedly… may be more than a trifle bitter about how we can’t even keep some of our own communications people from using superfluous QR codes against employees at the same time we have an upsurge in phishing attempts using QR codes to obfuscate their payloads or get targets to look at them on unmanaged devices with tiny screens where it’s way easier to dodge security measures or verify URLs and certs…
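The two points above (per-print tracking URLs and QR codes used to hide phishing payloads from the person scanning) both come down to checking what a QR code actually decoded to before anyone opens it. The following is an added example, not code from any poster or from Boing Boing; the vendor host allow-list and the sample payloads are constructed, and it treats the decoded string as untrusted input from a sticker of unknown origin.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list: the parking vendors this meter is known to use (hypothetical hosts).
EXPECTED_HOSTS = {"pay.example-parking.com", "meter.example-city.gov"}

# Common shorteners; a shortener hides the real destination from the person scanning.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

TRACKING_PREFIXES = ("utm_",)
TRACKING_KEYS = {"fbclid", "gclid", "mc_cid", "mc_eid"}


def inspect_qr_url(payload: str) -> dict:
    """Classify a string decoded from a QR code before it is opened as a payment link.

    Returns {'verdict': 'allow'|'block', 'reasons': [...], 'tracking': {...}}.
    Non-URL payloads (Wi-Fi, otpauth, plain text) are never treated as payment links;
    tracking parameters are reported but are not a block reason on their own.
    """
    reasons = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return {"verdict": "block", "reasons": ["not an http(s) URL"], "tracking": {}}
    if parts.scheme != "https":
        reasons.append("plain http")
    if parts.username or parts.password:
        # "https://trusted.example@evil.example/" shows a trusted-looking name first.
        reasons.append("userinfo in URL (host spoofing trick)")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible lookalike domain)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if host not in EXPECTED_HOSTS:
        reasons.append(f"host {host!r} is not an expected vendor")
    # Collect per-scan tracking parameters (the "which sticker did they scan" analytics).
    tracking = {
        k: v
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower().startswith(TRACKING_PREFIXES) or k.lower() in TRACKING_KEYS
    }
    return {"verdict": "allow" if not reasons else "block", "reasons": reasons, "tracking": tracking}


if __name__ == "__main__":
    for sample in ("https://pay.example-parking.com/pay?meter=42&utm_source=meter42",
                   "https://bit.ly/3abc", "https://pay.example-parking.com@evil.example/pay"):
        print(sample, "->", inspect_qr_url(sample))
```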
Be careful everyone, this is not just in California, this scam has been popping up all round the UK in the last six months or so.
The ‘convenience’ of having to use one of a seeming myriad of piss poor apps to do something that used to be possible in a few seconds with a simple machine makes this enshittification all too appealing to scammers.
And good luck trying to get a useful response from any of the ‘legitimate’ parking companies when their wretched app fails to work. The only thing they seem to be able to do quickly and reliably is issuing parking penalty notices. They are right down there with Ticketmaster for being companies you can’t help dealing with, but really wish didn’t exist.