QR code scammers
By Parking Australia CEO Stuart Norman, featuring comments from Smarter City’s Michael Doherty.
Police in San Antonio and Austin, Texas found fraudulent QR code stickers on parking meters as part of a scam. The QR codes took parkers to an alternate website for payment. Coverage of this story has gone global, with many calling for an end to QR codes out of fear of phishing schemes.
However, Parking Australia believes that this occurrence highlights the need for both businesses and consumers to be aware, not alarmed, when using QR codes to pay for their parking. Regular users are encouraged to scan QR codes with the parking app rather than the in-built device camera, as the app can verify that the scanned code points to the operator's own domain before starting a session, a check a generic camera app does not perform.
Parkers usually commence a session for their vehicle by:
- Typing in a zone number
- Calling a number and keying in a zone number on a phone keypad
- Selecting a zone from a list
- Selecting a zone area on a map
- Scanning a multipurpose QR code on signage placed within the zone
QR codes are multipurpose, with the code containing zone information as well as a web address (URL). When scanned with a smartphone camera or a generic QR code app, they take the parker to a company-hosted web page to register as a new member and direct them to the app store for their device. When scanned with the appropriate parking app for that area, they rapidly commence a parking session for an existing user.
Parking Australia asked Michael Doherty, Head of Business Development at Smarter City Solutions, to provide some insights into the issue. He said “The underlying information or URL in a QR code placed on a parking meter may look something like http://cellopark.com.au/qr/1000200. When scanned with a generic camera app, a web page hosted at that address will take the new member to the store appropriate for their device, potentially with some information screens to assist the journey. The signup process is typically inside the secure app with appropriate encryption techniques applied to credit card information etc.”
“When scanned with the parking app, the app checks to ensure that the QR code being scanned is in fact a QR code for the purpose of parking. This is achieved thanks to the fact that the QR code contains a domain name that the app company owns and by its very nature is unique to the company. If a parking app scans a QR code intended for a different purpose (like a state government Covid check-in, or a fraudulent phishing site, for example) the app displays a message indicating that the code scanned is not the right one.”
“If a city with QR codes for parking apps on all of its meters one day found the QR codes to be replaced or vandalised, regular users of the system would instantly know that the app company’s QR code had been replaced, thanks to messages popping up on every app user’s smartphone screen.”
“Assuming that the fraudsters would never be able to get a copy-cat or phishing app through the rigorous checks that Apple and Google place on the content of their respective stores, I can assume that in the case of these U.S. cities, the scammers simply set up a site that looked official and made the unsuspecting victims (possibly new to the city and its parking regime) believe that they had selected an amount of parking time and paid via a mobile web portal.”
“The interesting comment made in the news around this was that some of the cities did not believe that QR codes offered enough security and had elected not to offer them as a method to commence app-based parking. Ironically it was that decision that left the proverbial door open for the bad guys to fill the QR code void. Had the motoring public been using the super-fast method of starting a session from the official launch day, this phishing exercise would likely have never happened.”
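The domain check Doherty describes above, as an added example that is not Smarter City's or Parking Australia's code. It assumes the operator owns cellopark.com.au (the domain in the URL he quotes), that parking codes use the path shape /qr/<zone number>, and that https is acceptable alongside http; the phishing-style payloads it is tested against are constructed for the example. It also shows why a plain substring test for the owned domain is not enough: a scammer can put the real domain inside a hostname or userinfo they control, so the check has to parse the URL and compare the host label by label.

```python
"""Validate the payload of a scanned parking QR code before acting on it.

Added example, not the parking operator's own code. Assumptions: the operator
owns cellopark.com.au (from the quoted URL), parking codes look like
http(s)://<owned host>/qr/<zone>, and the sample payloads below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Domains the operator owns (assumed for this example).
OPERATOR_DOMAINS = frozenset({"cellopark.com.au"})


@dataclass(frozen=True)
class QrResult:
    accepted: bool
    zone: Optional[str] = None
    reason: str = ""


def _host_is_owned(host: str) -> bool:
    """True only for an exact match or a true subdomain of an owned domain.
    A raw endswith() on the string would also accept 'notcellopark.com.au',
    so the comparison requires the dot boundary."""
    host = host.lower().rstrip(".")
    return any(host == owned or host.endswith("." + owned)
               for owned in OPERATOR_DOMAINS)


def naive_check(payload: str) -> bool:
    """The insufficient check: substring match on the owned domain.
    It accepts http://cellopark.com.au.evil.example/qr/1 as genuine."""
    return any(domain in payload for domain in OPERATOR_DOMAINS)


def validate_qr_payload(payload: str) -> QrResult:
    """Accept the payload only if it is a web URL on an owned domain with a
    parking path; otherwise return a reason the app can show to the user."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return QrResult(False, reason="not a web URL")
    if parts.username is not None or parts.password is not None:
        # http://cellopark.com.au@evil.example/... hides the real host in userinfo
        return QrResult(False, reason="userinfo in URL")
    host = parts.hostname
    if not host or not _host_is_owned(host):
        return QrResult(False, reason="not an operator domain")
    segments = [s for s in parts.path.split("/") if s]
    if (len(segments) != 2 or segments[0] != "qr"
            or not (segments[1].isascii() and segments[1].isdigit())):
        return QrResult(False, reason="not a parking QR path")
    return QrResult(True, zone=segments[1])


# Constructed sample payloads: one genuine code, one subdomain variant,
# and several lookalikes of the kind a sticker scam would use.
SAMPLE_PAYLOADS = [
    "http://cellopark.com.au/qr/1000200",
    "https://app.cellopark.com.au/qr/42",
    "http://cellopark.com.au.evil.example/qr/1000200",
    "http://notcellopark.com.au/qr/1",
    "http://cellopark.com.au@evil.example/qr/1",
    "https://covid-checkin.example/venue/123",
    "http://cellopark.com.au/pay?amount=20",
]


def classify_samples() -> Dict[str, QrResult]:
    """Run the validator over the constructed samples."""
    return {p: validate_qr_payload(p) for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, result in classify_samples().items():
        verdict = f"zone {result.zone}" if result.accepted else result.reason
        print(f"{'ACCEPT' if result.accepted else 'REJECT':6} {payload}  ({verdict})"
              f"  naive_check={naive_check(payload)}")
```

The point of the comparison is that the naive substring test returns True for the lookalike hostname while the parsed host check rejects it; the operator's app gets its protection from owning the domain and comparing against it exactly, not from the mere presence of the domain name somewhere in the payload.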
Media coverage on overseas QR code scams: Scammers are putting QR code stickers on parking meters to trick people into paying them (businessinsider.com.au)
Image credit: Noam Galai/Getty Images, sourced from Business Insider