Fake QR code for parking scam

Skyfloater · 13-10-2024 4:34pm #1

There's a scam going around, where fake QR code stickers are being placed on parking machines over the real ones.

Please check before you use a QR code to pay for your parking in future.

Fishdoodle · 13-10-2024 4:37pm

This has been happening in the UK for quite a while. First Ive heard of it in Ireland.

kippy · 13-10-2024 6:39pm

Its been a concern of mine, a very easy scam to put in place.

Mike3549 · 13-10-2024 6:42pm

Just saw a video with a fake qr code sticker, reported it happened in bray

Skyfloater · 13-10-2024 7:08pm

https://www.boards.ie/discussion/comment/122715477#Comment_122715477

That was the video I saw, it's good to spread the word.

Overheal · 13-10-2024 8:07pm

the meter owners will want to go to an engraved QR code or something to combat this probably. Familiar with engraved QR codes on engineered parts like motors etc. Will take you right to their documentation, it’s great. It would be harder to scam people parking if they knew to look for an actual engraved/stamped QR on the meter than a cheap sticker anyone can come along and change or spoof.

MrMusician18 · 13-10-2024 8:21pm

https://www.boards.ie/discussion/comment/122715813#Comment_122715813

Forget QR codes. A simple direction to use the app is all that's needed

Mrs OBumble · 13-10-2024 8:25pm

QR codes are scammy. End of.

PixelCrafter · 13-10-2024 10:02pm

QR codes are mostly totally pointless. You can search the info far faster and more reliably

highpitcheric · 14-10-2024 6:45pm

Game.

CASH.

LambshankRedemption · 14-10-2024 7:12pm

Remember to always Query before you QR.

Having a usable app would get around this particular problem.

Atlantic Dawn · 14-10-2024 7:18pm

A woman was supposed to have lost €1k over it, surely that amount would have required authentication on her phone to approve and she would have assumed that something was up at the approval stage for that amount, it was Greystones, not Dublin Airport she was parking in 😁

beachhead · 15-10-2024 5:24am

Greystones is rolling in it.But e1,000 an hour hasn't arrived in Ireland.Yet.

LambshankRedemption · 15-10-2024 8:27am

https://www.boards.ie/discussion/comment/122719662#Comment_122719662

Some people just click Next/Approve/Confirm without reading what the messages say.

It used to be:

Click NEXT

and we will then take 1k from your bank account.

Nowadays it's

We will now take 1k from your bank

Click next

And people still focus on the 'next' and click on that ignoring the very long warning message.

Sleepy · 15-10-2024 9:18am

How is this not easily traced? Surely the payment can be reversed and the con artists identified and prosecuted?

Cordell · 15-10-2024 11:19am

https://www.boards.ie/discussion/comment/122721396#Comment_122721396

Of course it's not, it's no use pretending that this is not yet another scam operation originating from foreign and likely 3rd world countries like India, just like the Revenue, Amazon and Revolut phone call scams.

LambshankRedemption · 15-10-2024 11:34am

https://www.boards.ie/discussion/comment/122721396#Comment_122721396

Let me preface this by saying I work in IT Security.

The first time I ever saw a QR code, it's potential for abuse was obvious to me. If I had that idea, Im sure people all over the world had the same idea.

I don't really get your focus on whether this is a homegrown scam or an imported scam. What difference does it make?

silverharp · 15-10-2024 11:34am

https://www.boards.ie/discussion/comment/122721422#Comment_122721422

I miss the old days of the Nigerian Prince ;-) , the phone scammers are just a pain. Wait till they figure out how use AI….

LambshankRedemption · 15-10-2024 12:05pm

https://www.boards.ie/discussion/comment/122721472#Comment_122721472

I have news for you, AI is already being leveraged.

Cordell · 15-10-2024 12:27pm

https://www.boards.ie/discussion/comment/122721467#Comment_122721467

QR code is no different than a link sent via email or text, there's nothing inherently unsafe about it, it's just an encoding standard. There are however multiple opportunities for security measures to block the end result of people being parted with their money and/or personal information.

And the origin of the scam is important only when it comes to law enforcement shutting them down and getting your money back, both with zero chance of happening for typical foreign operations.

Cordell · 15-10-2024 12:30pm

https://www.boards.ie/discussion/comment/122721472#Comment_122721472

the phone scammers are just a pain

No, they aren't a pain to me, they offer me the only opportunity to use the P words without shame or guilt :) That's why I dread the day that it won't be a human on the other end.

Glaceon · 15-10-2024 12:33pm

https://www.boards.ie/discussion/comment/122721581#Comment_122721581

Just came across this article today, an AI voice being used in scam calls…

https://sammitrovic.com/infosec/gmail-account-takeover-super-realistic-ai-scam-call/

purplefields · 15-10-2024 12:47pm

https://www.boards.ie/discussion/comment/122721663#Comment_122721663

Are 'P' words incestuous hindi words? That's what I do. Keep them on the phone for 30minutes and then throw in a madarchod.

I guess that's all finished now with AI.

Cordell · 15-10-2024 12:54pm

https://www.boards.ie/discussion/comment/122721731#Comment_122721731

Are 'P' words incestuous hindi words?

No, they are racist English words, as I'm a simple man.

silverharp · 15-10-2024 1:20pm

https://www.boards.ie/discussion/comment/122721663#Comment_122721663

I do have some fun sometimes saying things like what would their parents think……. A few even ask what they think they should do instead or they even ring me back.

Del2005 · 15-10-2024 1:38pm

https://www.boards.ie/discussion/comment/122715873#Comment_122715873

The QR code is usually the link to the app or the website.

Saying just use the App is no good as I've no idea what app or website is needed if I just arrived in a town, it's fine for a local or regular but occasional visitors need information. I just went to the Play Store for the Dublin Parking App and it gave me a Cork Parking App as a option.

JVince · 15-10-2024 1:54pm

https://www.boards.ie/discussion/comment/122720763#Comment_122720763

Funny, you will find its most likely local.

See the scammers arrested in Drogheda for money fraud. All but one were Irish.

Yeah Right · 15-10-2024 3:32pm

https://www.boards.ie/discussion/comment/122715887#Comment_122715887

What? That's a ridiculous statement to make. QR codes are a tool. Are barcodes scammy? Or anything else that you can scan to find out information, are they scammy two?

The total possible number of codes is 1 followed by about 7 thousand zeroes. The number of 'scammy' QR codes generated must be a miniscule fraction of 1%. Labelling them all scammy is the same as labelling every person on the planet scammy because one person's eyelash scammed you.

Not only is your claim ridiculous, it's not even accurate.

MrMusician18 · 15-10-2024 3:45pm

a option

Telling users to search for "Payzone" app in your app store is far more preferable than a QR code.

Del2005 · 15-10-2024 4:39pm

https://www.boards.ie/discussion/comment/122722595#Comment_122722595

An even better option would be "Tap Here" on a piece of equipment near my parking place that used to take coins.

What is with the push to everything needing an app when every card has contactless paying. We are going away from apps or dedicated cards for public transport and just tapping our cards, we should do the same for everything else.

kirving · 15-10-2024 5:09pm

https://www.boards.ie/discussion/comment/122721467#Comment_122721467

100%. It's all too easy to blame the end user, but I put 99% of blame on Payzone, who NEVER should have used a QR code in the first place. Totally reckless idiots IMO.

I use QR (well, datamatrix codes) from time to time in an industrial setting, to specifically force people not to write down an number which they can easily get wrong (like 0/O, or a badly printed 8 looking like a 9). I'm adding a layer of confusion to force compliance later - but that doesn't work with the general public and payment links.

A QR code very often first goes through some link shortener services, or has a strange URL to begin with, so it would be of no surprise, even to me, who uses them a decent amount, to see my phone be redirected from one webpage to the next. A scammers bread and butter.

QR's add a layer of abstraction which makes it so much easier to inject a fake link. Any IT security person knows this **** backwards. The banks know it too. They drill home that they will never send you a link. And yet Payzone thought it was OK to send you a link camouflaged by means of a QR code. This was totally foreseeable.

Actually, I went back and checked my Twitter, and over 5 years ago, I complained them about their **** app, that:

didn't allow screenshots (what were they hiding),
the fact that they always wanted a minimum balance in the app
no way to turn off auto top-up
no notification of the top-up happening when you went below the limt
that you couldn't delete your payment method (really!)
that there was no notification that a text message would cost 20c

I think most of the above has changed by now, but in hindsight, I should have pushed it further with the NTA (I guess?), but the fact that a single one of those items got past internal testing, and then presumably acceptance testing by the county councils (lol, who am I kidding..) who contract Payzone to provide that service - tells me that they have never had a handle on good practice when it comes to their customers money.