[HN Gopher] QR code scammers hitting on-street parking in Texas ... ___________________________________________________________________ QR code scammers hitting on-street parking in Texas cities Author : ethotool Score : 111 points Date : 2022-01-05 21:09 UTC (1 hour ago) (HTM) web link (www.click2houston.com) (TXT) w3m dump (www.click2houston.com) | AlotOfReading wrote: | From a certain perspective, is this even morally wrong? The way | these meters are always justified is that they help to shape | behavior in urban areas and allocate limited space efficiently. | It doesn't really matter _who_ gets the money as long as people | are paying. Moreover, if the city is in any way hurt by the loss | of revenue there's already an inherent conflict of interest in | city planning. | | Sure, scammers are bad, meter maids could incorrectly cite | vehicles, and it's highly likely the scammers are doing more than | just collecting the fees, but I don't find the basic premise that | terrible. | cma wrote: | It is better for it to go to the common good than be burnt up | in a sticker-over war that would eventually spill over into a | violent territory war. | megablast wrote: | If they are charging a lot more for parking, this is a good. | Parking is such a waste of space, and far too cheap. | colinmhayes wrote: | Houston's got plenty of parking. Agree parking is generally | too cheap, but their zoning laws went crazy with parking | requirements and the spots aren't going away anytime soon. | dahart wrote: | > Moreover, if the city is in any way hurt by the loss of | revenue there's already an inherent conflict of interest in | city planning. | | It's strange to frame this as us vs them. Revenue lost by the | city is coming out of _your_ pocket. Don't you have a vested | interest in not having scammers drain your city's income? I do. | It definitely matters who gets the money, if you aren't | singularly focused on the behavioral results of drivers having | to pay for parking. 
| | It's also strange to use language suggesting the city couldn't | possibly be damaged by the loss of revenue. Enforcement efforts | are trying to be net positive, cover their costs, and | contribute any remainder to other public works. | AlotOfReading wrote: | Revenue lost by parking meters _may_ be coming out of your | pocket. It depends on the city and their contract with the | meter company. If you're in Chicago for example, 100% of | revenue for the next 60-odd years goes to a private company | and the city pays them for lost revenue every time they shut | a street down for repairs. | | The contract in Chicago also reportedly contained | stipulations that the city wouldn't install certain types of | infrastructure that might affect parking revenues like bike | lanes. That's the sort of conflict-of-interest I was talking | about. | | In general, of course I agree that metered parking can be a | great solution to many issues. I would just prefer that the | money actually go to the city rather than terrible private | companies. | kfarr wrote: | Good point. There are even laws on the books in certain | states/cities that they can only charge up to the amount it | costs them to provide the service and collect fees. So from the | city's perspective it's not a horrible outcome. | hanoz wrote: | I think the way QR codes have been used these last two years has | left a lot of people with the impression that they're some kind | of magical portal through the internet to some trustworthy | source. | ChrisMarshallNY wrote: | I agree. | | I made a comment about how ads are being "stickered." 
| ejb999 wrote: | I remember, many years ago, a story of someone who took a whole | pile of blank deposit slips from the banks, and MICR encoded his | account number along the bottom - when customers came in to make | a deposit and the slip was scanned electronically, anything | handwritten by the customer was overridden by the pre-printed | account number - don't know how much they got away with, but | clever nonetheless. | | If there is something to be exploited somewhere, someone will | find it. | dhosek wrote: | I remember reading about this back in the day. I'm thinking | this was sometime in the 90s | frob wrote: | I've noticed a similar thing on rentable bikes in SF and NYC. | People don't put the qr code over the existing bike one, but they | put it near enough that your QR reader might pick it up by | mistake and open up the order site for a pizza chain. | Fortunately, when I'm using the bike app directly, these codes | are ignored, but new users don't necessarily have the app yet. | JoblessWonder wrote: | The scam website is passportlab.xyz (Thanks for including the URL | in the news article... I guess?) | | Looks like it is registered with Google Domains. Hosted at | 76.76.21.21 (vercel.com). They use magic.link to send a URL. They | are using Stripe to process payments. Any one of these could lead | to the perpetrator. But I doubt anyone will ever be arrested. | | (It looks like Stripe might have shut them down already though.) | jakear wrote: | Given this is going through traditional payment infrastructure it | should be easy enough to follow the money, no? | NortySpock wrote: | Yeah, and you can follow the money all the way to the crypto | wallet where it was converted to something harder to track or | harder to revert transactions on... | jakear wrote: | Sure, but that still introduces at least one nameable real | world entity that officials can convince to stop | processing transactions. 
| heywire wrote: | Are they even processing a payment, or are they just capturing | your account number to sell? | jakear wrote: | Good point. I hate web3 as much as the next HN'er but "buy | things and engage in recurring subscriptions via easily- | canceled smart contracts without giving your full account | details to a random third party" is a compelling proposition. | post_break wrote: | You could wash this fast with gift cards like microsoft support | scammers. What's funny though is the amount is so low. Maybe at | the most $5-10 a person. I can't imagine you getting a large | sum of money through this before being shut down. | colinmhayes wrote: | I assume everyone is paying with credit cards, so I don't see | how gift cards would help. The scammers probably live in a | country with lax law enforcement with regards to hacking, so | they can just deposit the money into their account when the | credit card company sends it. | post_break wrote: | You get money from the payment processor then cash out into | gift cards. It's a lot harder to track a gift card vs it | going to a bank account. You then churn the gift card into | cash at a discount rate using a gift card reselling | website. | colinmhayes wrote: | Can you buy gift cards without depositing the money into | an account you control? Once it's in the account just buy | crypto or whatever. I thought the gift card scams happen | because credit card companies refuse to pay out to | companies that get accused of scamming. | aspenmayer wrote: | There are sites and apps that sell gift cards for crypto, | and converting fiat to crypto is already pretty easy. | er4hn wrote: | There's a meta question here of the feedback loop. | | If I pay via coins / credit card the parking meter will tell me | "Okay, you have XY minutes left." If I pay via the app, does the | meter update as well? If I pay via the scam app... presumably | there is no feedback loop, though people may not realize this. 
| | As a second order effect, wouldn't it make sense to investigate | the domain and find the owners? Assuming they are paying some | other party to put these stickers up the owners of the domain are | the real problem. Telling residents to educate each other feels | similar to the trope of you are a "victim of identity theft" when | Equifax loses your personal details. | JoblessWonder wrote: | The scam website is passportlab.xyz (Thanks for including the | URL in the news article I guess?) | | Looks like it is registered with Google Domains. They use | magic.link to send a URL. They are using Stripe to process | payments. Any one of these could lead to the perpetrator. | | (It looks like Stripe might have shut them down already | though.) | dcdc123 wrote: | I imagine they are using pay stations rather than meters. If | that is the case I don't think people would ever look at it | after paying via app. | post_break wrote: | It goes off your license plate. They scan it as they go. There | is no meter. | ents wrote: | My city's app tells you time remaining and will send a | notification, all via App. | macNchz wrote: | There's another QR-swapping scam running in NYC these days after | the Citibike bike sharing system switched from typing a code at | the dock to scanning a QR on the bike itself. | | People will take the barcode from one bike and put it on others, | meaning when someone comes to unlock a bike, it actually unlocks | the scammer's bike. By the time the victim realizes why the bike | they're scanning won't unlock, the scammer has ridden away. | spockz wrote: | How does this even pay out? Do they use this "trick" to get a | free ride and return the bike somewhere, do they steal the bike | and keep it or do they sell it? Seems like a pretty hands-on and | risky thing to do. | LiquidSky wrote: | I thought you had to be within a certain distance of a dock to | unlock. 
Are you saying the scammer is standing there at the | dock waiting for a mark to come along and unknowingly unlock | one for them? | detaro wrote: | yes: https://apnews.com/article/lifestyle-nyc-state- | wire-34d4ecd5... | ChrisMarshallNY wrote: | I used to see these types of things, all the time, on the Long | Island Railroad. | | The trains have these big posters, which are ads. They rotate, | like, once a month, or so. | | Most of these ads have QR codes, to their sites. | | I often see that the QR code is a sticker, which means a scammer | placed it over the real one. | bellyfullofbac wrote: | I've thought of QR-encoding the URL to the Rick Roll video and | "pranking" people trying to scan ads. | | Here come the righteous downvotes; to defend myself, I never | went through with it, and they were ads to promote the city's | initiative to invite the corrupt organization the International | Olympic Committee so they could feast on our tax money. | flax wrote: | A couple of years ago, I was bored at REI while waiting for | something and decided to actually scan the NFC on the | packaging of some sealskinz gloves. To my surprise, the NFC | tag was still writable. | | So, if you bought gloves at an REI in Bellevue Washington, | and got rickrolled by the NFC packaging, that was me. | voakbasda wrote: | I think this would be a great way to educate the public about | not trusting a QR code they find in public, without first | double-checking it. Better than learning the hard way. | post_break wrote: | I'm really surprised this hasn't happened sooner. Parking along | the seawall in Galveston used to be free. Now you pay with a | smart meter. I saw it coming a mile away because all the smart | meters had QR codes to download the app. Only takes a smart | person to build a web app that looks similar, with a paypal link, | ask what meter you're at, send an email that you're good for X | minutes, etc. | weej wrote: | >> saw it coming a mile away | | You're telling me. 
(not so humble brag) I developed a software | solution and 3 patents granted over 10 years ago to stop these | kinds of shenanigans. Ahead of our time. | | *Unfortunately, matrix barcodes may sometimes reference | malicious websites, which may be used to steal confidential | information (e.g., user credentials or credit card numbers) as | part of a phishing attack or exploit vulnerabilities in mobile | web browser software that may allow malware to be downloaded to | a user's mobile computing device. Furthermore, some legitimate | Internet resources (through the use of spam, comment posts, | etc.) may be used to redirect users to malicious websites. | Accordingly, the instant disclosure identifies a need for | systems and methods for providing security information about | quick response codes.* | | https://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=... | cortesoft wrote: | > with a paypal link | | Getting the money would be hard, and you would be easy to | track. | | They would probably be better off just collecting the credit | card info and selling it. | dhosek wrote: | If I were doing this, I would make a clone of the legitimate | site, collect their info and pay for the parking on the real | site, but save the credit card number for sale on the black | market. I'd imagine one could find any number of sites where | this could be hosted anonymously (or slip it into a hacked | site's service). If you slap QR code stickers over legitimate | ones it could be months before anyone noticed. | post_break wrote: | Someone found their stripe api key. All they would have to do | is buy gift cards using the funds to wash it. | allenu wrote: | I agree. I can't believe I had never thought that a public QR | code may be untrustworthy until now. This is going to make me a | bit more paranoid now when scanning them for parking purposes. | post_break wrote: | NFC is another one. Slap a metal stick over the real one and | put your bad NFC on top of it. 
| hotpotamus wrote: | Remember when we told people not to click on random links in | email? | dvtrn wrote: | I remember it vividly. Because I had to tell someone not to | do it this morning. | | And twice last week. Few times the month before that. | | Even configured Exchange to give people a "report suspected | phishing" button in their outlook clients. | | They keep on clickin'. | | (Each time was a different person btw) | ectopod wrote: | It's quite rare now for links in a commercial email to | actually go to the company the email is from. Most links | are random looking click-tracking garbage. | | Normal people can't tell good links from bad. The only | way to stop people clicking them is to have your MTA | erase them. Which isn't ideal. | deltarholamda wrote: | According to the Codified Laws of System Administrators, | you are now authorized to start lopping off fingers. | spockz wrote: | I think they will still be clicking with their noses in | that case. It never ceases to amaze me how many people | think. "Oh hey that interesting/cool <click>". Or "hey | how did they know I needed this?" | kingcharles wrote: | Headstick is the way to go once your sysadmin has taken | all your digits. Gotta click 'em all! | | https://www.youtube.com/watch?v=Rz2HpGC9vbw | amelius wrote: | > Only takes a smart person to build a web app that looks | similar (...) | | Smart person? Sounds more like a person looking for trouble. | rossdavidh wrote: | Smart enough to do it, dumb enough to do it also. It's more | common than it seems like it ought to be. | bellyfullofbac wrote: | Of course there's the "follow the money" issue, I wonder if | it's doable using a payment provider in a dubious country, | or if Visa/Mastercard would just chargeback, leaving the | payment provider to be mad at you (but hopefully they did | poor KYC so they'd have no power to send their henchmen to | you). 
| | Maybe the fake app can say "Now you need to go to | walmart.com to buy a gift card and enter that gift card | code to pay for parking", but that would filter out a lot | of people who were looking for convenience in the first | place. If I were consulting for this criminal, I'd say "You | need to get to their greed by offering them a big prize, | e.g. 1 year free parking in $CITY...". | upofadown wrote: | Identity management again... | | I guess you could have the city's public ID in your phone and | then the city could just sign their QR codes ... or not in this | case... | peter303 wrote: | A number of governments claim to have solved the problem in | virtual licenses and vaccine passports. But I could guess ways | to fake that too. | joshellington wrote: | Wow, they're using Stripe for payments. Here's their API key: | pk_live_1vI9jQQVPUd9XXtXEXxRBMDL | | Just reported them through the generic Stripe contact form (all I | could quickly find). | bredren wrote: | My first question was how they were collecting these "high | risk" payments. | | In general, Stripe describes a 7-14 day payout schedule, but | has shorter ones for many countries. | | Presumably it takes a fair amount of identity info to get to | the 2 business day accelerated payout speed available to low- | risk businesses in the US. | | https://stripe.com/docs/payouts#payout-schedule | tzs wrote: | > Anyone who sees someone tampering with a pay station and is not | a badged City of Houston employee should call 911. | | From the Houston police department's 911 information page [1]: | | > Call 9-1-1 to report a life or death emergency that requires an | immediate response from police, fire, or ambulance personnel. | | ... | | > Do not use 9-1-1 for non-emergency situations -- this causes a | delay in answering emergency calls. | | [1] https://www.houstontx.gov/police/contact/911.htm | 1123581321 wrote: | Nice. 
I am aware 911 should be used for some non-lethal but | urgent situations now, but it was funny and frustrating | figuring out which ones. For example, I'd call in a stalled car | and get told by 911 to call non-emergency, and next time by | non-emergency to call 911, in the same city. And non-emergency | would sometimes tell me they dispatched someone and other times | ask me what I thought should happen, again for the same | problem. | | They must think they're stuck with fools for constituents. :) | MR4D wrote: | Per the City of Houston [0]: " _Dial (713) 884-3131 to request | non-emergency police service for locations within the city | limits of Houston._ " | | For what it's worth, Click2Houston is widely known for ad- | ridden clickbait masquerading as news. They used to be good, | but now they just suck. | | Also, calling 911 in Houston really sucks. Good luck getting a | response within 30 minutes unless it's active gun related (and | even then, I've personally waited nearly an hour after | reporting gunshots in my neighborhood). Not the cops' fault - | they're generally ok, but the city management is poor. | | [0] - https://www.houstontx.gov/police/contact/index.htm | monksy wrote: | > Anyone who sees someone tampering with a pay station and is | not a badged City of Houston employee | | This is a crime in progress. That's why 911 is being | recommended. (Yes this can vary from place to place) 311 is | about reporting that has happened non-crime related a time | ago.. 911 is something that is/just happened. | | But yes, their messaging is terrible. I'm sure that they're | just saying "don't call 911 because your sister is being a | pain" | MarvinYork wrote: | dhosek wrote: | I once had a drunk person ringing my doorbell when I lived | near downtown. It wasn't an emergency so I called 311. The | person listened to what I had to say, said hold on and | transferred me. The next person I spoke to said, "911 | operator, what's your emergency?" 
| Scoundreller wrote: | Reminds me of when there was a police press release about 2 | guys that broke into a parking garage and drove around the | carts like an underground game of Mario Kart and stole one. | | Then I realized it was technically a government building and | then it all made sense, because cars and bikes get stolen daily | without a peep. | raymondh wrote: | Can anyone with an understanding of how cash transfers work explain | how this is possible? | | I cannot fathom how scammers get away with this. The police have | the QR code, the URL, and the cash going out of one account into | another. How is it possible that these people don't get caught | and locked up immediately? | Findecanor wrote: | Accounts that receive money transfers for criminals have often | been hijacked, or set up using hijacked credentials. | heywire wrote: | Why wouldn't they just capture the card number and sell it? | bredren wrote: | Depending on the implementation, it could be they are doing | that. And the stripe charges are just to keep the scheme | going longer. | kyletns wrote: | If they set up payments through a provider outside the US I | don't see how a local police force is going to be able to track | those payments. | colinmhayes wrote: | The website is probably in Russia I guess. Unless they catch | someone putting the qr sticker on there's no link to the US. | JoeAltmaier wrote: | This is why we can't have nice things :( | | Maybe some indirect system would defeat this, where the real QR | code only works if you have a cookie registered some other way - | a phone app or something... and the fake one can't scrape that... | mastazi wrote: | Maybe if they didn't have a "pay by app" scheme as seen in one of | the pictures, people would be less likely to fall into this | scheme. 
I'm not sure why government agencies should require | people to download an app just to pay a parking fee instead of | making things as frictionless as possible (I live in Australia, | we have the same issue here) | csydas wrote: | I think they just did the system backwards; the meter/parking | placard should just have an etched URL + branding for the | app and the posts at parking spots should just be some UID for | parking spots the system has registered. The main app/site | should let you scan and auto-fill the data, but it'll wait for | you to confirm you got it right. | | Scammers can still put fake stickers/posters/whatever up, but | the QR scanner shouldn't trigger an action, it should just | provide some static location data when it comes to some payment | action. | | I think it's just a really poorly thought out system that | didn't really research how other successful implementations of | QR codes work. | jjnoakes wrote: | Maybe I'm dense but couldn't an attacker just put a qr code | sticker over every space that all pointed to their own space? | Then everyone would be paying for the attacker's parking. | | I suppose this is harder to pull off with a lower benefit, | and a higher chance of getting caught (i.e. fast acting law | enforcement would know which car was in the free space). | | To mitigate this, you might need space numbers posted. This | is easy to verify that each space is different. But at this | point, why even have a QR code? | Ekaros wrote: | In Finland from my experience the app is most frictionless way. | And one of the few apps I actually like to use. I have two | downloaded on my phone, I enable location. Wait for it to get | general area, it has my credit card and plate number stored. I | set time and start it. Then when I get back to car I can just | stop there and get billed exact time. No dealing with coins or | paying at meter or guessing how long will I take. 
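Several comments above sketch the same fix from different angles: upofadown's "the city could just sign their QR codes", csydas's "the QR scanner shouldn't trigger an action, it should just provide some static location data" that the user then confirms, and JoeAltmaier's idea that the real code should only work inside the city's own app. The following is an added worked example of that design, not code from the thread, from the City of Houston or from any parking vendor. It uses Go's standard-library Ed25519. The payment host `pay.example-city.gov`, the meter id format `HOU-1234` and the query parameter names are all assumptions for the example; `passportlab.xyz` is the scam host the thread names and is used here as the swapped sticker. The city signs `meter id | expiry` with its private key at print time; the app pins the host, verifies against the city's public key baked into the app, and only ever returns a meter id for the user to confirm against the number posted on the space. A sticker pointing anywhere else, or a genuine URL with the meter id edited, fails before any payment screen is shown. Note what this does not stop: jjnoakes's attack of copying a genuine signed sticker from the attacker's own space onto every other post. That code verifies fine, which is why the app must display the meter id for confirmation rather than acting on the scan, and why the posted space number still matters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Assumed payment host for a hypothetical city app (not the real Houston domain).
const trustedHost = "pay.example-city.gov"

// Payload is what the city commits to when it prints a sticker.
type Payload struct {
	MeterID string
	Expires int64 // unix seconds, so old stickers can be retired
}

// bytesToSign binds meter id and expiry together under one signature.
func bytesToSign(p Payload) []byte {
	return []byte(p.MeterID + "|" + strconv.FormatInt(p.Expires, 10))
}

// IssueQR is the city-side step: sign the payload and emit the URL the QR
// code will carry. Only the holder of the city's private key can produce it.
func IssueQR(priv ed25519.PrivateKey, p Payload) string {
	sig := ed25519.Sign(priv, bytesToSign(p))
	q := url.Values{}
	q.Set("m", p.MeterID)
	q.Set("exp", strconv.FormatInt(p.Expires, 10))
	q.Set("sig", base64.RawURLEncoding.EncodeToString(sig))
	return "https://" + trustedHost + "/p?" + q.Encode()
}

// VerifyQR is the app-side step, run on the decoded string before any payment
// UI is shown. It pins the host, checks the signature against the pinned city
// public key and rejects expired codes. The scan never triggers a payment by
// itself; it only yields a meter id for the user to confirm against the post.
func VerifyQR(pub ed25519.PublicKey, raw string, now time.Time) (Payload, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host != trustedHost {
		return Payload{}, errors.New("not a city parking URL")
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("exp"), 10, 64)
	if err != nil {
		return Payload{}, errors.New("malformed expiry")
	}
	sig, err := base64.RawURLEncoding.DecodeString(q.Get("sig"))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Payload{}, errors.New("malformed signature")
	}
	p := Payload{MeterID: q.Get("m"), Expires: exp}
	if !ed25519.Verify(pub, bytesToSign(p), sig) {
		return Payload{}, errors.New("bad signature: sticker was not issued by the city")
	}
	if now.Unix() > exp {
		return Payload{}, errors.New("code expired")
	}
	return p, nil
}

func main() {
	// Constructed city key pair; in practice the public key ships inside the app.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	good := IssueQR(priv, Payload{MeterID: "HOU-1234", Expires: now.Add(365 * 24 * time.Hour).Unix()})
	for _, code := range []string{
		good,
		"https://passportlab.xyz/pay?m=HOU-1234", // swapped sticker, host from the article
		good[:len(good)-4] + "AAAA",             // genuine URL with the signature tail tampered
	} {
		p, err := VerifyQR(pub, code, now)
		fmt.Printf("%-60.60s -> meter=%q err=%v\n", code, p.MeterID, err)
	}
}
```

Design notes: the signature covers the meter id and an expiry, so a single leaked sticker cannot be re-minted for another space and the city can rotate codes; the host check happens before the signature check so an unrelated phishing URL is refused without ever touching the key; and the app, not the QR, owns the payment step, which is the property csydas asks for. A sticker copied whole from one post to another still passes, so the confirmation screen must show the decoded meter id next to whatever the user sees on the post.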
| brewdad wrote: | Once you've used the app once, payment becomes quite | frictionless with an app. Without the app, I need to locate the | pay station. Wait for anyone ahead of me already at the pay | station. Then determine if it's the old type that issues a | paper window ticket or the newer type that uses your license | plate. If it's the new type, I have to enter my license plate | info, taking care to remember not to transpose the two digits | that always trip me up. If it's the old type, I have to wait | for the ticket to print then return to my vehicle and place it | in the proper spot in my door window sill taking care not to | let it fall out when I close the door. Then I have to remember | what time I need to move my car or add more time and return to | the pay station to do so. | | With the app, I have to do all of that once and the app | remembers everything for me. If I am driving my wife's car, I | don't have to try to remember her plate number. I can pay for | my parking while walking to wherever I am going and I'll get a | notification 5 minutes before my payment expires and can add | time right where I stand at that moment. Parking apps can be | great though it is annoying that every town seems to have their | own app or payment provider. | reaperducer wrote: | _I'm not sure why government agencies should require people to | download an app just to pay a parking fee instead of making | things as frictionless as possible (I live in Australia, we | have the same issue here)_ | | In some cities the parking meters are run by a private company. | | Chicago, for example, leased its parking meters to an | Australian company. (Or Spanish. I forget, one got the parking | meters the other got the Skyway) In exchange for an up-front | payment to the city, the private company gets to run the | parking meters almost any way they want. | | This includes raising prices. 
| | Or worse, in the Chicago example, the parking meter company | successfully sued the city and now Chicago isn't allowed to | permit the construction of any new public parking garages in | the downtown core, because that would hurt the parking meter | business. The only new garages that are permitted are for new | residential buildings and a calculated number of spaces | exclusively for office buildings for hotels. | colinmhayes wrote: | Abu Dhabi owns the parking rights in Chicago. Personally I | think having a private company control parking | rates/enforcement makes sense because parking costs should be | much higher than they currently are but that's not | politically viable. By pawning the bad press onto some | company politicians can avoid the downsides while pricing | parking properly. Unfortunately Chicago is full of corrupt | politicians who negotiated an unbelievably bad deal for the | city, agreed that the biggest problem is that the city can | never get rid of street parking or add garages. | emptybottle wrote: | Some train parking lot systems would be vulnerable to this too. | | I've parked in lots where you enter the parking spot number and | payment into a website. There is no physical confirmation, and it | would be trivial to put a QR code on the parking information | sign. | | Especially because typically people are walking into the station | while paying, and not standing in front of the sign double | checking the details. | | Insult to injury, the UI on the legit system is so bad and slow | that scammers wouldn't even need to try to replicate what exists. | Basically anything else would be an improvement. | meatroll wrote: | I replace public QR codes with stickers to meatspin.com | | I did it for the lulz but now I think it may be a public service, | getting people to blindly trust these things a little less | trevcanhuman wrote: | Anyone else thought the title said _scanners_ instead of | scammers? 
Was a little surprised when I reread the title. ___________________________________________________________________ (page generated 2022-01-05 23:00 UTC)