[HN Gopher] QR code scammers hitting on-street parking in Texas ...
___________________________________________________________________
QR code scammers hitting on-street parking in Texas cities
Author : ethotool
Score : 111 points
Date : 2022-01-05 21:09 UTC (1 hours ago)
(HTM) web link (www.click2houston.com)
| AlotOfReading wrote:
| From a certain perspective, is this even morally wrong? The way
| these meters are always justified is that they help to shape
| behavior in urban areas and allocate limited space efficiently.
| It doesn't really matter _who_ gets the money as long as people
| are paying. Moreover, if the city is in any way hurt by the loss
| of revenue there's already an inherent conflict of interest in
| city planning.
|
| Sure, scammers are bad, meter maids could incorrectly cite
| vehicles, and it's highly likely the scammers are doing more than
| just collecting the fees, but I don't find the basic premise that
| terrible.
| cma wrote:
| It is better for it to go to the common good than be burnt up
| in a sticker-over war that would eventually spill over into a
| violent territory war.
| megablast wrote:
| If they are charging a lot more for parking, this is a good.
| Parking is such a waste of space, and far too cheap.
| colinmhayes wrote:
| Houston's got plenty of parking. Agree parking is generally
| too cheap, but their zoning laws went crazy with parking
| requirements and the spots aren't going away anytime soon.
| dahart wrote:
| > Moreover, if the city is in any way hurt by the loss of
| revenue there's already an inherent conflict of interest in
| city planning.
|
| It's strange to frame this as us vs them. Revenue lost by the
| city is coming out of _your_ pocket. Don't you have a vested
| interest in not having scammers drain your city's income? I do.
| It definitely matters who gets the money, if you aren't
| singularly focused on the behavioral results of drivers having
| to pay for parking.
|
| It's also strange to use language suggesting the city couldn't
| possibly be damaged by the loss of revenue. Enforcement efforts
| are trying to be net positive, cover their costs, and
| contribute any remainder to other public works.
| AlotOfReading wrote:
| Revenue lost by parking meters _may_ be coming out of your
| pocket. It depends on the city and their contract with the
| meter company. If you're in Chicago for example, 100% of
| revenue for the next 60-odd years goes to a private company
| and the city pays them for lost revenue every time they shut
| a street down for repairs.
|
| The contract in Chicago also reportedly contained
| stipulations that the city wouldn't install certain types of
| infrastructure that might affect parking revenues like bike
| lanes. That's the sort of conflict-of-interest I was talking
| about.
|
| In general, of course I agree that metered parking can be a
| great solution to many issues. I would just prefer that the
| money actually go to the city rather than terrible private
| companies.
| kfarr wrote:
| Good point. There are even laws on the books in certain
| states/cities that they can only charge up to the amount it
| costs them to provide the service and collect fees. So from the
| city's perspective it's not a horrible outcome.
| hanoz wrote:
| I think the way QR codes have been used these last two years has
| left a lot of people with the impression that they're some kind
| of magical portal through the internet to some trustworthy
| source.
| ChrisMarshallNY wrote:
| I agree.
|
| I made a comment about how ads are being "stickered."
| ejb999 wrote:
| I remember, many years ago, a story of someone who took a whole
| pile of blank deposit slips from the banks, and MICR encoded his
| account number along the bottom - when customers came in to make
| a deposit and the slip was scanned electronically, anything
| handwritten by the customer was overridden by the pre-printed
| account number - don't know how much they got away with, but
| clever nonetheless.
|
| If there is something to be exploited somewhere, someone will
| find it.
| dhosek wrote:
| I remember reading about this back in the day. I'm thinking
| this was sometime in the 90s
| frob wrote:
| I've noticed a similar thing on rentable bikes in SF and NYC.
| People don't put the QR code over the existing bike one, but they
| put it near enough that your QR reader might pick it up by
| mistake and open up the order site for a pizza chain.
| Fortunately, when I'm using the bike app directly, these codes
| are ignored, but new users don't necessarily have the app yet.
| JoblessWonder wrote:
| The scam website is passportlab.xyz (Thanks for including the URL
| in the news article... I guess?)
|
| Looks like it is registered with Google Domains. Hosted at
| 76.76.21.21 (vercel.com). They use magic.link to send a URL. They
| are using Stripe to process payments. Any one of these could lead
| to the perpetrator. But I doubt anyone will ever be arrested.
|
| (It looks like Stripe might have shut them down already though.)
| jakear wrote:
| Given this is going through traditional payment infrastructure it
| should be easy enough to follow the money, no?
| NortySpock wrote:
| Yeah, and you can follow the money all the way to the crypto
| wallet where it was converted to something harder to track or
| harder to revert transactions on...
| jakear wrote:
| Sure, but that still introduces at least one nameable real
| world entity that officials can convince to stop
| processing transactions.
| heywire wrote:
| Are they even processing a payment, or are they just capturing
| your account number to sell?
| jakear wrote:
| Good point. I hate web3 as much as the next HN'er but "buy
| things and engage in recurring subscriptions via easily-
| canceled smart contracts without giving your full account
| details to a random third party" is a compelling proposition.
| post_break wrote:
| You could wash this fast with gift cards like microsoft support
| scammers. What's funny though is the amount is so low. Maybe at
| the most $5-10 a person. I can't imagine you getting a large
| sum of money through this before being shut down.
| colinmhayes wrote:
| I assume everyone is paying with credit cards, so I don't see
| how gift cards would help. The scammers probably live in a
| country with lax law enforcement with regards to hacking, so
| they can just deposit the money into their account when the
| credit card company sends it.
| post_break wrote:
| You get money from the payment processor then cash out into
| gift cards. It's a lot harder to track a gift card vs it
| going to a bank account. You then churn the gift card into
| cash at a discount rate using a gift card reselling
| website.
| colinmhayes wrote:
| Can you buy gift cards without depositing the money into
| an account you control? Once it's in the account just buy
| crypto or whatever. I thought the gift card scams happen
| because credit card companies refuse to pay out to
| companies that get accused of scamming.
| aspenmayer wrote:
| There are sites and apps that sell gift cards for crypto,
| and converting fiat to crypto is already pretty easy.
| er4hn wrote:
| There's a meta question here of the feedback loop.
|
| If I pay via coins / credit card the parking meter will tell me
| "Okay, you have XY minutes left." If I pay via the app, does the
| meter update as well? If I pay via the scam app... presumably
| there is no feedback loop, though people may not realize this.
|
| As a second order effect, wouldn't it make sense to investigate
| the domain and find the owners? Assuming they are paying some
| other party to put these stickers up the owners of the domain are
| the real problem. Telling residents to educate each other feels
| similar to the trope of you are a "victim of identity theft" when
| Equifax loses your personal details.
| JoblessWonder wrote:
| The scam website is passportlab.xyz (Thanks for including the
| URL in the news article I guess?)
|
| Looks like it is registered with Google Domains. They use
| magic.link to send a URL. They are using Stripe to process
| payments. Any one of these could lead to the perpetrator.
|
| (It looks like Stripe might have shut them down already
| though.)
| dcdc123 wrote:
| I imagine they are using pay stations rather than meters. If
| that is the case I don't think people would ever look at it
| after paying via app.
| post_break wrote:
| It goes off your license plate. They scan it as they go. There
| is no meter.
| ents wrote:
| My city's app tells you time remaining and will send a
| notification, all via App.
| macNchz wrote:
| There's another QR-swapping scam running in NYC these days after
| the Citibike bike sharing system switched from typing a code at
| the dock to scanning a QR on the bike itself.
|
| People will take the barcode from one bike and put it on others,
| meaning when someone comes to unlock a bike, it actually unlocks
| the scammer's bike. By the time the victim realizes why the bike
| they're scanning won't unlock, the scammer has ridden away.
| spockz wrote:
| How does this even pay out? Do they use this "trick" to get a
| free ride and return the bike somewhere, do they steal the bike
| and keep it or do they sell it? Seems like a pretty hands-on and
| risky thing to do.
| LiquidSky wrote:
| I thought you had to be within a certain distance of a dock to
| unlock. Are you saying the scammer is standing there at the
| dock waiting for a mark to come along and unknowingly unlock
| one for them?
| detaro wrote:
| yes: https://apnews.com/article/lifestyle-nyc-state-
| wire-34d4ecd5...
| ChrisMarshallNY wrote:
| I used to see these types of things, all the time, on the Long
| Island Railroad.
|
| The trains have these big posters, which are ads. They rotate,
| like, once a month, or so.
|
| Most of these ads have QR codes, to their sites.
|
| I often see that the QR code is a sticker, which means a scammer
| placed it over the real one.
| bellyfullofbac wrote:
| I've thought of QR-encoding the URL to the Rick Roll video and
| "pranking" people trying to scan ads.
|
| Here come the righteous downvotes; to defend myself, I never
| went through with it, and they were ads to promote the city's
| initiative to invite the corrupt organization the International
| Olympic Committee so they could feast on our tax money.
| flax wrote:
| A couple of years ago, I was bored at REI while waiting for
| something and decided to actually scan the NFC on the
| packaging of some sealskinz gloves. To my surprise, the NFC
| tag was still writable.
|
| So, if you bought gloves at an REI in Bellevue Washington,
| and got rickrolled by the NFC packaging, that was me.
| voakbasda wrote:
| I think this would be a great way to educate the public about
| not trusting a QR code they find in public, without first
| double-checking it. Better than learning the hard way.
| post_break wrote:
| I'm really surprised this hasn't happened sooner. Parking along
| the seawall in Galveston used to be free. Now you pay with a
| smart meter. I saw it coming a mile away because all the smart
| meters had QR codes to download the app. Only takes a smart
| person to build a web app that looks similar, with a paypal link,
| ask what meter you're at, send an email that you're good for X
| minutes, etc.
| weej wrote:
| >> saw it coming a mile away
|
| You're telling me. (not so humble brag) I developed a software
| solution and 3 patents granted over 10 years ago to stop these
| kind of shenanigans. Ahead of our time.
|
| *Unfortunately, matrix barcodes may sometimes reference
| malicious websites, which may be used to steal confidential
| information (e.g., user credentials or credit card numbers) as
| part of a phishing attack or exploit vulnerabilities in mobile
| web browser software that may allow malware to be downloaded to
| a user's mobile computing device. Furthermore, some legitimate
| Internet resources (through the use of spam, comment posts,
| etc.) may be used to redirect users to malicious websites.
| Accordingly, the instant disclosure identifies a need for
| systems and methods for providing security information about
| quick response codes.*
|
| https://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=...
| cortesoft wrote:
| > with a paypal link
|
| Getting the money would be hard, and you would be easy to
| track.
|
| They would probably be better off just collecting the credit
| card info and selling it.
| dhosek wrote:
| If I were doing this, I would make a clone of the legitimate
| site, collect their info and pay for the parking on the real
| site, but save the credit card number for sale on the black
| market. I'd imagine one could find any number of sites where
| this could be hosted anonymously (or slip it into a hacked
| site's service). If you slap QR code stickers over legitimate
| ones it could be months before anyone noticed.
| post_break wrote:
| Someone found their Stripe API key. All they would have to do
| is buy gift cards using the funds to wash it.
| allenu wrote:
| I agree. I can't believe I had never thought that a public QR
| code may be untrustable until now. This is going to make me a
| bit more paranoid now when scanning them for parking purposes.
| post_break wrote:
| NFC is another one. Slap a metal stick over the real one and
| put your bad NFC on top of it.
| hotpotamus wrote:
| Remember when we told people not to click on random links in
| email?
| dvtrn wrote:
| I remember it vividly. Because I had to tell someone not to
| do it this morning.
|
| And twice last week. Few times the month before that.
|
| Even configured Exchange to give people a "report suspected
| phishing" button in their outlook clients.
|
| They keep on clickin'.
|
| (Each time was a different person btw)
| ectopod wrote:
| It's quite rare now for links in a commercial email to
| actually go to the company the email is from. Most links
| are random looking click-tracking garbage.
|
| Normal people can't tell good links from bad. The only
| way to stop people clicking them is to have your MTA
| erase them. Which isn't ideal.
| deltarholamda wrote:
| According to the Codified Laws of System Administrators,
| you are now authorized to start lopping off fingers.
| spockz wrote:
| I think they will still be clicking with their noses in
| that case. It never ceases to amaze me how many people
| think. "Oh hey that interesting/cool <click>". Or "hey
| how did they know I needed this?"
| kingcharles wrote:
| Headstick is the way to go once your sysadmin has taken
| all your digits. Gotta click 'em all!
|
| https://www.youtube.com/watch?v=Rz2HpGC9vbw
| amelius wrote:
| > Only takes a smart person to build a web app that looks
| similar (...)
|
| Smart person? Sounds more like a person looking for trouble.
| rossdavidh wrote:
| Smart enough to do it, dumb enough to do it also. It's more
| common than it seems like it ought to be.
| bellyfullofbac wrote:
| Of course there's the "follow the money" issue, I wonder if
| it's doable using a payment provider in a dubious country,
| or if Visa/Mastercard would just chargeback, leaving the
| payment provider to be mad at you (but hopefully they did
| poor KYC so they'd have no power to send their henchmen to
| you).
|
| Maybe the fake app can say "Now you need to go to
| walmart.com to buy a gift card and enter that gift card
| code to pay for parking", but that would filter out a lot
| of people who were looking for convenience in the first
| place. If I were consulting for this criminal, I'd say "You
| need to get to their greed by offering them a big prize,
| e.g. 1 year free parking in $CITY...".
| upofadown wrote:
| Identity management again...
|
| I guess you could have the city's public ID in your phone and
| then the city could just sign their QR codes ... or not in this
| case...
| peter303 wrote:
| A number of governments claim to have solved the problem in
| virtual licenses and vaccine passports. But I could guess ways
| to fake that too.
| joshellington wrote:
| Wow, they're using Stripe for payments. Here's their API key:
| pk_live_1vI9jQQVPUd9XXtXEXxRBMDL
|
| Just reported them through the generic Stripe contact form (all I
| could quickly find).
| bredren wrote:
| My first question was how they were collecting these "high
| risk" payments.
|
| In general, Stripe describes a 7-14 day payout schedule, but
| has shorter ones for many countries.
|
| Presumably it takes a fair amount of identity info to get to
| the 2 business day accelerated payout speed available to low-
| risk businesses in the US.
|
| https://stripe.com/docs/payouts#payout-schedule
| tzs wrote:
| > Anyone who sees someone tampering with a pay station and is not
| a badged City of Houston employee should call 911.
|
| From the Houston police department's 911 information page [1]:
|
| > Call 9-1-1 to report a life or death emergency that requires an
| immediate response from police, fire, or ambulance personnel.
|
| ...
|
| > Do not use 9-1-1 for non-emergency situations -- this causes a
| delay in answering emergency calls.
|
| [1] https://www.houstontx.gov/police/contact/911.htm
| 1123581321 wrote:
| Nice. I am aware 911 should be used for some non-lethal but
| urgent situations now, but it was funny and frustrating
| figuring out which ones. For example, I'd call in a stalled car
| and get told by 911 to call non-emergency, and next time by
| non-emergency to call 911, in the same city. And non-emergency
| would sometimes tell me they dispatched someone and other times
| ask me what I thought should happen, again for the same
| problem.
|
| They must think they're stuck with fools for constituents. :)
| MR4D wrote:
| Per the City of Houston [0]: "_Dial (713) 884-3131 to request
| non-emergency police service for locations within the city
| limits of Houston._"
|
| For what it's worth, Click2Houston is widely known for ad-
| ridden clickbait masquerading as news. They used to be good,
| but now they just suck.
|
| Also, calling 911 in Houston really sucks. Good luck getting a
| response within 30 minutes unless it's active gun related (and
| even then, I've personally waited nearly an hour after
| reporting gunshots in my neighborhood). Not the cops fault -
| they're generally ok, but the city management is poor.
|
| [0] - https://www.houstontx.gov/police/contact/index.htm
| monksy wrote:
| > Anyone who sees someone tampering with a pay station and is
| not a badged City of Houston employee
|
| This is a crime in progress. That's why 911 is being
| recommended. (Yes, this can vary from place to place.) 311 is
| for reporting non-crime-related things that happened a while
| ago. 911 is for something that is happening or just happened.
|
| But yes, their messaging is terrible. I'm sure that they're
| just saying "don't call 911 because your sister is being a
| pain"
| MarvinYork wrote:
| dhosek wrote:
| I once had a drunk person ringing my doorbell when I lived
| near downtown. It wasn't an emergency so I called 311. The
| person listened to what I had to say, said hold on and
| transferred me. The next person I spoke to said, "911
| operator, what's your emergency?"
| Scoundreller wrote:
| Reminds me of when there was a police press release about 2
| guys that broke into a parking garage and drove around the
| carts like an underground game of Mario Kart and stole one.
|
| Then I realized it was technically a government building and
| then it all made sense, because cars and bikes get stolen daily
| without a peep.
| raymondh wrote:
| Can anyone with an understanding of how cash transfers work explain
| how this is possible?
|
| I cannot fathom how scammers get away with this. The police have
| the QR code, the URL, and the cash going out of one account into
| another. How is it possible that these people don't get caught
| and locked up immediately?
| Findecanor wrote:
| Accounts that receive money transfers for criminals have often
| been hijacked, or set up using hijacked credentials.
| heywire wrote:
| Why wouldn't they just capture the card number and sell it?
| bredren wrote:
| Depending on the implementation, it could be they are doing
| that. And the stripe charges are just to keep the scheme
| going longer.
| kyletns wrote:
| If they set up payments through a provider outside the US I
| don't see how a local police force is going to be able to track
| those payments.
| colinmhayes wrote:
| The website is probably in Russia I guess. Unless they catch
| someone putting the QR sticker on there's no link to the US.
| JoeAltmaier wrote:
| This is why we can't have nice things :(
|
| Maybe some indirect system would defeat this, where the real QR
| code only works if you have a cookie registered some other way -
| a phone app or something... and the fake one can't scrape that...
| mastazi wrote:
| Maybe if they didn't have a "pay by app" scheme as seen in one of
| the pictures, people would be less likely to fall into this
| scheme. I'm not sure why government agencies should require
| people to download an app just to pay a parking fee instead of
| making things as frictionless as possible (I live in Australia,
| we have the same issue here)
| csydas wrote:
| I think they just did the system backwards; the meter/parking
| placard should just have an etched URL + branding for the
| app and the posts at parking spots should just be some UID for
| parking spots the system has registered. The main app/site
| should let you scan and auto-fill the data, but it'll wait for
| you to confirm you got it right.
|
| Scammers can still put fake stickers/posters/whatever up, but
| the QR scanner shouldn't trigger an action, it should just
| provide some static location data when it comes to some payment
| action.
|
| I think it's just a really poorly thought out system that
| didn't really research how other successful implementations of
| QR codes work.
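The two design points raised in this subthread, that the city could sign its QR codes so the official app can tell a real sticker from a pasted-over one (upofadown's comment above), and that a scanned code should yield only static location data which the app shows back for confirmation rather than triggering a payment (csydas's comment), can be combined in one small scheme. The following Go program is an added example written for this page; it is not code from any city's parking system or from the article. The `parkqr:v1:ZONE:SPACE:SIG` payload format, the zone and space identifiers and the key handling are all assumptions made for illustration. The city's back office signs each sticker's zone/space pair with an Ed25519 private key; the app ships with the matching public key pinned and rejects anything that is not a correctly signed location, which includes a plain URL from a scam sticker, a code copied from another space and edited, or a code signed with someone else's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Location is the only thing a verified scan yields: static data the app
// displays for the driver to confirm. No URL, no automatic payment action.
type Location struct {
	Zone  string
	Space string
}

// scheme is a hypothetical prefix chosen for this example (an assumption),
// so the app can quickly reject QR codes that are not parking codes at all.
const scheme = "parkqr"

// signedMessage is the exact byte string the city signs and the app verifies.
func signedMessage(zone, space string) []byte {
	return []byte(scheme + ":v1:" + zone + ":" + space)
}

// NewCityKeys stands in for the city's key ceremony: the private key stays
// in the back office, the public key is pinned inside the official app.
func NewCityKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildQRPayload produces the text a printed sticker's QR code would encode.
// Run by the city when stickers are manufactured, never by the app.
func BuildQRPayload(priv ed25519.PrivateKey, zone, space string) (string, error) {
	if strings.ContainsAny(zone+space, ":") {
		return "", errors.New("zone and space must not contain ':'")
	}
	msg := signedMessage(zone, space)
	sig := ed25519.Sign(priv, msg)
	// RawURLEncoding never emits ':', so splitting on ':' later is unambiguous.
	return string(msg) + ":" + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyQRPayload is what the official app runs on any scanned text, using
// the pinned public key. Every failure path returns an error and no Location,
// so a pasted-over sticker cannot steer the app anywhere.
func VerifyQRPayload(pub ed25519.PublicKey, data string) (Location, error) {
	parts := strings.Split(data, ":")
	if len(parts) != 5 || parts[0] != scheme || parts[1] != "v1" {
		return Location{}, errors.New("not a signed parking code")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[4])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Location{}, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signedMessage(parts[2], parts[3]), sig) {
		return Location{}, errors.New("signature check failed")
	}
	return Location{Zone: parts[2], Space: parts[3]}, nil
}

func main() {
	pub, priv, err := NewCityKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample sticker for a made-up zone and space.
	sticker, _ := BuildQRPayload(priv, "HOU-DT-12", "0457")
	fmt.Println("sticker payload:", sticker)

	// Genuine sticker: app shows "Zone HOU-DT-12, space 0457, confirm?".
	loc, err := VerifyQRPayload(pub, sticker)
	fmt.Printf("genuine: %+v err=%v\n", loc, err)

	// Scam sticker carrying an arbitrary URL: rejected before any action.
	_, err = VerifyQRPayload(pub, "https://example.invalid/pay")
	fmt.Println("url sticker:", err)

	// Genuine sticker copied from one space and edited to another: rejected.
	_, err = VerifyQRPayload(pub, strings.Replace(sticker, ":0457:", ":0475:", 1))
	fmt.Println("edited space:", err)
}
```

The confirmation step is deliberate: even a valid signature only tells the app which space the sticker was printed for, so the app still asks the driver to confirm the zone and space before charging anything, which also defeats the "every sticker points at the attacker's own space" variant raised in the reply below only if the displayed space is checked against the posted space number.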
| jjnoakes wrote:
| Maybe I'm dense but couldn't an attacker just put a qr code
| sticker over every space that all pointed to their own space?
| Then everyone would be paying for the attacker's parking.
|
| I suppose this is harder to pull off with a lower benefit,
| and a higher chance of getting caught (i.e. fast acting law
| enforcement would know which car was in the free space).
|
| To mitigate this, you might need space numbers posted. This
| is easy to verify that each space is different. But at this
| point, why even have a QR code?
| Ekaros wrote:
| In Finland from my experience the app is most frictionless way.
| And one of the few apps I actually like to use. I have two
| downloaded on my phone, I enable location. Wait for it to get
| general area, it has my credit card and plate number stored. I
| set time and start it. Then when I get back to car I can just
| stop there and get billed exact time. No dealing with coins or
| paying at meter or guessing how long I will take.
| brewdad wrote:
| Once you've used the app once, payment becomes quite
| frictionless with an app. Without the app, I need to locate the
| pay station. Wait for anyone ahead of me already at the pay
| station. Then determine if it's the old type that issues a
| paper window ticket or the newer type that uses your license
| plate. If it's the new type, I have to enter my license plate
| info, taking care to remember not to transpose the two digits
| that always trip me up. If it's the old type, I have to wait
| for the ticket to print then return to my vehicle and place it
| in the proper spot in my door window sill taking care not to
| let it fall out when I close the door. Then I have to remember
| what time I need to move my car or add more time and return to
| the pay station to do so.
|
| With the app, I have to do all of that once and the app
| remembers everything for me. If I am driving my wife's car, I
| don't have to try to remember her plate number. I can pay for
| my parking while walking to wherever I am going and I'll get a
| notification 5 minutes before my payment expires and can add
| time right where I stand at that moment. Parking apps can be
| great though it is annoying that every town seems to have their
| own app or payment provider.
| reaperducer wrote:
| _I'm not sure why government agencies should require people to
| download an app just to pay a parking fee instead of making
| things as frictionless as possible (I live in Australia, we
| have the same issue here)_
|
| In some cities the parking meters are run by a private company.
|
| Chicago, for example, leased its parking meters to an
| Australian company. (Or Spanish. I forget, one got the parking
| meters the other got the Skyway) In exchange for an up-front
| payment to the city, the private company gets to run the
| parking meters almost any way they want.
|
| This includes raising prices.
|
| Or worse, in the Chicago example, the parking meter company
| successfully sued the city and now Chicago isn't allowed to
| permit the construction of any new public parking garages in
| the downtown core, because that would hurt the parking meter
| business. The only new garages that are permitted are for new
| residential buildings and a calculated number of spaces
| exclusively for office buildings for hotels.
| colinmhayes wrote:
| Abu Dhabi owns the parking rights in Chicago. Personally I
| think having a private company control parking
| rates/enforcement makes sense because parking costs should be
| much higher than they currently are but that's not
| politically viable. By pawning the bad press onto some
| company politicians can avoid the downsides while pricing
| parking properly. Unfortunately Chicago is full of corrupt
| politicians who negotiated an unbelievably bad deal for the
| city, agreed that the biggest problem is that the city can
| never get rid of street parking or add garages.
| emptybottle wrote:
| Some train parking lot systems would be vulnerable to this too.
|
| I've parked in lots where you enter the parking spot number and
| payment into a website. There is no physical confirmation, and it
| would be trivial to put a QR code on the parking information
| sign.
|
| Especially because typically people are walking into the station
| while paying, and not standing in front of the sign double
| checking the details.
|
| Insult to injury, the UI on the legit system is so bad and slow
| that scammers wouldn't even need to try to replicate what exists.
| Basically anything else would be an improvement.
| meatroll wrote:
| I replace public QR codes with stickers to meatspin.com
|
| I did it for the lulz but now I think it may be a public service,
| getting people to blindly trust these things a little less
| trevcanhuman wrote:
| Anyone else thought the title said _scanners_ instead of
| scammers? Was a little surprised when I reread the title.
___________________________________________________________________
(page generated 2022-01-05 23:00 UTC)