Criminals use fake QR codes on parking meters to divert payments

M.Sc. Chris Wojzechowski (IT-Risk Manager, IT-Grundschutz Practitioner (TÜV))

Fake QR codes are being placed on parking meters in the United States to divert payments, even though the affected cities do not use QR codes for payment processing at all. The first cases have surfaced in Austin, Houston and San Antonio. It is to be expected that this method will find its way to Europe.

You cannot tell by looking at a QR code whether it is trustworthy. The small black and white squares often hide long URLs, so long that no one could reasonably be expected to type them. Giving a QR code a feature that lets the person scanning it verify the authenticity of the issuer remains a challenge.

The typical cat-and-mouse game now reaches QR codes in parking lots

Criminals are always one step ahead. That doesn’t mean they won’t get caught; rather, it means that attention is drawn to problems that no one thought of during development. With electromobility on the rise, parking meters becoming networked, and other features being made available, such as solving parking issues by texting the city, people’s reluctance to scan a QR code to make a payment is decreasing.

Fake QR codes were discovered at over 100 pay stations in the city of San Antonio. In Austin, the fake QR codes were spotted at 29 of 900 pay stations, as the official press release also states. Those who scanned the code were directed to a “Quick Pay Parking” website. The domain “passportlab[.]com” is now offline. It is not possible to determine how many people fell for the scam.

Affected cities do not use QR codes for payment processing at all

The criminals had an especially easy job because the cities offer no way to pay through this channel. There were no genuine QR codes to paste over or remove; they simply weren’t there, and applying a fake code takes only a few seconds. The cities’ recommendation is to forgo QR code payments. Instead, the money should be paid directly, preferably in cash.

My name is Chris Wojzechowski and I am one of two managing directors of AWARE7 GmbH. Our butter & bread business is performing penetration tests. We are also committed to a broad understanding of IT security in Europe and for this reason we offer the majority of our products free of charge.