2021 / Awareness

Criminals use fake QR codes on parking meters to divert payments

Criminals use fake QR codes on parking meters to divert payments

Fake QR codes are being placed on parking meters in the States to divert payments. Yet cities don’t even have QR codes in place for payment processing. The first cases have surfaced in Austin, Houston and San Antonio. It is to be expected that this method will find its way to Europe.

A QR code cannot be seen for its seriousness. Often long URLs are hidden behind the white or black small squares. So long that no one could reasonably be expected to type them. But it is a challenge to provide the QR code with a quality feature to verify its authenticity of the issuer.

The typical cat-and-mouse game now reaches QR codes in parking lots

Criminals are always one step ahead. That doesn’t mean you won’t get caught – rather, it means that attention will be drawn to problems that no one thought of during development. With electromobility on the rise, parking meters becoming networked, and other features being made available, such as solving parking issues by texting the city, the inhibition to scan QR codes to make a payment is decreasing.

Fake QR codes were discovered at over 100 pay stations in the city of San Antonio. In Austin, the wrong QR codes were spotted at 29 of 900 pay stations. This was also presented in the official press release. Those who scanned the code were directed to a “Quick Pay Parking” website. The domain “passportlab[.]com” is now offline. With these 9 tips you can recognize dubious websites. However, it is not possible to determine how many fell for the scam.

You are currently viewing a placeholder content from Default. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information

Affected cities do not use QR codes for payment processing at all

It was made especially easy for the criminals by the fact that there is no way to make the payment through this channel. So there was no need to paste over or remove QR codes – they simply weren’t there. This circumstance has made it quite simple. After all, only a few seconds are needed to apply the codes. The cities’ recommendation is to forgo QR code payments. On the other hand, the money should be paid directly, preferably in cash.

Photo of author

Chris Wojzechowski

Mein Name ist Chris Wojzechowski und ich habe vor wenigen Jahren meinen Master in Internet-Sicherheit in Gelsenkirchen studiert. Ich bin geschäftsführender Gesellschafter der AWARE7 GmbH und ausgebildeter IT-Risk Manager, IT-Grundschutz Praktiker (TÜV) und besitze die Prüfverfahrenskompetenz für § 8a BSIG. Unser Brot und Buttergeschäft ist die Durchführung von Penetrationstests. Wir setzen uns darüber hinaus für ein breites Verständnis für IT-Sicherheit in Europa ein und bieten aus diesem Grund den Großteil unserer Produkte kostenfrei an.