Criminals use fake QR codes on parking meters to divert payments
Criminals use fake QR codes to redirect payments. From the parking meter to the charging station, the problem can arise.
Chris Wojzechowski Geschäftsführender Gesellschafter TL;DR
Criminals in Austin, Houston, and San Antonio placed fake QR code stickers on parking meters, redirecting payments to a fraudulent website. The attack was particularly simple because the affected cities did not use QR codes for parking payments at all - there was nothing to replace, just new stickers to add. Over 100 pay stations were affected in San Antonio and 29 of 900 in Austin. The cities advise against QR code payments at parking meters and recommend paying directly, preferably in cash. The same method is applicable to EV charging stations and other payment terminals.
Table of Contents (2 sections)
Fake QR codes are being placed on parking meters in the States to divert payments. Yet cities don't even have QR codes in place for payment processing. The first cases have surfaced in Austin, Houston and San Antonio. It is to be expected that this method will find its way to Europe.
A QR code cannot be seen for its seriousness. Often long URLs are hidden behind the white or black small squares. So long that no one could reasonably be expected to type them. But it is a challenge to provide the QR code with a quality feature to verify its authenticity of the issuer.
The typical cat-and-mouse game now reaches QR codes in parking lots
Criminals are always one step ahead. That doesn't mean you won't get caught - rather, it means that attention will be drawn to problems that no one thought of during development. With electromobility on the rise, parking meters becoming networked, and other features being made available, such as solving parking issues by texting the city, the inhibition to scan QR codes to make a payment is decreasing.
Fake QR codes were discovered at over 100 pay stations in the city of San Antonio. In Austin, the wrong QR codes were spotted at 29 of 900 pay stations. This was also presented in the official press release. Those who scanned the code were directed to a "Quick Pay Parking" website. The domain "passportlab[.]com" is now offline. With these 9 tips you can recognize dubious websites. However, it is not possible to determine how many fell for the scam.
https://twitter.com/SATXPolice/status/1473025923951775755
Affected cities do not use QR codes for payment processing at all
It was made especially easy for the criminals by the fact that there is no way to make the payment through this channel. So there was no need to paste over or remove QR codes - they simply weren't there. This circumstance has made it quite simple. After all, only a few seconds are needed to apply the codes. The cities' recommendation is to forgo QR code payments. On the other hand, the money should be paid directly, preferably in cash.
Monthly Threat Report
Chris Wojzechowski bewertet einmal im Monat die aktuelle Bedrohungslage aus Sicht eines Informationssicherheitsexperten. Sein 30-köpfiges Team ist näher an realen Cyberbedrohungen dran als kaum jemand sonst - mit konkreten Handlungsempfehlungen, die Sie am nächsten Morgen umsetzen können.
Bestseller-Autor (Wiley-VCH) · M.Sc. Internet-Sicherheit · Bekannt aus Handelsblatt & WamS
Zuletzt behandelt
1x im Monat · Kein Spam · Jederzeit abbestellbar · Datenschutz
Next Step
Our certified security experts will advise you on the topics covered in this article — free and without obligation.
Free · 30 minutes · No obligation
