Comments

Eliot January 10, 2022 7:27 AM

Interesting, Bruce. Out here in Switzerland most of us use apps like ParkingPay, which has a back end account structure and location awareness so that you don’t actually scan anything. Now of course it is the case that apps have the opportunity to abuse their users, as Serge Egelman has repeatedly demonstrated. So… is the parking app more of a risk than being defrauded by a bogus QR code? Let’s hope that location awareness is only available to them when I use the app.

null clam January 10, 2022 8:02 AM

Toll roads in some places just take a look at your car as it runs on through and send you a bill at the end of the month.

Ted January 10, 2022 8:08 AM

Austin’s Transportation Dept has provided further guidance to parkers on this situation:

Never use a QR code to pay to park on Austin city streets. Use the Park ATX app or pay directly at a pay station. More info: austintexas.gov/paidparking

Although, IMO, the paid parking instructions are simpler in the tweet than they are on the website.

https://twitter.com/austinmobility/status/1478137648753659909

Clive Robinson January 10, 2022 8:32 AM

@ Bruce,

… warning about QR codes … that take people to fraudulent payment sites.

Begs a simple question,

How do users “verify” a QR code is “genuine”?

After all, what is to stop me setting up a fake site, and printing new stickers to put over the QR codes that appear to send a user to a valid site to download the “ATX App”, but actually downloads a “credential” or other “PPI” stealing App, that still makes correct payment to the Austin system but allows me to collect and sell user details in some manner…

Austin would get the money, the user would not get any “We will drag your lazy hass through court unless you pay $1000 immediately” type letters.

And I would have lots of nice data to re-package and market…

Thus the simple question of “verification” which is very hard to answer, unless you can establish a “root of trust” in some manner that is,

1. Foolproof in use.
2. Works against all attacks.

Most people will say something along the lines of “we need a hierarchical system”…

The only problem is that we have tried that with PubKey “Certificate Authorities” (CAs) and it’s not really worked out very well…
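As an added, defender-side illustration of the verification question raised above (example code, not from the post or any commenter): a triage routine that takes a URL decoded from a QR code and judges it against the one official host named in this thread, austintexas.gov. The sample payloads are constructed, and the lookalike heuristic is an assumption about how a sticker-over-the-meter URL would be dressed up.

```python
"""Triage a URL decoded from a QR code against a list of official hosts.

Added example; the only real value is the city's domain, austintexas.gov,
quoted elsewhere in the thread. All sample payloads are constructed.
"""
from urllib.parse import urlsplit

# Hosts the city actually controls (from the thread; a real list would be
# published by the city, not hard-coded by the user).
OFFICIAL_HOSTS = {"austintexas.gov"}


def _host_is_official(host, official):
    # Exact match or a subdomain of an official host, e.g. parking.austintexas.gov.
    return any(host == o or host.endswith("." + o) for o in official)


def triage_qr_url(payload, official=OFFICIAL_HOSTS):
    """Return one of: not-a-url, insecure-scheme, official, lookalike, untrusted."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return "not-a-url"          # wifi:, mailto:, bare text, etc.
    # "https://austintexas.gov@pay-meter.example/" puts the official name in
    # the userinfo part; the browser still goes to pay-meter.example.
    if parts.username is not None:
        return "lookalike"
    host = parts.hostname.lower().rstrip(".")
    if _host_is_official(host, official):
        return "official" if scheme == "https" else "insecure-scheme"
    # Heuristic (assumption): the official name's first label embedded in an
    # unrelated host, e.g. austintexas-gov.pay-meter.example, is the classic
    # fake-sticker pattern: looks right at a glance, resolves elsewhere.
    flattened = host.replace("-", "").replace("_", "")
    for o in official:
        if o.split(".")[0] in flattened:
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for sample in ("https://austintexas.gov/paidparking",
                   "https://austintexas-gov.pay-meter.example/",
                   "https://pay-meter.example/quickpay"):
        print(triage_qr_url(sample), sample)
```

Anything other than "official" is a reason to walk to the pay station or open the city's own app instead of following the code.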

Ted January 10, 2022 9:01 AM

Jason Redfern, parking division manager for the Austin Transportation Department, said that “We don’t use QR codes at all for this very reason, because they are easy to fake or place on the devices … And we heard from industry leaders that this would be a possibility.”

Authorities are also telling people not to take a picture of the QR code or hold their cellphone anywhere near it.

Austin workers checked more than 900 pay stations, and found fraudulent QR codes on 29 of them.

https://www.kxan.com/news/crime/apd-fraudulent-qr-codes-found-on-austin-public-parking-meters/

null clam January 10, 2022 9:26 AM

Or roving-robo-meter-maids. If houses can be vacuumed, parked cars can be billed. Hmm, actually, the robo-meter-thingy could also wash your vehicle, for an extra fee …

JonKnowsNothing January 10, 2022 10:01 AM

@Clive, @All

re: … the user would not get any “We will drag your lazy hass through court unless you pay $1000 immediately” type letters.

ROFLMAO – not even

You are more likely to have the car “booted” with a wheel clamp and then towed to an impound lot on the farthest edge of town without a bus stop within 5 miles of the place.

After you find which lot has your car, you have to arrange to go there because they do not answer phones and the registered car owner has to show up in person. After you spend some hours waiting, you may find out how much you will pay. Several thousand dollars isn’t uncommon.

And a letter?

Our US PostMaster has a “thing” about first class mail. He considers mail to be old fashioned and not worth delivering. He is interested in boxes, like AmzWalUP$ and from his view those are profitable. Letters are dead space fillers as are post office buildings.

The mail service employees do not agree and do their best to still deliver:

“Neither snow nor rain nor heat nor gloom of night stays these couriers from the swift completion of their appointed rounds”

Champs January 10, 2022 11:05 AM

For the longest time, if we can call COVID era dining long enough, I’ve been tempted to replace the codes at restaurant tables with a link to Never Gonna Give You Up. Then I saw that there are Rickroll QR codes all over the internet, and if that didn’t alert people to the vulnerability I don’t know what would.

Chelloveck January 10, 2022 12:48 PM

@Eliot: The article says that the legit Austin system has nothing to scan, either. The QR codes are just put there by scammers to trick people into thinking they do. They resolve to web sites that look some degree of official and tell you to pay by credit card or something. If you’re not intimately aware of how Austin’s parking meters actually work you’re vulnerable to the scam. Residents of the city probably aren’t taken in, but anyone from out of town (including people from nearby towns who only go into the city infrequently) won’t be likely to know that the Austin system doesn’t require or support scanning a code.

@dbCooper: Cash? What is this, the 20th century? The Austin meters do take coins, but how many people carry pockets full of loose change any more? Some cities have numbered spots and a central kiosk where you can pay. If the number post has a QR code that says “Scan to pay!” it’s likely that many people won’t even notice that the kiosk exists.

Marcy January 10, 2022 2:36 PM

Simple solution, pay with cash.

The cool new thing is parking lots that don’t take cash, sometimes don’t even take cards directly. Install the app or don’t park there (and hope there’s usable parking nearby). Unlike cash-free retail stores, which some cities have banned on the theory that they discriminate against the poor, parking doesn’t get much attention—possibly because nobody expects the poor to have cars.

The Austin meters do take coins, but how many people carry pockets full of loose change any more?

People who want privacy are still carrying cash (even with license plates visible, at least the banks aren’t getting that data). Bill acceptors and change dispensers are mature technology, and cash isn’t hard to get, so if people cared there’d be no problem.

null clam January 10, 2022 3:02 PM

@ Marcy all

Re: app

It puzzles me why an app is the solution they go to. It’s a proxy for the presence of a car. One doesn’t know if the car is really there taking up valuable parking square footage. Why don’t they just use some system to detect the car and be done, no phones, apps, registrations, app use etc.? Regarding privacy, isn’t it invaded either way?

MikeA January 10, 2022 4:31 PM

@Marcy et al.

People who want privacy are still carrying cash (even with license plates visible, at least the banks aren’t getting that data). Bill acceptors and change dispensers are mature technology, and cash isn’t hard to get, so if people cared there’d be no problem.

I suggest you not try paying with cash for parking meters in San Francisco, or at least some of them. While they claim to accept coins (and indeed one can insert coins), the coins have no effect, and there is apparently no “escrow pocket” from which they can be returned. You are just out however much you inserted before checking how much time you got (none).

You still have some other options, and have learnt a valuable lesson. Perhaps “assuming that anybody but you cares about your losing money” is no longer viable.

Clive Robinson January 10, 2022 4:42 PM

@ ALL,

Fun side story about “Automatic Plate Recognition” (ANPR / ALPR) and what is and is not legally the “public highway”.

In most countries number/licence plates are not a requirement to be on the vehicle (the VIN is though). The plate only becomes a requirement on some public use roads, which they are is jurisdiction dependent (in the UK farm vehicles can under certain circumstances drive on the roads without being registered etc., similarly plant/construction vehicles).

In many places “car parks” are technically not “public highway” so no plate is required. So you could have any old piece of junk there… But not a valid licence plate for the country that belongs to somebody else’s vehicle, because that is grounds for “passing off” or fraud.

I’m not going to say which European Nation this occurred in, but it can be done in many, because of a legal loophole.

In many cases the access road to a car park is not public highway. So you could stop on it and legally take your number plate off as it’s not required. You could also cover it with a “vanity plate” or similar.

But you could also replace the plate with another valid plate…

But… You’re probably saying vehicles don’t have more than one set of valid plates… Well they can, because of different jurisdictions.

Plates get changed annually in some countries to show road tax has been paid. This is an annual event in most places, but… Most countries require a foreign vehicle to be registered after as little as three months…

So, like some people have more than one nation’s passport, vehicles can be registered in two or more countries.

So the loophole is that ANPR uses the licence plate to identify the vehicle. If you go in with foreign plates, legally there is nothing the ANPR company can do, unless it can make valid enquiries in the country where the plate was issued. Some countries don’t release that information to foreign enquirers.

Therefore many ANPR companies had to swallow the cost of losing a bit of revenue.

More interestingly, if you go about it the right way they can not impound or immobilize your vehicle either (a dubious right the companies frequently lie about).

Someone I know spends their time moving from country to country in Continental Europe as they are a “contractor”. They explained the fun side of these things, like for instance sub-equatorial African nations’ plates, and where business premises are called “apartments” or “studios” etc. and private post office boxes are to be found in such places… So to “western eyes” they look like household addresses…

As he pointed out though, doing such things is a lot of “faff” so requires a certain mindset… But there are some who can and do “yank chains” for what they see as good and proper reasons (he knows I’m a “cash only” person and why, which is why he told me about the loophole and the fun that can be had with it).

Marcy January 10, 2022 7:25 PM

I suggest you not try paying with cash for parking meters in San Francisco, or at least some of them. While they claim to accept coins (and indeed one can insert coins), the coins have no effect, and there is apparently no “escrow pocket” from which they can be returned.

Could SF perhaps have their own version of token sucking? It might be worth dropping a washer in before a coin, to check for clogs (or just a low-value coin like a penny—probably cheaper than a washer, and not good for much else).

I had a similar thought to Clive that license plates are not usually required on private property, though it seems an inconvenient loophole to exploit regularly. With regard to unregistered vehicles, apparently rural Swedish teens build their own “pickup trucks” to drive without a license: “15-year-olds are allowed to drive virtually any type of car if it’s been converted into a two-seater pickup, and modified to top out at [30 km/h]. These home-made pickups are considered tractors by Swedish law, …”

Jon January 11, 2022 2:48 AM

@ null clam

A couple of places – What’s to stop the wrong person from billing you? Now the tollbooth has two scanners – which is right? And how long will both get away with it?

@ dbcooper

These aren’t tollbooths that accept cash anymore. They’re walled off. You couldn’t pay if you wanted to. There are no tollbooth keepers.

Bob Paddock January 11, 2022 11:59 AM

@Clive

“… Your probably saying vehicles don’t have more than one set of valid plates… Well they can because of different jurisdictions. …”

One of the old B&W Gangster Movies mounted three plates on a diamond shaped spinning mount. A button in the cabin let the driver pick which of the three plates was visible.

I’ve often thought of making some kind of Plate Overlay with an X/Y Grid for making text. Ideally something not visible to the Human eye but would show up on a plate/traffic light camera. Send such cameras thoughtful messages that way…
I know there are some Physics issues here, why let those stand in the way…

Jon January 11, 2022 5:52 PM

@ Bob Paddock

One of James Bond (007)’s Aston Martins had the same ‘feature’.

And I’m honestly not too sure it’s unlawful. If you have a set of addresses, in various states, and trot the title of the car down to the Department of Motor Vehicles (or equivalent) and pay for registration in each state, a car could perfectly lawfully have at least fifty valid registrations in the USA.

(A couple more, because Puerto Rico, Guam, &c., and there exist federal license plates as well, although they’re rare). J.

Chad Ostreicher January 12, 2022 11:25 PM

The city of Austin needs to either hire people to find and remove the fake QR codes and send an SMS or a letter to every citizen warning them about the scam. Because busy people aren’t going to think twice about scanning a QR code that looks legit to make payment.
