QR code insanity
-
Of course abuse of QR codes is obvious. QR codes can be phishing scams in disguise, warns the FTC - The Verge[^] But I encounter this real scenario.... Went to park at a downtown parking lot that I had not parked at for quite some time (pre-covid probably). Before there used to be credit card reader kiosk. Those have been around for a while. Now all there is is a sign, rather large one, with a message like 'Use the QR code to pay'. Then of course a QR code. It is trivially simple to print out a QR code and just cover up the real one. Not even sure in this case that replacing it would require more than just someone that was a bit taller than average. One could likely do that on quite a few lots in one night. It would be days or even weeks before anyone figured it out. Even if a diligent check of proceeds from one lot showed reduced revenue I bet figuring out why would take some time and one lot owner would probably just fix their own lots. And they would be unlikely to rescind tickets, handed out of course because the real QR code wasn't used, unless a government agency started getting involved. Perhaps not even then.
-
Of course abuse of QR codes is obvious. QR codes can be phishing scams in disguise, warns the FTC - The Verge[^] But I encounter this real scenario.... Went to park at a downtown parking lot that I had not parked at for quite some time (pre-covid probably). Before there used to be credit card reader kiosk. Those have been around for a while. Now all there is is a sign, rather large one, with a message like 'Use the QR code to pay'. Then of course a QR code. It is trivially simple to print out a QR code and just cover up the real one. Not even sure in this case that replacing it would require more than just someone that was a bit taller than average. One could likely do that on quite a few lots in one night. It would be days or even weeks before anyone figured it out. Even if a diligent check of proceeds from one lot showed reduced revenue I bet figuring out why would take some time and one lot owner would probably just fix their own lots. And they would be unlikely to rescind tickets, handed out of course because the real QR code wasn't used, unless a government agency started getting involved. Perhaps not even then.
-
Of course abuse of QR codes is obvious. QR codes can be phishing scams in disguise, warns the FTC - The Verge[^] But I encounter this real scenario.... Went to park at a downtown parking lot that I had not parked at for quite some time (pre-covid probably). Before there used to be credit card reader kiosk. Those have been around for a while. Now all there is is a sign, rather large one, with a message like 'Use the QR code to pay'. Then of course a QR code. It is trivially simple to print out a QR code and just cover up the real one. Not even sure in this case that replacing it would require more than just someone that was a bit taller than average. One could likely do that on quite a few lots in one night. It would be days or even weeks before anyone figured it out. Even if a diligent check of proceeds from one lot showed reduced revenue I bet figuring out why would take some time and one lot owner would probably just fix their own lots. And they would be unlikely to rescind tickets, handed out of course because the real QR code wasn't used, unless a government agency started getting involved. Perhaps not even then.
-
So this lot has an honor system for paying? No gate at the exit that requires some confirmation of payment (ex. a "paid" ticket be inserted / scanned)?
-
Of course abuse of QR codes is obvious. QR codes can be phishing scams in disguise, warns the FTC - The Verge[^] But I encounter this real scenario.... Went to park at a downtown parking lot that I had not parked at for quite some time (pre-covid probably). Before there used to be credit card reader kiosk. Those have been around for a while. Now all there is is a sign, rather large one, with a message like 'Use the QR code to pay'. Then of course a QR code. It is trivially simple to print out a QR code and just cover up the real one. Not even sure in this case that replacing it would require more than just someone that was a bit taller than average. One could likely do that on quite a few lots in one night. It would be days or even weeks before anyone figured it out. Even if a diligent check of proceeds from one lot showed reduced revenue I bet figuring out why would take some time and one lot owner would probably just fix their own lots. And they would be unlikely to rescind tickets, handed out of course because the real QR code wasn't used, unless a government agency started getting involved. Perhaps not even then.
Does there still exist a way to pay without the QR code? There's times when QR codes are helpful/useful but when that's the only option, that's a problem. There's an assumption that everyone has a smart-phone, and that's not true. There's a number of people that don't even own a cell-phone, never mind a smart phone. And that doesn't include the lost, forgotten, broken, or out of juice phones. And, as you point out, there's many ways that this could be abused. And if you and I can think of ways to abuse this, then you know that others with far fewer scruples are thinking about it, too.
"A little song, a little dance, a little seltzer down your pants" Chuckles the clown
-
There has to be more to it than that. Most car parks use ANPR, so the driver would need to connect his payment to the car's index plate in some way.
-
So this lot has an honor system for paying? No gate at the exit that requires some confirmation of payment (ex. a "paid" ticket be inserted / scanned)?
lot of places use honor system. No need to maintain a gate that's always broken or a pay booth that never works. Street side parking with parking meters also work that way. You can take the chance that no one will come and check the meter, or just pay. we got stuck 30 minutes at an airport gate once with a long line of cars behind us waiting for the sole attendant to come in and fix the gate.
CI/CD = Continuous Impediment/Continuous Despair
-
Richard MacCutchan wrote:
Most car parks use ANPR
Not in my little slice of the world. Our parking lots are either 100% free or they issue a ticket upon arrival that needs to be paid upon leaving.
-
lot of places use honor system. No need to maintain a gate that's always broken or a pay booth that never works. Street side parking with parking meters also work that way. You can take the chance that no one will come and check the meter, or just pay. we got stuck 30 minutes at an airport gate once with a long line of cars behind us waiting for the sole attendant to come in and fix the gate.
CI/CD = Continuous Impediment/Continuous Despair
Maximilien wrote:
No need to maintain a gate that's always broken or a pay booth that never works.
Instead they get to maintain an electronic payment system (that can be easily hacked) and automatic systems to scan license plates and issue tickets. Poe-tay-toe vs. Puh-tah-toe.
-
Over here they have all switched to ANPR. And in some places you also need a parking app on your mobile phone in order to pay.
-
Maximilien wrote:
No need to maintain a gate that's always broken or a pay booth that never works.
Instead they get to maintain an electronic payment system (that can be easily hacked) and automatic systems to scan license plates and issue tickets. Poe-tay-toe vs. Puh-tah-toe.
-
Does there still exist a way to pay without the QR code? There's times when QR codes are helpful/useful but when that's the only option, that's a problem. There's an assumption that everyone has a smart-phone, and that's not true. There's a number of people that don't even own a cell-phone, never mind a smart phone. And that doesn't include the lost, forgotten, broken, or out of juice phones. And, as you point out, there's many ways that this could be abused. And if you and I can think of ways to abuse this, then you know that others with far fewer scruples are thinking about it, too.
"A little song, a little dance, a little seltzer down your pants" Chuckles the clown
-
k5054 wrote:
There's a number of people that don't even own a cell-phone, never mind a smart phone
I have a phone. It's just never had a sim card put in it. Still great for "everything else".
-
Of course abuse of QR codes is obvious. QR codes can be phishing scams in disguise, warns the FTC - The Verge[^] But I encounter this real scenario.... Went to park at a downtown parking lot that I had not parked at for quite some time (pre-covid probably). Before there used to be credit card reader kiosk. Those have been around for a while. Now all there is is a sign, rather large one, with a message like 'Use the QR code to pay'. Then of course a QR code. It is trivially simple to print out a QR code and just cover up the real one. Not even sure in this case that replacing it would require more than just someone that was a bit taller than average. One could likely do that on quite a few lots in one night. It would be days or even weeks before anyone figured it out. Even if a diligent check of proceeds from one lot showed reduced revenue I bet figuring out why would take some time and one lot owner would probably just fix their own lots. And they would be unlikely to rescind tickets, handed out of course because the real QR code wasn't used, unless a government agency started getting involved. Perhaps not even then.
I live in India, and here, we have the [UPI: Unified Payments Interface - Instant Mobile Payments | NPCI](https://www.npci.org.in/what-we-do/upi/product-overview) When a QR code is scanned, and used for payment, it shows the name of the recipient (on my mobile), and I can refuse to pay if the name looks fishy. The UPI payment system is indeed a robust one.
-
I live in India, and here, we have the [UPI: Unified Payments Interface - Instant Mobile Payments | NPCI](https://www.npci.org.in/what-we-do/upi/product-overview) When a QR code is scanned, and used for payment, it shows the name of the recipient (on my mobile), and I can refuse to pay if the name looks fishy. The UPI payment system is indeed a robust one.
I guess that requires mobile phone coverage, supporting all the various standard of all potential customers. Maybe 100% geographical smartphone coverage is the top priority development goal of every country in the world, ahead of health care, decent and healthy food, education and housing. I read a claim a few days ago that 90% of all adults on earth own a smartphone. I am not sure that I believe that figure, but my impression is that less than 90% have decent health care, food, education and housing. Maybe having a smartphone will help them forget their uncovered needs. Having mobile technology available as an option is great, but I really dislike how we make ourselves (read: the entire world) totally dependent on it working flawlessly at any time, and is available to every one of us at any time. When I go out for a walk, or go downtown shopping, or whatever, I usually leave my smartphone at home. (Except when I go out with friends who take for granted that they can carry on a conversation with me through texting if the noise at the pub gets so loud that we have problems hearing each other across the table, so we use SMS for chatting :-))
-
In rural parts of the Southern United States it's pronounced Tayter. Actually, my Maw-Maw (father's mother) said Eyersh Tayters (Irish Potatoes, a russet or the like). The other kind were Sweet Tayters. We also have ink pens and straight pins because because pen and pin is pronounced pea-yen.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated. I’m begging you for the benefit of everyone, don’t be STUPID.
-
Over here they have all switched to ANPR. And in some places you also need a parking app on your mobile phone in order to pay.
The app is the key to hackers not being able to “easily” hack the QR code. The QR code has to match inside the app or else it doesn’t work. That’s why I thumbed up your message — not necessarily because QR codes are the best way to solve his problem. But, at least, the hacker cannot just replace the QR code and take payment. Although I guess, the hacker could replace the QR code and the unwitting victim who doesn’t know you need the app could just pay directly to the hacker so that may be a point too. Hmmm.. interesting.
-
Over here they have all switched to ANPR. And in some places you also need a parking app on your mobile phone in order to pay.
Here in Norway, toll road booths are history: If you do not have an car ID chip glued to your windshield (or they have problems reading it), they use ANPR. Same for most ferries: Car ID chip if you have got it, otherwise ANPR. Automatic speed ticketing has been using ANPR since the day of dawn. For a number of years, foreign cars could do as they like - park anywhere. drive at any speed, drive on toll roads ... Ferries were the last to go to ANPR. At that time, international coordination had come so far that you would find a bill in your mailbox when returning home. If you haven't already got an ID chip in your car (of the standard used in Europe), you can get one at the customs office at the national border, and tell which account to charge for all parking, toll roads, ferries etc., and you don't have to worry about it. Some indoor parking houses have been using ANPR for many years. After I scrapped my old car, 6 years ago, I received a dozen of tickets from one parking house 500 km from here, for having driven off without paying. Before scrapping the car, I tried to sell it through a web site, presenting photos with the number plates visible. Obviously, someone had figured that with a felt tip pen, they could change their registration plates to resemble my number, and the arguments would be between the buyer of my car and me. I found no buyer, and scrapped the car. Only with the formal documents showing that the car had been demolished days and weeks before even the first parking ticket, did I avoid going to court for not paying my debts. The only bad thing is that you are tracked 'all the time', anywhere any service finds a reason to read your car's ID chip or number plate. That is almost everywhere, especially around big towns and along big highways, with a lot of toll stations. I don't like being tracked and monitored everywhere; it gives me a feeling of Big Brother. Maybe even scarier is if you can persuade young people to actually read 1984, and they fail to see the point, 'Yes, they knew where Winston was at any time, and what he was doing. What's the real problem? We do that all the time!'
-
The app is the key to hackers not being able to “easily” hack the QR code. The QR code has to match inside the app or else it doesn’t work. That’s why I thumbed up your message — not necessarily because QR codes are the best way to solve his problem. But, at least, the hacker cannot just replace the QR code and take payment. Although I guess, the hacker could replace the QR code and the unwitting victim who doesn’t know you need the app could just pay directly to the hacker so that may be a point too. Hmmm.. interesting.
The QR code itself, at the physical level, is just an encoding of a bit stream, length given by the size (in b/w squares) of the code. Go up one (or two) levels, and first bits are a tag indicating the meaning, or semantics, of the rest of the bit stream. It doesn't have to be a URL, but that is what most people have seen it as. If it really is a URL (which is quite likely) to a web service for the user to transfer money from his bank account to the parking service, replacing it with a URL to another web service for the user to transfer money from his bank account to someone else's bank account is not that difficult. As long as you need to establish some contractual agreement with the parking lot before parking there, you can in theory have a white list of money recipients, to prevent this kind of fraud - but it doesn't work in practice: There will be lots of parking lots where you do not have any prior agreement, so you have to accept the web service that comes up when you go to the QR supplied URL. There is no easy way for you to know whether it is real or fake. In the metal days, you could be reasonably sure that the coins you dropped into the slot actually landed in the money box of the parking lot owner. Today you can't be that certain about the owner receiving the right bits. I sort of trust(ed) coins a lot more.