QR code scam in station car park

[geoffk]

This from BBC News:

A woman fell victim to fraudsters in a £13,000 train station QR code scam.
Fraudsters are thought to have covered a genuine code with one of their own in Thornaby station car park.
That sent her to a fake website allowing them to redirect payments and card information, resulting in the victim, 71, losing thousands of pounds.
Rail firm TransPennine Express removed all QR codes from its station car parks in September following reports of similar scams across the country.

Thornaby: Woman targeted in £13k railway station QR code scam

Rail firm TransPennine Express has since removed QR codes from all of its station car parks.

www.bbc.co.uk

My main purpose in posting this is to ask whether there was a card payment option at this car park (in which case a QR code is not needed)?

Surely all car parks should have a card payment option (whether on the railway or not)?

 

[Gwr12345]

TPE managed car parks I think don't have machines, you can only pay online

 

[stuu]

Just saw this story... quite the scam, QR codes often link to a shortened URL, in my experience, which is hard to tell if it's legitimate. Must have happened before, and no doubt a few crooks will be coming up with their own plans having seen this story. One to watch out for

 

[1D54]

Who is responsible for this? Surely this poor woman will be reimbursed, it's not as if she naively was giving bank details over her phone from home.

 

[zwk500]

Who is responsible for this? Surely this poor woman will be reimbursed, it's not as if she naively was giving bank details over her phone from home.

Allocating responsibility is a difficult thing to do in this case, because the bank did initially block some payments, then the scammers rang her up and convinced her the payments were legitimate by posing as bank staff to obtain the necessary details to persuade the bank to release the transactions.

So, IMHO:
- The scammers have ultimate responsibility as if they'd not acted it'd have never happened. They should be identified and prosecuted and have the book thrown at them.
- TPE have some responsibility for a relatively easy method to 'cuckoo'. They appear to have acted quickly to remove the vulnerability.
- The bank have some responsibility for failing to properly check a transaction they suspected was fraudulent. The article didn't appear to mention if their processes would be reviewed.
- And the victim has a tiny part of responsibility for handing over details after the bank has intercepted the fraud to allow it to continue.

 

[ChrisC]

TPE managed car parks I think don't have machines, you can only pay online

I hadn’t realised that. Are there any other TOC‘s that don’t have machines in their car parks? I‘d hate to arrive at a station car park to find that I couldn’t pay with cash or card. I’ve never been able to work out how to pay a bill using a QR code in a restaurant! I avoid car parks where a parking app is required even if it means having to walk quite a distance. There should be a choice of payment methods.

 

[Mojo]

Presumably the unfortunate victim would also have been liable to receive a penalty from the car park operator also.

 

[Brush 4]

There should always be a choice of payment methods. I won't use any car parks where pay by phone is the only option. This may mean that shops or TOC's miss out on business, although of course they will never know what quiet decisions people make or, why they have made them.

 

[Lemmy99uk]

Who is responsible for this? Surely this poor woman will be reimbursed, it's not as if she naively was giving bank details over her phone from home.

If you read the article it tells you that all fraudulent transactions were refunded.

 

[Re 4/4]

I'm told the problem with pay by card is the older generation of machines uses the 2G (I think) phone network which will soon be switched off.

I'm sure it's possible to make a newer generation of parking meters - maybe SumUp could enter this business - but at the moment the operators can save money by putting the cost of providing payment infrastructure onto consumers by demanding "your phone, our app". I know we've had this discussion about train tickets in the past and my opinion remains that "app only" is not in the spirit of the Equality Act and I hope at some point this will be tested in court.

The danger from fraud like this just compounde the problem, we've spent years telling people not to click links in random emails and now we need to add don't point your phone at random QR codes - even if they look like they're on an official sign!

 

[1D54]

If you read the article it tells you that all fraudulent transactions were refunded.

Yep sorry about that, just read it on a news feed on the phone and it didn't give much detail. Very happy she has been sorted but there are people out there who are becoming very rich off seemingly the easiest of scams and it makes my blood boil.

 

[johntea]

Northern use RingGo these days which has an app but also a phone payment option I believe

Maybe they could add some functionality to pay for parking using the TVMs

 

[Re 4/4]

Is RingGo the one with the horrible robot on the other end that doesn't pick up your car reg number if you have a slightly foreign accent?

 

[The exile]

TPE managed car parks I think don't have machines, you can only pay online

Which is absolutely disgraceful.

 

[ChrisC]

Maybe they could add some functionality to pay for parking using the TVMs

A good idea. I’d be quite happy to pay for parking at the TVM by either cash or card. I wouldn’t think that would be too difficult to introduce.

 

[Re 4/4]

That sounds like a very reasonable suggestion! Avoids having to install separate electricity/comms infrastructure when you've already got machine with card reader and touchscreen and a way of printing receipts.

 

[pokemonsuper9]

That sounds like a very reasonable suggestion! Avoids having to install separate electricity/comms infrastructure when you've already got machine with card reader and touchscreen and a way of printing receipts.

I think I recall seeing a small ticket-like card for train station parking at some point, so it might be relatively easy to add, unfortunately can't remember where.

 

[The exile]

That sounds like a very reasonable suggestion! Avoids having to install separate electricity/comms infrastructure when you've already got machine with card reader and touchscreen and a way of printing receipts.

Sure SWT /SWR have had exactly that for ages.

 

[Lucan]

we need to add don't point your phone at random QR codes - even if they look like they're on an official sign!

It didn't "look like" it was on an official sign, it was on an official sign. So it was not a random QR code. Trouble is that most people and organisations are falling over themselves to do things by smart phone. People think "Gee-whizz - smartphone!!" and the organisations think "Great, I have a foothold into that individual's life!". But no-one is thinking through all he security ramifications - except that scammers are thinking it through only too well. But they did not need to be geniuses to think of putting a different QR sticker over the original.

I do have a smartphone, but use it as little as possible and I will keep it that way for as long as possible. I realise that in time it will be impossible not to use it for everything.

 

[The exile]

It didn't "look like" it was on an official sign, it was on an official sign. So it was not a random QR code. Trouble is that most people and organisations are falling over themselves to do things by smart phone. People think "Gee-whizz - smartphone!!" and the organisations think "Great, I have a foothold into that individual's life!". But no-one is thinking through all he security ramifications - except that scammers are thinking it through only too well. But they did not need to be geniuses to think of putting a different QR sticker over the original.

And of course official signs are often officially amended using stickers….

 

[silverfoxcc]

I use paybyphone app at Hayes and Harlington ( mostly) and a few others.. No problem at all

 

[jbqfc]

you can pay for parking at Crawley at the TVM but none of the signs tell you this

 

[Lucan]

And of course official signs are often officially amended using stickers….

The sticker can be very subtle. For example the fake QR diagram could be slightly larger than the original but cut exactly at the edge of the chequer area, making it dificult to see or otherwise detect the edge unless you feel with a finger nail, and possibly not even then. We are also talking about a 71 yo in this case whose eyesight might not be as good as it once was, let alone people with actual sight impairments.

 

[BlueLeanie]

Northern use RingGo these days which has an app but also a phone payment option I believe

Maybe they could add some functionality to pay for parking using the TVMs

At Chiltern Stations, you can pay for today, tomorrow and maybe a week's parking at the TVMs.

Not sure if it's an urban myth or not, but I've heard that the Moderator of the Church of Scotland has an Equal BIK to the Head of the Church of England. Neither are required to display a registration plate on their cars as a consequence of their job.

Apparently this is causing increasing problems for the Moderator when trying to pay for parking.

 

[randyrippley]

At Chiltern Stations, you can pay for today, tomorrow and maybe a week's parking at the TVMs.

Not sure if it's an urban myth or not, but I've heard that the Moderator of the Church of Scotland has an Equal BIK to the Head of the Church of England. Neither are required to display a registration plate on their cars as a consequence of their job.

Apparently this is causing increasing problems for the Moderator when trying to pay for parking.

If there's no registration plate then how is the car identified to issue the ticket?
Sounds like a fairy tale

 

[baz962]

I hadn’t realised that. Are there any other TOC‘s that don’t have machines in their car parks? I‘d hate to arrive at a station car park to find that I couldn’t pay with cash or card. I’ve never been able to work out how to pay a bill using a QR code in a restaurant! I avoid car parks where a parking app is required even if it means having to walk quite a distance. There should be a choice of payment methods.

Bedford I think no longer accept card or cash at least on one side. However the car parking company have an app and it's pretty good. I have all my cars registered on the app and I can even pay after getting the train as they allow you to pay upto 24 hours late.

 

[Jagdpanther]

Thus proving that cash is the way to go.

 

[Halwynd]

I've been aware of this scam for at least 2 years. The fact that Trans Pennine Express only removed these QR codes a couple of months ago in September, after the customer had fallen victim, speaks volumes about their attitude to exposing their customers to risk. When Chris Jackson said: 'we acted quickly...' then I'd suggest... well, actually, no you didn't.

It is the banks and other financial institutions who refund these losses. In this case I'd say any liability should have been put firmly and squarely on Trans Pennine Express.

 

[londonbridge]

If there's no registration plate then how is the car identified to issue the ticket?
Sounds like a fairy tale

On a related note, couple of weeks ago I was driving to football with my friend, we stopped at a Harvester for breakfast, it’s one of those where you enter your reg details into a machine at the reception counter, which he did….earlier this week he got a £100 penalty charge notice in the post.

 

[Egg Centric]

If there's no registration plate then how is the car identified to issue the ticket?
Sounds like a fairy tale

Plus the Archbishop of Canterbury managed to get a speeding fine so presumably does have a number plate