
QR code scam in station car park

Status
Not open for further replies.

sor

Member
Joined
15 Nov 2013
Messages
459
(There was a scam relating to this where they would leave the call open and you'd end up still talking to the scammer, but it can ONLY happen with a landline - with a mobile, if either end ends the call it does end, whereas with a landline the placer of the call has to end it - yet another case where the "tech" offers a more secure solution than the traditional situation)
It can't happen with a landline anymore either, IIRC it was only ever possible on BT anyway and they made the technical change (how long to wait between putting phone down and ending call) to make this impractical long ago, and the move to VoIP based landlines will allow other technical enhancements to further make the scammers' lives harder
 

Joined
21 May 2014
Messages
751
The same scam has been reported on local groups affecting a privately run car park next to Wolverhampton station - the "Corn Hill" car park.

Very clever scam which sort of really makes QR codes useless for any payment flow invitation. You could also easily do this in pubs and restaurants which have order at your table.

These QR codes when genuine rarely go to the company's site, but some 3rd party (often thru a URL shortener). So basically impossible for an end user to verify if the webpage/app is genuine.

And unlike most other scams, you're already expecting to pay for something and put your credit card details into whatever comes up.

Anecdotally, the same scam absolutely has been used in pubs/restaurants with a replacement QR code covering the original on the menu. It doesn't work as well as these parking signs as it's discovered quite quickly - the person who placed the order will soon go up to the bar and ask where their ham, egg and chips is.

It can't happen with a landline anymore either, IIRC it was only ever possible on BT anyway and they made the technical change (how long to wait between putting phone down and ending call) to make this impractical long ago, and the move to VoIP based landlines will allow other technical enhancements to further make the scammers' lives harder

Not quite - it occurred when the call is made from a Voice-over-IP network and relied on the networks involved in the call (deliberately or by misconfiguration) not handling the hang up signal correctly. It was mitigated by the type of change you described but can still occur and of course is made all the more potent by the fact that some Voice-over-IP networks will also allow you to "spoof" the number you're calling from / make a call from a number you don't own.
 

mrmartin

Member
Joined
17 Dec 2012
Messages
1,020
This was supposed to be the use case for EV SSL wasn't it? (people may remember that their address bar would go green / show the name of their bank when accessing online banking). Now deprecated.

Yes but I doubt this would even work. What if the parking is being provided by a subcontractor? Are people meant to know every legal entity involved? Or even a sub entity of the TOC if it was direct.

Anecdotally, the same scam absolutely has been used in pubs/restaurants with a replacement QR code covering the original on the menu. It doesn't work as well as these parking signs as it's discovered quite quickly - the person who placed the order will soon go up to the bar and ask where their ham, egg and chips is.

If they were really clever they'd go and do another order of the exact same stuff to your table after they got your banking details on the real site/app, with your card.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,570
Location
"Marston Vale mafia"
Given how obviously bad many scam emails/sites are I doubt it.

This does mean it's worth using apps, though - if you download the Spoons app from a curated App Store you know it's genuine.
 
Joined
21 May 2014
Messages
751
Given how obviously bad many scam emails/sites are I doubt it.

This does mean it's worth using apps, though - if you download the Spoons app from a curated App Store you know it's genuine.

Indeed - I suspect the services that were most vulnerable to this type of scam were those where a QR code linked to a mobile-responsive website, rather than an app downloaded from Google Play / Apple Appstore. Quite a few of these mobile responsive web apps were spun up during / shortly after COVID for table service as considered easier than creating and publishing an app. Possibly, the same is true of the car park payment services now too, though it's not an area I'm terribly familiar with.
 

Kite159

Veteran Member
Joined
27 Jan 2014
Messages
19,434
Location
West of Andover
.
For those ANPR-weary, the camera which scans the number plate is usually low down at the entrance, they don't continually track you around the car park (yet...). The current level of tracking is no different to the take-a-ticket car parks
Until you make a simple mistake when inputting a number plate (ie putting an 'O' instead of a '0'). Then the parasite will send you an invoice demanding money. Whereas having a proper P&D ticket such a minor mistake likely won't be noticed if the car park gets monitored.

(Which has a benefit of any issues with the car park potentially getting noticed, ie broken glass/fly tipping/broken lights, which ANPR won't pick up)
 

talldave

Established Member
Joined
24 Jan 2013
Messages
2,202
the legitimate apcoa connect app is so awful it feels like a scam

as someone with a background in computer security its officialness always felt slightly off to me

what the hell is apcoa? why has it not at least been white labelled with the train company's branding and behind e.g. thameslinkrailway.com

the surprise is it took the scammers this long to notice
Agree. Their (card) payment machines are similarly awful. I recently gave up trying to get their app going whilst standing in a chilly car park and used the machine instead.
 

Energy

Established Member
Joined
29 Dec 2018
Messages
4,600
Until you make a simple mistake when inputting a number plate (ie putting an 'O' instead of a '0'). Then the parasite will send you an invoice demanding money. Whereas having a proper P&D ticket such a minor mistake likely won't be noticed if the car park gets monitored.
This shouldn't be an issue. Number plates are of the format AA11 BBB, where A is any letter of the alphabet apart from I O U Z. B can be any letter.

Any good parking machine/app will not let you put 0 in B or put O in A (or the number) and will tell you the mistake. It's not surprising if parking firms deliberately allow this to catch people out but hopefully a TOC should handle it better.
 

sor

Member
Joined
15 Nov 2013
Messages
459
Not quite - it occurred when the call is made from a Voice-over-IP network and relied on the networks involved in the call (deliberately or by misconfiguration) not handling the hang up signal correctly. It was mitigated by the type of change you described but can still occur and of course is made all the more potent by the fact that some Voice-over-IP networks will also allow you to "spoof" the number you're calling from / make a call from a number you don't own.
It was intentional behaviour specific to BT's "legacy" PSTN network. All the chapter and verse you could want here - look at the history section where it mentions the changes to the timeout in 2014 and 2016. I am not aware of any VoIP based system allowing this behaviour, but happy to be corrected.

Caller ID spoofing is certainly possible today, though changes are happening slowly and the move to an entirely VoIP based infrastructure makes this much easier.
Until you make a simple mistake when inputting a number plate (ie putting an 'O' instead of a '0'). Then the parasite will send you an invoice demanding money. Whereas having a proper P&D ticket such a minor mistake likely won't be noticed if the car park gets monitored.

(Which has a benefit of any issues with the car park potentially getting noticed, ie broken glass/fly tipping/broken lights, which ANPR won't pick up)
At the precisely one (1) ANPR car park I've used, this is largely solved. The plate is read on entry and exit (ie if you've paid it'll open the barrier automatically), and it is printed on the ticket, which you still use to pay for parking as you make your way back to the car. There is no need to enter your plate details manually, perhaps unless you have a dirty plate (which is illegal anyway)
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,570
Location
"Marston Vale mafia"
Indeed - I suspect the services that were most vulnerable to this type of scam were those where a QR code linked to a mobile-responsive website, rather than an app downloaded from Google Play / Apple Appstore. Quite a few of these mobile responsive web apps were spun up during / shortly after COVID for table service as considered easier than creating and publishing an app. Possibly, the same is true of the car park payment services now too, though it's not an area I'm terribly familiar with.

All car parks I've seen even vaguely recently use apps. The most common is RingGo, then PayByPhone, but there are a few other odd ones e.g. NCP have their own, and some railway car parks use either APCOA Connect or Saba (or Trust, which is an add-on to some of them that does automatic payment via ANPR once set up, which is handy to avoid being fined if you go to pick someone up but stay more than 20 minutes).

It is a faff to install them, but once you've got all of the common ones they're there and quick and easy to use, and you can be sure of no scams other than the price of the parking itself!

Regarding pubs, it doesn't help that some of those sites are absolutely awfully designed, and so identifying a scammer might be hard. But as someone has said, it's fairly likely you'll notice the lack of food/drink quite quickly and report the scam (so they'll not get chance to use your card details), and none are going to be clever enough to interface into the pub's systems so the order would still be delivered. And for me at least it'd already raise a concern on a new website if the online two-factor authentication wasn't requested, as most sites/apps now do do it. (Which itself reduces the usefulness of a set of card details anyway!)

For those ANPR-weary, the camera which scans the number plate is usually low down at the entrance, they don't continually track you around the car park (yet...)

Don't know about you, but I would pay extra for them to install cameras to send £100 "fines" to the lazy <naughty word>s who wilfully drive round car parks the wrong way even where there are obvious arrows, and get their back up when you just stop blocking them and give a "turn around" gesture.
 

OscarH

Member
Joined
15 Sep 2020
Messages
504
Location
Crawley
This shouldn't be an issue. Number plates are of the format AA11 BBB, where A is any letter of the alphabet apart from I O U Z. B can be any letter.

Any good parking machine/app will not let you put 0 in B or put O in A (or the number) and will tell you the mistake. It's not surprising if parking firms deliberately allow this to catch people out but hopefully a TOC should handle it better.
That doesn't universally work, due to custom number plates or older cars with previous schemes still.

I also don't have much hope a TOC would handle it much better even if they could - they're not incentivised to do it poorly like the parking companies, but they've no incentive to do it right either

It is a faff to install them, but once you've got all of the common ones they're there and quick and easy to use, and you can be sure of no scams other than the price of the parking itself!
Main problem with them is the local authorities and other entities that charge you extra for using the app! In those cases I fall back to the machines on principle, even though the app is more convenient. Or if the app is APCOA then the app is an abomination so the machine is definitely preferable
 

Energy

Established Member
Joined
29 Dec 2018
Messages
4,600
That doesn't universally work, due to custom number plates or older cars with previous schemes still.
It catches most out, the restriction on private plate formatting is fairly strict nowadays.

Given how quick a database lookup is machines should say when it doesn't exist anyway.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,570
Location
"Marston Vale mafia"
Main problem with them is the local authorities and other entities that charge you extra for using the app! In those cases I fall back to the machines on principle, even though the app is more convenient.

I agree this does rile, but my time to faff about isn't worth the very small extra charge. One thing of note is that RingGo charges you by default 20p extra for two text message reminders, but you can turn this off and just set an alarm for the time your parking expires if you think you may forget.

Or if the app is APCOA then the app is an abomination so the machine is definitely preferable

I'd agree the APCOA app is rubbish, but TfW's machines are/were worse, they only used to let you put on one unit of (bizarrely) 12 hours, not all day (or at least the one at Llandudno Town was like that)! Lord knows who came up with that.

FWIW it appears you can use PayByPhone in TfW car parks, you don't have to subject yourself to the rubbishness of APCOA Connect. I don't know if that's true of their whole estate.

It catches most out, the restriction on private plate formatting is fairly strict nowadays.

Given how quick a database lookup is machines should say when it doesn't exist anyway.

There would need to be an option for foreign cars too.

I assume the very rare ones you see with Arabic lettering (typically I think from Egypt or north Africa, it's a bit far to drive from most Arabic speaking countries!) just get away without paying.
 

Kite159

Veteran Member
Joined
27 Jan 2014
Messages
19,434
Location
West of Andover
This shouldn't be an issue. Number plates are of the format AA11 BBB, where A is any letter of the alphabet apart from I O U Z. B can be any letter.

Any good parking machine/app will not let you put 0 in B or put O in A (or the number) and will tell you the mistake. It's not surprising if parking firms deliberately allow this to catch people out but hopefully a TOC should handle it better.
However as the parking machine needs to cope with the older style number plates & private plates such a system won't work to enforce AA11 BBB.
 

norbitonflyer

Established Member
Joined
24 Mar 2020
Messages
2,620
Location
SW London
I always prefer to have a physical paper ticket in the windscreen rather than rely on the insubstantial electronic signals winging their way from my phone to a data base somewhere and back to the traffic warden looking for commission.

It catches most out, the restriction on private plate formatting is fairly strict nowadays.

Given how quick a database lookup is machines should say when it doesn't exist anyway.
The machines don't look up a database to check the number is valid. Although things like ULEZ cameras do, as they need to know whether your vehicle is exempt.

Older plates could involve confusion between O and 0 - for example 123 ORA and 1230 RA. The Ministry of Transport did limit the use of indexes starting with the letter "O" in reverse format, when both two and three letter indexes in reverse format were issued in the early 1960s, but there were several issuing authorities which overlooked the requirement. In the event only Chester, (OFM) Derbyshire (ONU and ORA), and West Sussex (OBP and OPO) also issued two-letter reverse marks.

There can also be confusion between some vanity plates and current Northern Ireland marks, as Derry/Londonderry City is still issuing marks ending in the letter "I" e.g. AVI 123 vs AV 1123 (and is likely to do so for some time, as it took fifty years to use up all the available marks from AUI to YUI)
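
The O/0 and I/1 mix-ups discussed in the posts above, as an added example (not code from any poster or parking operator): instead of rejecting or repairing input by position, which the thread notes breaks on older and private plates, payments are matched to the camera read on a key that treats the confusable characters as equal. The function names and the AB10 CDE / XY34 ZZZ plates are constructed for illustration; 123 ORA, 1230 RA, AVI 123 and AV 1123 are the examples from the post above.

```python
import re
from collections import defaultdict

# Confusable pairs named in the thread: O/0 and I/1.
_FOLD = str.maketrans({"O": "0", "I": "1"})


def normalise(plate: str) -> str:
    """Upper-case and drop spaces/punctuation so 'ab12 cde' == 'AB12CDE'."""
    return re.sub(r"[^A-Z0-9]", "", plate.upper())


def fold_key(plate: str) -> str:
    """Comparison key in which O/0 and I/1 are the same character."""
    return normalise(plate).translate(_FOLD)


def match_payment(anpr_read: str, paid_plates: list[str]) -> tuple[str, list[str]]:
    """Match a camera read against the plates typed in at payment time.

    Returns (status, candidates), where status is one of:
      'exact'      - a payment has exactly the characters of the read
      'confusable' - exactly one payment differs only by O/0 or I/1
      'ambiguous'  - several distinct payments fold to the read's key
      'none'       - no payment matches even after folding
    """
    read = normalise(anpr_read)
    by_key = defaultdict(set)
    for plate in paid_plates:
        by_key[fold_key(plate)].add(normalise(plate))

    candidates = sorted(by_key.get(fold_key(read), set()))
    if read in candidates:
        return "exact", [read]
    if len(candidates) == 1:
        # A typo, not an unpaid stay: accept the payment.
        return "confusable", candidates
    if candidates:
        # e.g. 123 ORA and 1230 RA both paid: needs a human, not an invoice.
        return "ambiguous", candidates
    return "none", []


if __name__ == "__main__":
    # Constructed sample: driver typed the letter O where the plate has a zero.
    print(match_payment("AB10 CDE", ["AB1O CDE", "XY34 ZZZ"]))
    # Plates from the post above collide once folded.
    print(fold_key("123 ORA"), fold_key("1230 RA"))
    print(match_payment("I230 RA", ["123 ORA", "1230 RA"]))
```

Only the 'none' result should ever lead to a charge; 'ambiguous' is the case where folding cannot tell two genuinely different registrations apart.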
 
Joined
22 Jun 2023
Messages
975
Location
Croydon
Honestly train station parking needs to be free as a condition of the franchise, unless the car park would regularly fill up with non rail passengers otherwise
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,570
Location
"Marston Vale mafia"
Honestly train station parking needs to be free as a condition of the franchise, unless the car park would regularly fill up with non rail passengers otherwise

In much of the South East at least it probably would, so you really need to charge at least a full day in the local Council car park.

And "rail users only" is quite hard to implement, particularly as a very cheap ticket to the next station fulfils that. Oxford does it by requiring a code to be entered that is visible on a screen within the gateline, but I bet there's some awkward whatever that Tweets it daily or similar.
 

stuu

Established Member
Joined
2 Sep 2011
Messages
2,864
Honestly train station parking needs to be free as a condition of the franchise, unless the car park would regularly fill up with non rail passengers otherwise
Why should other passengers pay for somewhere to store people's possessions?
 
Joined
22 Jun 2023
Messages
975
Location
Croydon
Why should other passengers pay for somewhere to store people's possessions?
The capital cost is already largely paid, and free parking would encourage more people to take the train which could easily balance potential maintenance cost. Most of the underused car parks are in nimby ruled semi rural areas so housing on the plot is unlikely

Manchester Metrolink doesn't take a confrontational attitude with cars and has become a very popular informal park and ride and has probably taken a lot of cars off Manchester arterial roads.

In much of the South East at least it probably would, so you really need to charge at least a full day in the local Council car park.

And "rail users only" is quite hard to implement, particularly as a very cheap ticket to the next station fulfils that. Oxford does it by requiring a code to be entered that is visible on a screen within the gateline, but I bet there's some awkward whatever that Tweets it daily or similar.
You could do a "free parking ticket with a season ticket" kinda deals
 

Mcr Warrior

Veteran Member
Joined
8 Jan 2009
Messages
12,374
Manchester Metrolink doesn't take a confrontational attitude with cars...
Believe it does if anyone was thinking of parking their car overnight / beyond the end of service, certainly Sundays to Thursdays. You'll be liable to a parking charge notice then.
 

zwk500

Veteran Member
Joined
20 Jan 2020
Messages
13,671
Location
Bristol
The capital cost is already largely paid, and free parking would encourage more people to take the train which could easily balance potential maintenance cost.
not if the car park fills up with people taking advantage of cheaper fares.
Most of the underused car parks are in nimby ruled semi rural areas so housing on the plot is unlikely
Rural parking tends to be quite popular for railheading especially in commuterland.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,570
Location
"Marston Vale mafia"
Believe it does if anyone was thinking of parking their car overnight / beyond the end of service, certainly Sundays to Thursdays. You'll be liable to a parking charge notice then.

Lord knows why them and Merseyrail don't get that driving to the stop, going for a night out, getting a taxi home then coming back Sunday morning for the car is a valid and sensible use case. I've done it before at Bletchley and MKC and it is utterly ludicrous that both Metrolink and Merseyrail would fine people for that.
 

Mcr Warrior

Veteran Member
Joined
8 Jan 2009
Messages
12,374
Lord knows why them and Merseyrail don't get that driving to the stop, going for a night out, getting a taxi home then coming back Sunday morning for the car is a valid and sensible use case.
Overnight parking is permitted on Metrolink until the following noon, but only on a Friday night / Saturday morning, or a Saturday night / Sunday morning, but not Sunday nights to Thursday nights as already mentioned.
 

Kite159

Veteran Member
Joined
27 Jan 2014
Messages
19,434
Location
West of Andover
.
Lord knows why them and Merseyrail don't get that driving to the stop, going for a night out, getting a taxi home then coming back Sunday morning for the car is a valid and sensible use case. I've done it before at Bletchley and MKC and it is utterly ludicrous that both Metrolink and Merseyrail would fine people for that.
Or even parking on a Saturday morning (or Friday evening), taking the Merseyrail train into Liverpool (or Chester) to connect with a long distance service for a weekend getaway, coming back on the Sunday. Rather than using the car park at Hooton (or even Capenhurst).

I've noticed SWR in their recent car parking increases (or decreases) has changed the "weekend special" tickets to be 00:01 Friday to 03:59 on the following Tuesday, whereas before I want to say only available from midday on the Friday to the Sunday [03:59 on the Monday morning]
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,570
Location
"Marston Vale mafia"
Overnight parking is permitted on Metrolink until the following noon, but only on a Friday night / Saturday morning, or a Saturday night / Sunday morning, but not Sunday nights to Thursday nights as already mentioned.

Which means deciding after you've gone to work to have a few drinks with colleagues will cost you a fine. And Merseyrail have no exemption at all!

It's absolutely nuts and there is no possible good reason for it. If they want to avoid people storing cars there, just apply a maximum stay of say 72 hours (which would also allow a weekend away), or make it free for 24 hours then chargeable at £5/day thereafter or whatever.
 