Is that QR code a scam?
January 7, 2022 5:31 AM

According to Click2Houston: Houston is warning the public about a scam they’ve learned about in Texas cities and may be affecting people using on-street parking stations in Houston. Officials said Wednesday that fraudulent QR codes are being affixed to on-street parking pay stations. These fraudulent QR codes link to a non-city-affiliated website or a fake vendor. In the past three weeks, Houston officials say parking enforcement officers in both San Antonio and Austin discovered fraudulent QR codes affixed to on-street parking pay stations.

A man in Florida recently reported being approached by a sketchy person while in line at a Covid testing site. The woman had him scan a QR code, among other things, which seemed suspicious.

From the Detroit Free Press: One victim told the BBB Scam Tracker that they received a fraudulent letter about student loan consolidation. It contained a QR code that appeared to link to the official Studentaid.gov website. The QR code also helped the letter, which was part of a fraud, appear official.

According to the AARP: Fraudsters have used QR codes for years. The codes came on the scene 27 years ago when Japanese automakers used them to track parts and inventory. “Whenever a new technology or a new offering comes out, cybercriminals look for ways to manipulate it,” says Angel Grant, vice president of security for Seattle-based F5 and a certified information-systems security professional. “So we've seen criminals targeting QR codes pretty much from when they were originally put out.”

As an AskMe from 2020 notes, there are dozens of QR code generators out there so beware of potential fraudsters.
posted by Bella Donna (66 comments total) 19 users marked this as a favorite
 
Oh man. This seems like a very easy way to scam.
posted by tiny frying pan at 5:49 AM on January 7, 2022 [15 favorites]


Yes! I was by the local stadium in November and they had a QR code on the wall near the ticket booths for buying Blue Jays tickets. I thought it would be so easy for someone to make a fake website and put the QR code for that on top of it and take in the money.
posted by any portmanteau in a storm at 5:50 AM on January 7, 2022 [5 favorites]


The other day, when I went to get my booster shot, I arrived at the arena where the clinic was happening to discover that the only way to pay for parking was using an App I had never heard of. I had to scan a QR code and download the app using data, and create an account, and give them my credit card information and then let them put $10 in my wallet to cover $3 worth of parking, because that was the minimum amount, and was furious that I'm never going to get that $7 back.

And now I'm also worried that I may have just fallen for an absolute scam and given up my credit card data to thieves.
posted by jacquilynne at 6:00 AM on January 7, 2022 [17 favorites]


Love our cyberpunk present where everything is potentially fake!
posted by dis_integration at 6:09 AM on January 7, 2022 [24 favorites]


Yeah, sometime last summer I had the idea of having a bunch of QR codes printed up in various common sizes that linked to a certain Rick Astley video when I started seeing more and more restaurants replacing menus with QR codes, but I'm too old for casual chaos these days.

I still think it's worth it for stuff like streaming service links - I grumble every time I have to type in youtube.com/activate on my phone, or transfer a 12 digit sign-in code (thanks, Sony), but codes for random parking and ticketing apps are the pits - how do you confirm it's the legitimate provider?
posted by Kyol at 6:22 AM on January 7, 2022 [15 favorites]


This is less of a concern than it's made out to be, I think - QR codes are mostly just URLs you can put somewhere physical, and you shouldn't click random links whatever shape they arrive in but they're otherwise quite useful.

A few years ago we ran a "who uses QR codes" study, and they're pretty much a ubiquitous artifact of commerce outside of North America. The question was, "who uses QR codes, really?" and the answer that came back was, if you're seriously asking that question, the answer is "everyone but you."
posted by mhoye at 6:28 AM on January 7, 2022 [9 favorites]


Huh, this is going to be a huge problem isn't it?

It's weird that QR codes took so long to happen, what 10 years maybe before general adoption? And now that the public is generally accepting and with Covid the codes are vital for daily life, this kind of thing will take off.

The codes themselves are so ugly I'd kind of like them to die, but it's too late for that I guess.
posted by St. Oops at 6:31 AM on January 7, 2022 [2 favorites]


more and more restaurants replacing menus with QR codes

This sort of thing is part of why I think of public wifi increasingly as a basic human right. Not everyone has mobile data. I don't. (Also, not everyone even has an internet-capable device on their person at all times, so you really should have some sort of alternative available that doesn't depend on them having such a thing.) If you're going to ask me to screw around on the internet to pay for parking, or to view your menu, you better actually be providing that internet.
posted by jackbishop at 6:31 AM on January 7, 2022 [15 favorites]


Not everyone has mobile data.

That sort of thing is definitely, 100% deliberate, like the paired "All are welcome here! Washrooms are for customers only" stickers you'll see on the doors of those same restaurants.
posted by mhoye at 6:34 AM on January 7, 2022 [9 favorites]


This is less of a concern than it's made out to be, I think

I don't know about that. I consider myself tech savvy and vigilant, but I scan so few QR codes in real life that I probably would have fallen for a well-crafted fake web site hook line and sinker, especially if I was in a situation where I was under pressure to scan the QR code that was put before me to pay for parking or something of the like. As atomic shrimp is always pointing out in his videos about online scams, anyone can be the victim of some kind of scam.
posted by RonButNotStupid at 6:36 AM on January 7, 2022 [11 favorites]


Not everyone has mobile data.

That sort of thing is definitely, 100% deliberate, like the paired "All are welcome here! Washrooms are for customers only" stickers you'll see on the doors of those same restaurants.


Agree, and you get the same thing with "cash free" establishments; you can bill it as hip and futuristic all you want, in practice it means that people with limited access to certain resources are shut out and that's really shitty.
posted by an octopus IRL at 6:37 AM on January 7, 2022 [8 favorites]


Not everyone has mobile data.

That sort of thing is definitely, 100% deliberate, like the paired "All are welcome here! Washrooms are for customers only" stickers you'll see on the doors of those same restaurants.


Worse, the restaurant I thought about doing this to had free wi-fi, they just asked you to install this configuration profile on your phone first! yyyyyyyeah no get bent. Thankfully most places I've seen with QR menus still have print menus available on request, but I know what the shape of the future looks like, yeah.
posted by Kyol at 6:40 AM on January 7, 2022 [6 favorites]


everyone but you

I'm fine with that.
posted by hypnogogue at 6:48 AM on January 7, 2022 [4 favorites]


Yes, QR codes are extensively used outside the USA (China).

How do they avoid scams? It's pretty obvious if you pay and it doesn't chime on their phone / send the order to the chef. So the way they avoid scams is by not reducing the staffing at all, an unlikely strategy for the US. (Why the QR codes? Most people don't use credit cards.)

As typical, the problem is less the technology than the implementation. QR codes are great for paying your electric bill (a one-time scan that's then added to your utilities) or for dinner (immediate feedback). When you get into serious money, it's worth your time to check that the code is legit. But consequences for scammers to my mind are always better than shaming rubes. We can all fall for a scam given the right time and place. If consequences are not severe or likely, why would scammers worry?
posted by Trifling at 6:49 AM on January 7, 2022 [3 favorites]


so what happens if the internet goes out and the qr codes don't work?

we're putting too many eggs in one basket
posted by pyramid termite at 6:51 AM on January 7, 2022 [4 favorites]


...more and more restaurants replacing menus with QR codes

I ran into this almost ten years ago at a local brewpub. The food menu was a standard, printed menu, but the beer menu was a QR code. At the time, I didn't have a phone that could read QR codes and the staff had to search for an actual, physical beer list. Insane. I noted that, by the next time I went there, they had gone back to real menus.

Anywho...Many ages ago, when I first saw a QR code in the wild, I immediately imagined just how easy it would be to fuck with this and scam people, especially when I discovered that anyone can generate their own QR code, for whatever purpose, on myriad free websites. Yeah...that'll never be used for nefarious purposes...

I honestly thought the marketing droids had given up on such an obviously insecure technology, given that you rarely saw a QR in use in my neck of the world, but they seem to have suddenly exploded everywhere, reaffirming my jaundiced view of the evil nexus of marketing and technology.
posted by Thorzdad at 6:51 AM on January 7, 2022 [6 favorites]


The idea of a cryptic thing I can’t decode with my eyes taking my web browser to an address—so if there is a zero-day exploit my vendor hasn’t patched, I’ve already lost—is dumb beyond belief. So vendors all over the world use them? Surprise—the risk isn’t to them, it’s to their customers. As Bruce Schneier has been saying since his blog ran on a giant steam-powered Babbage Engine in the early 1800’s, it’s all about externalities, and increasing customers’ risks is irrelevant to businesses, while a slight cost reduction is *very* relevant.

I just say no to the QR-code restaurants, not because I’m worried about stickering scamsters, but for the same reason I don’t use automated checkouts: if you’re saving money you need to pass some of it along to me! Oddly, that never happens…
posted by Gilgamesh's Chauffeur at 6:53 AM on January 7, 2022 [12 favorites]


See also: URL shorteners.
posted by scolbath at 6:55 AM on January 7, 2022 [9 favorites]


more and more restaurants replacing menus with QR codes

Beverage alcohol industry person here. I've recently read, as part of surveys being done to ascertain return to on-premise (restaurant) dining numbers, that the majority of guests surveyed would prefer to have printed menus. So I suspect we'll see an end to QR-only offerings...eventually. Also there are many diners, especially older ones, who simply can't manage the 'codes -> URL' thing on their phone and then have problems reading off their screens. They usually ask for a printed menu and many places do still have them.

Meanwhile, yeah: I think about all the codes could be used for nefarious purposes.
posted by Insert Clever Name Here at 6:56 AM on January 7, 2022


This is less of a concern than it's made out to be, I think - QR codes are mostly just URLs you can put somewhere physical, and you shouldn't click random links whatever shape they arrive in but they're otherwise quite useful.

When you're confronted with a QR code in a business, you don't know where the link is even supposed to go, so then what are your options? Most restaurant QR codes I've come across don't go to RestaurantName.Com/menu they go to some third party service provider, and often bounce through a URL shortener first. How am I supposed to verify it's not a malware link or a phishing scam *before* I scan the QR code? Someone could be plopping their own QR codes on top of existing QR code stickers and would staff even notice? Are you going to wait around until the waiter comes back to ask what URL it's supposed to go to before you click?

Since this thread, I've gone out and verified that there is a legit HotSpot app, that is legit used to pay for transit and parking in some Canadian cities, and I'm taking comfort from the fact that I downloaded the App from the App store so it's probably legit. But the setup in the parking garage was sketchy to the extreme -- the QR Code sign was just taped on top of the regular parking payment box with text saying that the parking boxes were closed (I imagine because university sports are shut down for COVID) and to use the app instead. Someone could go in and slap their own sign on top of the one that is already there and it couldn't possibly appear more sketchy and haphazard than the one that was there.

And it's not like I didn't notice the sketchiness while I was there, but I had already missed the poorly signed turn into the parking garage and had to go around the arena to get back to it, so I was running late for my appointment and I just didn't have time to try to figure out if it was legit.
posted by jacquilynne at 6:57 AM on January 7, 2022 [13 favorites]


@jacquilynne, was it ParkMobile? Our town and university have completely switched to using that, and while it's a pain in the ass because the zone at work isn't the one listed on the sign, it is official.
posted by TheKaijuCommuter at 6:57 AM on January 7, 2022


The idea of a cryptic thing I can’t decode with my eyes taking my web browser to an address—so if there is a zero-day exploit my vendor hasn’t patched, I’ve already lost—is dumb beyond belief.

All of this.

I walked past an empty block yesterday, with cyclone-wire fencing covered in laminated A4 descriptions of an art project, and QR codes inviting participation.

So, I don't click on random links, why would I $(exactly the same as clicking a random link)?

Shame. Might've been a cool art thing.
posted by pompomtom at 6:58 AM on January 7, 2022 [3 favorites]


Yes, URL shorteners suffer from most of the problems that QR codes do. Also, being able to read the URL doesn’t protect against attacks using look-the-same-but-really-different domain names using obscure Unicode. I actually think only allowing ASCII in domains would have been smart, but security is not the only (or even the largest) driving force in net standards.

Kind of like gravity isn’t the only force in the physical universe—but when you get a big enough collection of matter, it can no longer be ignored.
posted by Gilgamesh's Chauffeur at 7:24 AM on January 7, 2022 [1 favorite]


In the past, I have successfully used my phone camera as a QR-reader whenever I needed it. The COVID QR boom has stumped the camera app, a little, though. Half the time I'll get seated at a restaurant and the camera QR reader won't work. At that point, I'll download whatever QR Reader app pops up first on Google Play (and hope it doesn't contain anything too horrible). Inevitably, the QR link will just link to the same menu on the restaurant website that I looked at 30 minutes before arriving. I then delete the (in theory) superfluous QR-reader until the next time.

So I don't like QR codes! But I do know some folks who haaaate typing on their phone, and prefer scanning a code to pecking in a search phrase or web address. And we're already to the point where some people prefer to use an app to a browser anything -- and that's probably getting worse now that every webpage is beset with newsletter offers, requests to track location, and demands to specify which cookies are acceptable to you.

I'll also say that I've always thought city parking spaces are one of the rare, great uses for QR codes and I never thought twice about the possibility of scams -- though I guess scamming is one of the other rare, great uses for QR codes.
posted by grandiloquiet at 8:14 AM on January 7, 2022 [4 favorites]


I just say no to the QR-code restaurants, not because I’m worried about stickering scamsters, but for the same reason I don’t use automated checkouts: if you’re saving money you need to pass some of it along to me!

I went back to a restaurant for the first time since the pandemic and they'd switched to a model where you not only read the menu online but did all the ordering through it. The wait staff had literally been reduced to just dropping off food and clearing the table at the end, but when it came time to pay still suggested a 20-25% tip which seemed a little silly. I'd get it if it was a temporary measure to reduce exposure to talking customers during Covid but I have a feeling it's not.

Also relevant - the restaurant had a sign advertising $18/hour starting base pay (in a lowish-medium cost of living area) nor were they understaffed, so they're clearly not doing it to slash employee costs to a minimum. I can't imagine that the kickback they get from the data hoovering company that's running the ordering system is all that much. Though this is a lunch for two is $50 type of place, so I guess figuring out who's in that demographic is worth something.
posted by Candleman at 8:16 AM on January 7, 2022 [5 favorites]


I am finding it a fun exercise to think of dumb and possibly impractical ways to prevent surreptitious QR codes from replacing legit ones.

Like maybe all the outdoor QR codes could be giant and placed high enough so someone needs a ladder to alter them. Or maybe all QR codes are embedded in clear, inch-thick lucite so it's immediately obvious that someone has stickered over them. Or maybe the QR code itself isn't a flat surface but composed of several different "planes" that are cut out of sheet metal and which need to be viewed from a certain angle in order to compose the image as something which can be scanned.
posted by RonButNotStupid at 8:22 AM on January 7, 2022 [10 favorites]


so what happens if the internet goes out and the qr codes don't work?

This happened to me a couple of weeks ago. They just brought us paper menus.
posted by mr_roboto at 8:30 AM on January 7, 2022 [1 favorite]


See also: URL shorteners.

My favorites are all the ones ending in .ly - You're just going to hand over all of that surprise-interdiction power to Libya for a clever URL? Really?
posted by mhoye at 8:31 AM on January 7, 2022 [9 favorites]


I believe it's called qrishing (phishing = email, vishing = voicemail, qrishing or sometimes quishing = QR codes, smishing = SMS/Ticket, etc.)

Because we need fun names for the downfall of society during a pandemic.

I am finding it a fun exercise to think of dumb and possibly impractical ways to prevent surreptitious QR codes from replacing legit ones.

I was thinking real ones have to be painted only in vantablack..... But I see there are companies adding digital signatures to QR codes. Good luck with that beyond niche applications.
posted by inflatablekiwi at 8:34 AM on January 7, 2022 [3 favorites]


On TV the other day, I can’t remember if it was part of a show or a commercial, but at the end of it they were like “scan this QR code for more information!” and a QR code was put on the screen for like two seconds before the next segment/commercial came on and the code disappeared.

It seemed… stupid? Do they think people are watching broadcast television, phone in hand, ready to scan any QR code that may appear on the screen at a moment’s notice?

Am I just out of touch and people actually do that? I wouldn’t think so, but I’ve been surprised by human behavior before.
posted by wondermouse at 8:44 AM on January 7, 2022 [6 favorites]


If the show was being streamed to yr phone via the web, it's possible the browser might 'recognize' there's a QR code on the screen and just grab it automatically. (Am I dreaming this or...?)
posted by Insert Clever Name Here at 8:46 AM on January 7, 2022


Strange QR codes sitting in pubs handing out links? That hardly seems like the basis for a system of orders.
posted by Slackermagee at 8:59 AM on January 7, 2022 [18 favorites]


As a 52 year old, reading a menu on a phone is bullshit. If my restaurant experience is all automated via phone including ordering, I may as well stay home and use a proper keyboard to get it delivered. Also I miss the person sitting in the little booth taking my parking money. I liked peering in to see what book they were reading or writing during downtime.
posted by freecellwizard at 9:00 AM on January 7, 2022 [5 favorites]


I do understand the lack of menus during COVID though. I hope they come back.
posted by freecellwizard at 9:02 AM on January 7, 2022


Reading the OP, one would suspect that the parking agents discovered this because they gave parking tickets to people who were scammed and those people said they had paid. I wonder if those people will get the tickets thrown out automatically without having to go to court or any fines refunded.
posted by Captaintripps at 9:29 AM on January 7, 2022 [2 favorites]


The real question is, can you scan a QR code to buy NFTs of a fart jar. You can?

O brave new world, that has such people in it!
posted by betweenthebars at 9:34 AM on January 7, 2022 [6 favorites]


As a 52 year old, reading a menu on a phone is bullshit.

See, I'm of two minds - too many restaurants have fancy light silver print on tan vellum-wannabe paper and consider 2 candles per table sufficient lighting, so reading the menu with eyes that are more than 30 years old can be a challenge, so huzzah for a digital menu that uses your phone's accessibility features and preferred font sizes and etc!

And then they go and make their online menu a stinkin' PDF that's just a wrapper around a 100 meg picture of a scan of the physical menu. Well done.
posted by Kyol at 9:35 AM on January 7, 2022 [23 favorites]


"I wonder if those people will get the tickets thrown out automatically without having to go to court or any fines refunded."
Hahahahaha. This is America. If anything there will be a "you supported a scammer" fine of $10,000 and 2 months probation and I'm sure they'll find a way to steal at least one struggling single parent's house-car.
posted by bleep at 9:38 AM on January 7, 2022 [5 favorites]


Lovely scam. As much as I think parking should be far more expensive than it is and the funds used to support local government programs, it's hard to feel too bad about this. I am curious how their back-end credit card processing works, assuming they're just charging people for fake parking passes rather than stealing their information.

I have no idea what the parent company of the parking lot I use is called, much less if they have a website. Last time my phone app QR code failed to open the gate, I called a phone number written by hand on a piece of paper taped to a window. An angry guy in street clothes with a key ring showed up. I suspect he actually works for the company, but I didn't check. I'd absolutely fall for this.

That my department of state has used cyberdriveillinois.com as their official website for years, but dmv.org is a scammy garbage site, sure makes it hard to blame people for being confused. (And it makes it really fucking hard to try to explain website legitimacy heuristics to people who are new to doing things online.)
posted by eotvos at 9:46 AM on January 7, 2022 [4 favorites]


Kyol, I love the idea of using QR codes to Rick Roll people.

My kid recommended a casual sushi restaurant in our small city's downtown area. So I checked it out after an appointment. There were QR codes at every table (so the server would know where to take your order, supposedly) and you needed a QR code to get a menu and, of course, you had to pay online before the food arrived. A very nice person came out and attempted to help me. I sat down, considered the situation, and then left after she turned her back. I just wasn't interested.

Many fast food places in Sweden use automated ordering and payment systems that are a huge pain in the ass to use if you (like me), don't want cheese on your junior burger, say. Anything that is a deviation from the standard menu is nearly impossible to find, and thus far all of the places use systems with shitty UIs or UXs or what the fuck ever. I am not yet disabled physically nor frail; god help the folks who just need a cheap meal who happen to be disabled or frail because you can stand there a long time trying to figure out how to get what you need.

Honestly, QR codes would probably be an improvement at those places if they made them into a one-click order for each item.
posted by Bella Donna at 9:55 AM on January 7, 2022 [2 favorites]


Do they think people are watching broadcast television, phone in hand, ready to scan any QR code that may appear on the screen at a moment’s notice?

I think a lot of people can pause and rewind digital cable nowadays, either as a function of their DVR or their cable service generally. That said, I have not actually had cable in a decade so I don't know if that's still a thing.
posted by jacquilynne at 9:56 AM on January 7, 2022


I bought a "latest and greatest" Android phone a few months ago. I figured out that the QR scan only works if the camera is in "photo" mode. I handed it to a relative to take a photo over the holidays, they switched it to "portrait".....now QR codes didn't work, at least until I switched them back. Not the end of the world. The problem is if the QR code is the only option you get in a situation, but your phone treats it as a "nice to have" which might or might not be immediately accessible. Seems like that hasn't been ironed out yet.

When we've done surveys where I work, QR codes are workable for about 75% of people, and we should probably assume that that really means "75% of people who know what we're talking about".
posted by gimonca at 10:13 AM on January 7, 2022 [2 favorites]


So I don't like QR codes! But I do know some folks who haaaate typing on their phone, and prefer scanning a code to pecking in a search phrase or web address.

Here's my peeve: They could put BOTH the QR code and the URL.
posted by a non mouse, a cow herd at 10:25 AM on January 7, 2022 [6 favorites]


Yes, but see: the URL's legit & QR code goes to a scam website.
posted by seanmpuckett at 10:31 AM on January 7, 2022 [2 favorites]


I believe it's called qrishing

Nope. No. Hard pass. Let's just stop it with that crap right now. It's called fraud, and we don't need to generate a new word for "fraud" every time someone thinks up a new way of transmitting URLs.

One mitigation for these types of attacks is to stop software—browsers, particularly, but also QR code readers like the ones embedded in the Camera app—from following links and redirects automatically.

The Apple Camera app does a reasonably good job of showing you the URL you're about to visit after you scan a QR code (at the very least it shows you the domain, I believe, although it really should show the entire URL).

URL shorteners are a bad idea and whoever invented them is a bad person who should feel bad. Browsers should intentionally break them wherever possible, perhaps by inserting a mandatory delay in any link that immediately goes to a redirect. This would also have the (positive, IMO) effect of breaking those shitty analytics redirects that Facebook and Twitter both insert into links behind the scenes (e.g. you link to "http://www.bettysbakeshop.com" but what Facebook and Twitter actually do is create a link that looks like it goes to bettysbakeshop.com, but in reality goes to "https://t.co/cpk3xf9ncS", just so they can monitor what you're clicking on).

The Internet community should have absolutely nipped this behavior in the bud when it started with TinyURL and its kin, but we didn't, and shame on us for just going with it.
posted by Kadin2048 at 10:38 AM on January 7, 2022 [11 favorites]
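
Added example, not part of any comment in this thread: a Python sketch of the pre-visit check discussed above, which parses a scanned payload without fetching it, shows the full host, and flags URL shorteners, look-alike Unicode hosts, and a mismatch with a URL printed beside the code. The function name, flag names, shortener list and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Assumed starter list: t.co and TinyURL are named in the thread, bit.ly added.
SHORTENERS = {"t.co", "tinyurl.com", "bit.ly"}


def _scripts(label):
    """Rough script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def preview_qr_payload(payload, expected_host=None):
    """Describe a decoded QR payload without making any network request.

    expected_host is the host printed next to the code, if there is one.
    Returns the host as written, its ASCII (punycode) form, and a list of
    flags a scanner could show before the user decides to open the link.
    """
    result = {"payload": payload, "host": None, "ascii_host": None, "flags": []}
    flags = result["flags"]
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname
    except ValueError:
        flags.append("unparseable")
        return result

    # Wi-Fi, tel:, sms: and similar payloads are not web links at all.
    if parts.scheme not in ("http", "https") or not host:
        flags.append("non-web-payload")
        return result

    try:
        # Python's built-in codec implements IDNA 2003; enough for a preview.
        ascii_host = host.encode("idna").decode("ascii")
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        flags.append("invalid-host")
        return result
    result["host"] = unicode_host
    result["ascii_host"] = ascii_host

    if parts.scheme == "http":
        flags.append("not-https")
    # "https://trusted.example@other.host/" really goes to other.host.
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(ascii_host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if ascii_host != unicode_host:
        flags.append("idn-host")
    # Heuristic: one label mixing scripts is a common look-alike pattern.
    if any(len(_scripts(label)) > 1 for label in unicode_host.split(".")):
        flags.append("mixed-script-host")
    if ascii_host in SHORTENERS:
        flags.append("url-shortener")
    if expected_host and ascii_host != expected_host.lower():
        flags.append("unexpected-host")
    return result


if __name__ == "__main__":
    # Constructed sample payloads; example.gov and 203.0.113.7 are placeholders.
    samples = [
        "https://parking.example.gov/pay?zone=12",
        "https://t.co/cpk3xf9ncS",
        "https://ex\u0430mple.com/menu",  # Cyrillic U+0430 in place of Latin "a"
        "https://parking.example.gov@203.0.113.7/pay",
        "WIFI:S:cafe;T:WPA;P:constructed;;",
    ]
    for s in samples:
        info = preview_qr_payload(s, expected_host="parking.example.gov")
        print(info["ascii_host"], info["flags"])
```

A clean result only means the link has none of these specific warning signs; it says nothing about whether the site behind it is the legitimate vendor.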


It's called fraud, and we don't need to generate a new word for "fraud" every time someone thinks up a new way of transmitting URLs.

I strongly disagree with this.

Giving new names to novel threats is important, both because helping people understand that old ills can befall them in novel ways is important, and giving people tools so they can quickly identify whether or not they understand this specific new fraud vector ("Have you heard of qrishing?") and maybe more importantly teach each other about these new risks matters.

Novel threat vectors are novel, and specificity matters if you're going to effectively discuss and mitigate risk.
posted by mhoye at 10:50 AM on January 7, 2022


Yes, but see: the URL's legit & QR code goes to a scam website.

Right. I was talking about the restaurants that use QR codes instead of websites for their menu. The QR code that goes to the legit site before a hacker comes through and covers it up with a fake QR code. Those who want to scan, can. Those who want to type, can. There is no reason the restaurant can't put both on... unless maybe they think QR codes are a "peek into the future"?

Grar.
posted by a non mouse, a cow herd at 10:55 AM on January 7, 2022 [1 favorite]


~ Do they think people are watching broadcast television, phone in hand, ready to scan any QR code that may appear on the screen at a moment’s notice?

~ If the show was being streamed to yr phone via the web, it's possible the browser might 'recognize' there's a QR code on the screen and just grab it automatically. (Am I dreaming this or...?)


I've seen these ads on OTA broadcast tv, cable tv, and streaming services that show ads, like Hulu or Peacock. They're real ads expecting people to scan a QR on the screen. And, I suspect there is a cadre of hipper-than-thou techheads who will gleefully scan them. Because it's the future, or something?
posted by Thorzdad at 11:00 AM on January 7, 2022 [1 favorite]


I think the US is especially vulnerable to this because the prevalence of privatization means the line between the official and the scam can be pretty hazy. For a lot of this third-party vendor stuff, I'm thinking especially parking apps per one of the original examples, there are no real tells that the correct channel isn't an illegitimate scam other than just... knowing.
posted by dusty potato at 11:07 AM on January 7, 2022 [4 favorites]


That $1,000 Bourbon You Bought May Be a Phony

A cottage industry has popped up in response [to counterfeiting], especially in Britain, promising high-tech countermeasures like through-the-glass chemical analysis, which allows sellers and collectors to assess a bottle’s authenticity without having to open it. But those are still in development, and years away from widespread use.

Easier solutions already exist. The Macallan, among other distilleries, has started to place holographic images on its seals. Ardnamurchan, another Scottish distillery, is adding QR codes to its labels, allowing retailers and consumers to check for authenticity with their smartphones.
(emph. added)
posted by They sucked his brains out! at 11:26 AM on January 7, 2022 [3 favorites]


I strongly disagree with this.

Giving new names to novel threats is important, both because helping people understand that old ills can befall them in novel ways is important, and giving people tools so they can quickly identify whether or not they understand this specific new fraud vector ("Have you heard of qrishing?") and maybe more importantly teach each other about these new risks matters.


And because CompTIA needs yet another thing to add to Sec+ 701 in a couple of years.
posted by Kyol at 11:32 AM on January 7, 2022 [2 favorites]


Shame. Might've been a cool art thing.

Eh, these days it was probably an NFT, in which case, no loss.
posted by eviemath at 11:49 AM on January 7, 2022 [1 favorite]


This is less of a concern than it's made out to be, I think - QR codes are mostly just URLs you can put somewhere physical, and you shouldn't click random links whatever shape they arrive in but they're otherwise quite useful.

I'm pretty sure it was on mefi that I encountered the Pictures of People scanning QR codes tumblr, whose punchline is that there are no pictures, presumably because nobody scans QR codes.

The tumblr is now a decade old, and it seems the use case for QR codes is not deciding to buy things on a phone, but paying for things you already decided to buy.
posted by pwnguin at 11:53 AM on January 7, 2022 [2 favorites]


Heh, so I guess everyone ended up carrying around a :CueCat after all...
posted by rozcakj at 12:07 PM on January 7, 2022 [7 favorites]


I was thinking real ones have to be painted only in vantablack

So that only Anish Kapoor can create them?
posted by hanov3r at 12:08 PM on January 7, 2022 [1 favorite]


is adding QR codes to its labels, allowing retailers and consumers to check for authenticity with their smartphones.

How the hell is this supposed to work exactly? It seems like copying a valid QR code from genuine bottles would be the least difficult part of a counterfeit operation.
posted by Mitheral at 12:19 PM on January 7, 2022 [2 favorites]
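
The copying problem raised in the comment above, as an added example that is not part of the thread and not any distillery's actual system: it assumes a hypothetical label format (`serial.tag`, with an HMAC tag keyed by the issuer) and a hypothetical issuer-side scan registry. A copied label passes the tag check exactly like the original, so the only signal left to the issuer is the same serial turning up in more than one place.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed sample key for this example


def _tag(serial: str) -> str:
    return hmac.new(ISSUER_KEY, serial.encode(), hashlib.sha256).hexdigest()


def make_label(serial: str) -> str:
    """Payload the (hypothetical) issuer prints as a QR code: serial.tag"""
    return f"{serial}.{_tag(serial)}"


def tag_is_valid(payload: str) -> bool:
    serial, _, tag = payload.rpartition(".")
    return hmac.compare_digest(tag.encode(), _tag(serial).encode())


class ScanRegistry:
    """Issuer-side record of the locations where each serial was scanned."""

    def __init__(self, max_locations: int = 1):
        self.max_locations = max_locations
        self.seen: dict[str, set[str]] = {}

    def check(self, payload: str, location: str) -> str:
        if not tag_is_valid(payload):
            return "forged"  # tag was not produced with the issuer's key
        places = self.seen.setdefault(payload.rpartition(".")[0], set())
        places.add(location)
        # Heuristic only: it cannot say which bottle is the genuine one,
        # and a resold genuine bottle can trip it too.
        return "suspected-clone" if len(places) > self.max_locations else "ok"


def demo() -> list[str]:
    registry = ScanRegistry()
    genuine = make_label("BOTTLE-0001")
    copied = genuine  # a photographed label carries exactly the same bytes
    return [
        registry.check(genuine, "shop-A"),
        registry.check("BOTTLE-0002." + "0" * 64, "shop-A"),
        registry.check(copied, "auction-B"),
    ]
```
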


How the hell is this supposed to work exactly?

The QR Code encodes a Verrit ID which says the bottle is authentic. Duh.
posted by RonButNotStupid at 12:26 PM on January 7, 2022 [1 favorite]


They're real ads expecting people to scan a QR on the screen.

This is how we used to have to set up our TFA at work. Half the time it didn't work because the screen was too glossy. Now we make people call in and actually, you know, authenticate them and set it up for them.
posted by a non mouse, a cow herd at 12:36 PM on January 7, 2022 [2 favorites]


It seems like copying a valid QR code from genuine bottles would be the least difficult part of a counterfeit operation.

Good point. One wonders whether the veneer of technology is enough for the average buyer.
posted by They sucked his brains out! at 1:11 PM on January 7, 2022


URL shorteners are a bad idea and whoever invented them is a bad person who should feel bad.

Maybe if fewer social networks thought that there was a moral imperative to keep posts under a certain number of characters, or if people running websites designed them with better URL ergonomics, I'd agree with you. These services didn't pop up out of nowhere, they were created to solve actual problems.
posted by Aleyn at 4:02 PM on January 7, 2022 [3 favorites]


QR codes and other blind links have creeped me out since CueCat. Glad to know that my anxiety has social use.
posted by NoThisIsPatrick at 4:48 PM on January 7, 2022


QR code ordering system at a restaurant? Don't forget to tip your app developer...
posted by joelr at 6:17 PM on January 7, 2022 [1 favorite]


You're just going to hand over all of that surprise-interdiction power to Libya for a clever URL? Really?

Over the US? Why not?
posted by pompomtom at 6:54 AM on January 8, 2022


And, I suspect there is a cadre of hipper-than-thou techheads who will gleefully scan them. Because it's the future, or something?

Oh curse my unprofitable morals.
posted by pompomtom at 7:31 AM on January 8, 2022


The reverse is fun too. You know what happens if you put the virus-test string (EICAR) on a QR code? Enjoy: https://www.youtube.com/watch?v=cIcbAMO6sxo
posted by DreamerFi at 8:06 AM on January 8, 2022 [2 favorites]


These services didn't pop up out of nowhere, they were created to solve actual problems.

This is true but in many cases the problem being solved was “marketing wants to know where people are seeing our links”. Twitter helped but most of this comes back to people wanting to break down that “no referrer” number in their web analytics and they would have done that even if Twitter had always excluded URLs from the limit.

This is an externality of that click-tracking goal: big companies wanted metrics and they don’t pay the cost of training generations of internet users to click on any random thing they see. Browsers putting friction into that process would have put some useful counter pressure in place but it seems hard to do now that most users use a browser made by a company which primarily sells data obtained from tracking.
posted by adamsc at 3:30 PM on January 8, 2022

