22 April 2018
Keith Appleyard

Please Engage Brain

Keith Appleyard - available for hire

Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.

Beware Pay by Phone Cashless Payment at Car Parks

09 June 2009

Many cities across the world are switching over to Pay by Phone Cashless Payment at Car Parks. 

The market leader is Verrus (www.verrus.com), which has contracts in over 100 cities across the UK & North America, including Birmingham, Manchester, Oxford, Westminster, York, Chicago, Dallas, Minneapolis, Seattle, Vancouver.

In order to pay you have to use your Mobile Phone. You can set up an account beforehand via the internet, but if you are caught out in an unfamiliar location then you can set up an account there and then. 

However, this requires you to stand in the middle of the street, with your phone in one hand, your credit card in the other, sending an unencrypted SMS text message.

The message contains location (Parking Bay Number), duration of stay, your vehicle registration number, and your credit or debit card details. 

So if you want to park vehicle AB54DPN in location 8362 for 3 hours and your credit card number is 4929 1234 5678 9012 with an expiry of 0810 and security code of 279 then you send ‘8362 3 AB54DPN 4929123456789012 0810 279’ [not my real details!]

Verrus does not warn you that your SMS message is sent unencrypted; actually they reassure you that it is safe because it is stored encrypted when it arrives at Verrus – and all the client Cities simply refer you to Verrus’ FAQs. I wonder if Verrus is storing the Security Code - because that is against PCI-DSS rules.
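What the receiving side can do with a message in this layout is sketched below as an added example (it is not Verrus code and not from the original post): the record kept for storage has no security-code field, the card number is truncated, and nothing that reaches a log echoes the raw text. The function names, the field widths and the first-six/last-four truncation are assumptions made for illustration; none of this protects the message while it is in transit as SMS.

```python
import re
from dataclasses import dataclass

# Article's layout: bay hours reg card-number expiry security-code
SMS_RE = re.compile(
    r"\s*(?P<bay>\d{1,6})\s+(?P<hours>\d{1,2})\s+(?P<reg>[A-Za-z0-9]{2,8})\s+"
    r"(?P<pan>\d{13,19})\s+(?P<expiry>\d{4})\s+(?P<cvv>\d{3,4})\s*"
)
# Card-length digit run, optionally followed by expiry and security code.
CARD_RUN = re.compile(r"\b(\d{13,19})\b(?:(\s+\d{4}\s+)\d{3,4}\b)?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (assumed policy)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass(frozen=True)
class StoredRecord:
    """Fields that may be persisted. There is no security-code field."""
    bay: str
    hours: int
    reg: str
    masked_pan: str
    expiry: str

def to_stored_record(sms: str) -> StoredRecord:
    m = SMS_RE.fullmatch(sms)
    # Error text never echoes the message, so card data cannot leak via logs.
    if m is None:
        raise ValueError("unrecognised message layout")
    if not luhn_ok(m["pan"]):
        raise ValueError("card number fails Luhn check")
    # m["cvv"] is needed only for the live authorisation and is dropped here.
    return StoredRecord(m["bay"], int(m["hours"]), m["reg"].upper(),
                        mask_pan(m["pan"]), m["expiry"])

def scrub_for_log(text: str) -> str:
    """Mask card numbers and security codes in free text before logging."""
    return CARD_RUN.sub(lambda m: mask_pan(m.group(1))
                        + (m.group(2) + "***" if m.group(2) else ""), text)
```

The sample card number in the post fails the Luhn check, so `to_stored_record` rejects that exact message; a Luhn-valid test number is needed to see a record come back.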

As for additional costs – well it can get expensive:

In the case of Westminster, in addition to the parking fee and paying for the SMS message, there is a service charge of 10-20p which is billed to your credit card. If you request an SMS text reminder when you’re running out of credit a further 10p service charge is added.

If you have any problems juggling your texting whilst clenching your Credit Card in your teeth, you can always call to talk to a friendly person, but that’s via an 0870 number, costing you another 20-40p per minute from your cellphone.

If a subsequent attempt is made to charge your [registered] Credit Card and it fails for any reason (e.g. insufficient funds, card cancelled etc.), then there is a chargeback fee of £15 (not sure how they aim to collect that if the Card is cancelled – I presume they get your home address from your Car Registration details?).

Now how about the other risks: apart from the risk of eavesdropping where someone can scan and intercept your unencrypted SMS text message containing your Card Number, Expiry Date & Security Code, there’s an even better scam.

Make mock-ups of a legitimate Pay by Phone notice, attach them to the back of traditional Parking Meters/Payment machines, but with your Mobile Phone number as the contact details, and you’ll have all the techno-savvy punters willingly texting you their Credit Card details, and not even knowing they’ve been ‘had’ until they come back to their car hours later to find they’ve incurred a parking fine for £60. You could probably harvest 100 numbers an hour before the Parking Inspector comes around, and they’d be too excited at the prospect of generating all those Parking Fines to even notice the rogue signage. You of course discard the SIM at the end of the day and move on.

Some locations are removing coin-operated Parking Meters, but retaining Credit/Debit Card readers; so in those instances it's cheaper & safer to pay directly by Credit Card than to add 10% or so to your Parking Fees.

I did pay by Credit Card in Westminster outside the Natural History Museum and still got a Parking ticket. I presume so many people are using the Pay by Phone Service that the Parking Inspector simply looked me up on the computer, found no record of Payment and ticketed me. Unfortunately (for them), I did have the Credit Card Parking Receipt displayed on the dashboard, legible even in their own photos of my car supposedly illegally parked, so Westminster “gave me the benefit of the doubt” – excuse me there was no doubt! – and let me off. 

So hold on to those Credit Cards - don't leave home without them - and don't get seduced by new gimmicks.

Tags: Security, Risk & regulation

Comments: (1)

A Finextra member | 09 June, 2009, 14:45

There are alternatives.

Without getting too cute, signing up in the street probably requires you to transmit the account data to the parking payment processor at least once in the initial sign-up, no matter who is providing the service. Voice would probably be better than SMS but if it is to a fake number then you are cactus.

The credit card provider's system is where the fault is to be found.

The credit card system is deficient if simply paying for parking endangers the card-holder's financial security.

The foundation of the system is absent. There is no authentication. The 'parker' cannot determine if the parking payment service is authentic - the credit card company or subsequent merchants and service providers cannot determine if the provider of your details is you or a thief providing your stolen details.

Do you really want to have to hand out your credit card number to everyone and your security code to even some? Perhaps not wise - if you are relying on the card company to protect you.

Another option which would protect you either way would be to demand real time authentication, which provided some protection against being scammed in the first place and protected you even after you did give your credit card details to the wrong person.

Perhaps better to sign-up to a payment system which authenticated your payments in real time and refused to pay thieves, even if you mistakenly tried to.

I have a somewhat cheaper and simpler to use mobile parking payment system in mind which has no additional fees for 'parkers' yet the councils get at least 25% more net revenue. You'll also be reminded before your parking runs out and if you haven't exceeded the overall time limit you'll be able to top up in a second from wherever you are, or told you are out of time. In that case you'd best get back to the car because the inspector would probably know too. Fair is fair.

The parking business is fraught with many problems often associated with cash-cows and some councils may not be getting the best deal for their community.

Parking meters are a blight on the landscape and I'd be suggesting something a little more discreet. Just because some mobile systems are designed and provided by people who don't want to see mobile transactions replace their parking meters doesn't mean there isn't a better way to do it with mobiles. It is a question of motivation. At present the parking meter crowd and some council employees may be motivated similarly.


Keith's profile

Job title: IT Consultant
Location: Bromley
Member since: 2008

Focussing on IT Strategy and Systems Architecture issues, primarily in the Payment Card Industry - scope is Global. SME on topics such as Data Protection and Encryption.
