Quishing: Real danger at charging stations

QR codes can be found in almost all areas of life. Unfortunately, fraudsters have an easy time with static QR codes. But don’t worry. With FINETELLIGENCE you are safe: because we rely on dynamic QR codes in combination with Click2Pay at charging stations. But why are static QR codes even legal? Have you heard of quishing before? What is it? How does it work? How can you protect yourself?

Let’s start at the very beginning. The AFIR – the Alternative Fuel Infrastructure Regulation – has been in force in the EU since April 2024. The AFIR is intended to make the European charging infrastructure for e-vehicles more attractive and transparent. In future, it must be possible for electric car drivers to pay with a standard payment card, such as a debit or credit card. For charging points with an output of less than 50 kW, however, specific QR codes may also be available as an electronic means of payment.

According to the AFIR, the “security of the payment process” is satisfied with both static and dynamic QR codes. Yes, that may be true, but unfortunately practice shows otherwise. Just a few weeks ago, a post by a Belgian charging station operator went viral – an incorrect QR code redirected e-car drivers to the wrong page after charging.

Lo and behold, there’s something dangerous lurking, it’s called “quishing”. But what exactly does this term mean and how can you protect yourself against it?

What is quishing?

QR code phishing, or quishing for short, is a combination of “QR” and “phishing” in which users are directed to fake websites using QR codes. The same can happen to drivers when they pay for a charging session. Unfortunately, it’s almost too easy: paste over the QR code and the redirection is complete.

This method is particularly unscrupulous, as QR codes are generally seen as a convenient and secure means of transmitting information quickly. However, cyber criminals have an easy time not only in shops: QR codes are ubiquitous for payments and for logging in to some websites.

With the increasing use of QR codes in our everyday lives – whether in restaurants, for other payments or when logging into websites – they offer an attractive target for cyber criminals, not least because awareness of them is still not very high.

How does quishing work?

The process of a quishing attack is relatively simple, but effective:

  • Creation of a false QR code: Cyber criminals generate a QR code that links to a phishing website.
  • Distribution of the QR code: The distribution works with almost all advertising media – from social media to printed posters – or by covering or sticking over an existing “real” QR code. The latter option is ideal for charging stations, for example.
  • Scan of a false QR code: When scanning a fake QR code, users are redirected to a fake website. If login details or payment details are then also entered, data theft – and in the case of payment details, money theft – takes place.

How can you protect yourself?

There are a few tips you can follow to protect yourself from quishing attacks.

  • Be careful when scanning: Do not scan QR codes from unknown or suspicious sources.
  • Check the URL: Many QR scanner apps will display the URL before redirecting you. Check the URL carefully and make sure it is legitimate before proceeding.
  • Use security software: Some antivirus and security software solutions recognise malicious QR codes and can warn you.
  • Knowledge protects: Inform those around you about quishing or share this article 😉
  • Check the QR code at the charging station: Before scanning a QR code at the charging station or other locations, look out for signs of over-sticking.
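
The “Check the URL” tip can be made mechanical once the operator’s real payment host is known. The following is an added example, not code from the original article or from FINETELLIGENCE; the host `pay.example-cpo.test` and all sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the operator publishes this as its only payment host.
TRUSTED_HOSTS = {"pay.example-cpo.test"}

def check_qr_url(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return reasons to distrust a URL decoded from a QR code ([] = passed)."""
    try:
        parts = urlsplit(payload.strip())
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["not a well-formed URL"]
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if "@" in parts.netloc:
        findings.append("userinfo before '@' disguises the real host")
    if not host:
        findings.append("no host")
        return findings
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("non-ASCII or punycode host (possible lookalike)")
    # Exact match only: a trusted name used as a prefix of another domain fails.
    if host not in trusted_hosts:
        findings.append(f"host '{host}' is not a known payment host")
    return findings

# Constructed sample payloads, as a scanner app would decode them.
SAMPLES = [
    "https://pay.example-cpo.test/s/CP-0042",
    "http://pay.example-cpo.test/s/CP-0042",
    "https://pay.example-cpo.test@checkout.example/s",
    "https://pay.example-cpo.test.checkout.example/s",
    "https://xn--py-8cd.example-cpo.test/s",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url) or "ok")
```

The check compares the full host name exactly, which is what a careful reader of the displayed URL has to do by eye: the trusted name appearing somewhere in the address is not enough.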

Conclusion

Quishing is omnipresent. Despite the measures mentioned, static QR codes are insecure. The safer option? Dynamic QR codes. With these, the link in the QR code redirects to a second link, which can be changed dynamically, and users are protected.

In order to be able to fully guarantee the “security of the payment process”, the only way is to use dynamic QR codes in combination with Click2Pay. The E-nfinity payment solution from FINETELLIGENCE uses dynamic QR codes to ensure secure payment transactions for CPOs and e-car drivers!

SIMPLY FLEXIBLE

Our solution is particularly flexible and supports both the direct integration of a terminal into a charging station and a decentralized kiosk for operating several charging stations. You can therefore design your charging park entirely according to your wishes. Our Direct Payment works independently of your charging station management system (CPMS) and allows you to integrate various charging station manufacturers into your portfolio, while you only need one payment software.

SIMPLY TRANSPARENT

Our software offers transparent prices and enables quick and easy integration. We think outside the box and therefore support numerous protocols. Direct contracts with acquirers mean there are no hidden costs for CPOs. This enables attractive pricing for the end user. The existing CPMS remains usable, even in the event of future changes. Our solution guarantees even more future security, as it can continue to be used in the event of a backend change.

SIMPLY LEGALLY COMPLIANT

Our payment solutions are legally compliant worldwide and take 100% account of national tax laws - including AFIR, of course. Our solutions are already being used successfully for charging parks in various countries. Thanks to our sister company RetailForce, we offer in-house expertise in tax-compliant document creation that has proven itself in practice. Our solution is internationally scalable and enables simple payment with innovative payment methods.

SIMPLY PROVEN IN PRACTICE

With more than two decades of experience, we are true payment experts. Our payment solution is already in daily use in many countries. This means that it is not only mature and proven, but also ready to use. During the payment process, your customers can use a QR code to transfer their receipt to their mobile phone.