Here’s an old and well-known attack that exploits QR codes, still being used in 2024.
At least five parking machines with fake QR codes that said “PHONE PAY” were discovered at Fisherman’s Wharf on Thursday, the San Francisco Municipal Transportation Agency said in a Friday social media post.
The fake codes were discovered by SFMTA crews, Michael Roccaforte, an SFMTA spokesperson, told SFGATE. The agency is unsure whether any visitors were affected, Roccaforte said.
Notably, nobody who was targeted, or even exploited, reported these bad codes.
The point of QR codes is machine-readable text, yet countermeasures are all going to require human-readable text. Thus a QR code found in an uncontrolled public place is inherently unsafe and can’t be trusted.