This has been a problem with NYC's bike share program, CitiBike. The solution was to add an alert when your phone's location is far from the location of the bicycle you are trying to unlock.
> Citi Bike says it is aware of a scam in New York City in which thieves are switching the QR code stickers on rental bicycles in order to steal bikes unwittingly unlocked by customers. The scammers wait for a renter to unlock a bicycle using the QR code, then ride away on the bike to which the code actually belongs, officials said.
Easy (conceptually) solution: a button on the dock that you need to press to complete the unlock. When you scan the QR code, CitiBike looks up which dock it thinks the bike is in, then waits for you to press that dock's button before releasing the bike.
Assuming that there is no feedback during this process coming from the bike, what is the thief going to do? Sit there for an hour constantly pressing the button?
The thief would just observe, from a distance, and wait for someone trying to scan the fake qr code. When he sees the victim, he pushes the button and steals the bike.
This is why Toronto's bike share requires Bluetooth to be turned on. At worst, you might end up unlocking another bike at the same station. (And you'll hear it!)
A possible solution could be to use small e-ink displays showing single-use QR codes that change every 2 minutes or so. I don't know if it would be feasible though or it would drain the battery of the bike too quickly.
> Citi Bike says it is aware of a scam in New York City in which thieves are switching the QR code stickers on rental bicycles in order to steal bikes unwittingly unlocked by customers. The scammers wait for a renter to unlock a bicycle using the QR code, then ride away on the bike to which the code actually belongs, officials said.
https://apnews.com/article/lifestyle-nyc-state-wire-34d4ecd5...