Uber fraud: Scammer takes the ride, victim gets the bill

Any online app that gets popular also becomes an attractive target for cyber criminals. In the case of Uber, the ride-hailing service, the goal is a free ride more than cash.

The traditional meaning of people “getting taken for a ride” is that they are victims of a scam.

But in the world of online ride-hailing services, the scammer gets taken for the ride – a free ride – while the victim ends up with the bill.

The scams have come to be called “ghost” or “phantom” rides, made possible when cyber criminals steal login credentials from users of a ride service like Uber, and then sell them to fraudsters on the Dark Web.

It does not appear that a breach of Uber itself is the cause of the spike in credentials for sale on the Dark Web, but it is another reminder that popular apps whose users do not implement rigorous security and privacy protections are an attractive, and relatively easy, target for online thieves.

According to a recent report by Trend Micro on data breach statistics from 2005-2015, Uber logins have been among the hottest, and priciest, items for sale on the underground online marketplace.

That doesn’t mean they cost big bucks individually. The report found that Uber accounts were selling for up to $4 each. But that is much more expensive than Netflix logins, at 76 cents, and credit cards, which were at 22 cents. The only ones with a higher price were PayPal accounts with balances, at an average of $6.43.

[Chart: going rate for stolen account credentials on underground markets. Credit: J. Kivinen]

A threat intelligence communications team of analysts from managed security vendor Solutionary found the price of login credentials for riders ranged from 50 cents to $6. “The upper part of this range typically guarantees that the accounts were not picked at random and have some validation behind them,” the team wrote.

There had been some speculation that the stolen accounts could have been connected to the May 2014 breach of an Uber database that contained the names and driver’s license numbers of about 50,000 current and former drivers.

But that, of course, was just driver, not rider, information. There was more speculation in mid-2015 that the company may have been breached when thousands of user login credentials showed up on the Dark Web. But the company issued a statement saying its investigation showed no evidence of a breach.

And one Dark Web vendor, responding to a reporter’s question of where he had obtained them, simply wrote, “Hacked accounts, buddy. I have thousands.”

Breach or not, Uber, which has an estimated 8 million users in 300 cities in 60 countries, reached a settlement three months ago with New York Attorney General Eric Schneiderman that included a $20,000 fine for the company’s failure to notify users of the 2014 data breach, and also required it to be more rigorous about both security and privacy for riders.

That included stripping the PII (personally identifiable information) of riders from the company’s internal tracking system, known as “God’s View” – an aerial view of the movement of Uber cars in real time.

Under the settlement, Uber agreed to “encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.”

A year ago, the company also announced that any change in the name, number or email address of a user would require a text verification.

Still, the “ghost” rides continue, although the most recently reported ones are not in the U.S. Recent Twitter posts under #UberAccountHacked included this one: “I had a great ride in China this morning. Except, weird, I wasn’t in China this morning.” And another: “I am in Bangkok now. But my account showed I am riding in France.”

Experts say that eliminating, or at least minimizing, the fraud will take a combined effort by both service providers and users themselves.

Far too many users use the same credentials – user name and password – for multiple apps. That is asking for trouble – if criminals get login information for one account or app, they will try it on others as well. And if users fall for phishing emails or social media attacks that are much more credible and sophisticated than in the past (the Nigerian princess offering millions of dollars is long gone), one mistake can lead to an individual’s entire online life being compromised.

Ed Cabrera, vice president of cybersecurity strategies at Trend Micro, said users should adopt two-factor authentication (2FA), “whenever it is available.”

The idea is to authenticate a user through something he has and something he knows, such as a debit card that requires a PIN, before a transaction is authorized.

Uber did not respond to a request for comment, but other experts say the security changes it is making are good. Steven Rogers, CEO of Centripetal Networks, said 2FA is “becoming a standard criteria for authenticating users and is a good sign of improving security.”

Some scammed users have wondered if the company could troll the Dark Web itself to find accounts for sale, and then cancel them until the real user establishes new credentials.

That is possible, experts say, but is also difficult. The Solutionary team said the company “would need to develop a team of security experts with a deep and thorough understanding of the Dark Web. And, since some of these markets are closed markets, finding them and gaining membership can be impractical. The Dark Web is not a thing that can just be searched.”

Suni Munshani, CEO of Protegrity, agreed. “Trolling the Dark Web is an enormous task,” he said, “and it’s reactive, hit-or-miss and doesn’t solve the core attack vector here, which appears to be a flawed authentication process.”

But James Chappell, CTO and cofounder of Digital Shadows, said there still may be some value to monitoring the Dark Web. He agreed that, “it is hard to gain a comprehensive view of the marketplaces where accounts are sold, as in most cases they require some sort of transaction to become a trusted user.”

But he said the tools needed to access the Dark Web “are readily available and easy to use, and organizations can learn about what is being discussed and what tactics, techniques, and methods cyber criminals are using. Gaining this situational awareness can help organizations such as Uber make better and more effective security decisions.”

Cabrera added that “many companies already either build or buy advanced threat intelligence programs (that can) create their own threat intelligence by scouring various criminal underground market places for accounts for sale.”

Then there are cases where a user gets notified that a ride he didn’t order is about to arrive in some far-away city or country. That raises the question: If the real user contacts Uber immediately, couldn’t the company notify the driver that he or she is carrying a fraudulent ride?

The Solutionary team said it might be technologically possible, but would be easier, and much safer, “to allow that fraudulent rider to finish the ride, then disable the compromised account.”

Fred Touchette, manager of security at AppRiver, agreed. “As long as Uber can authenticate the claim, it should be relatively easy,” he said, “but as far as what the driver should then do, it could be trickier, because driver safety would be a big concern.”

Munshani said the better solution would be “to verify the individual before the transaction occurs, using something more reliable than a simple password.”

And that leads to the responsibility of users to be more concerned about safety than convenience. If they don’t want their credentials stolen, they need to make more of an effort to protect them.

The Solutionary team noted that if login credentials are stolen and the thief creates a new name, email address and different mobile number, Uber then sends a text verification with a four-digit token to the new number, plus a separate message to the older number, notifying the user of a change in the account.

“But if the authorized user had disabled SMS (short message service) notifications from Uber, they will never see the notification that changes have been made to their account. So, while Uber does an excellent job at pushing 2FA by default, it also allows users to effectively opt out of 2FA,” the team said.
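The weakness the Solutionary team describes is a design choice: the notice to the old contact point is the only signal the real owner gets, yet it is governed by the same opt-out as ordinary notifications. The following added example (not Uber's code; the account model, the gateway stand-in and the policy flag are all constructed for illustration) models the flow from the two paragraphs above, with a four-digit token sent to the new number, and shows the difference between a policy that lets the user's SMS preference suppress the security notice and one that sends it regardless.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed rider account; only the fields the change flow touches."""
    user_id: str
    phone: str
    sms_notifications_enabled: bool = True  # user preference, can be switched off


@dataclass
class Outbox:
    """Stand-in for an SMS gateway: records (recipient, body) instead of sending."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def request_phone_change(account: Account, new_phone: str, outbox: Outbox,
                         security_notices_bypass_optout: bool) -> str:
    """Start a phone-number change and return the 4-digit token sent to the NEW number.

    The notice to the OLD number is the only thing the legitimate owner will see.
    With security_notices_bypass_optout=False it is subject to the user's SMS
    preference (the behaviour described in the article); with True it is always sent.
    """
    token = f"{secrets.randbelow(10_000):04d}"
    outbox.send(new_phone, f"Your verification code is {token}")
    if account.sms_notifications_enabled or security_notices_bypass_optout:
        outbox.send(account.phone,
                    "Your phone number is being changed. If this wasn't you, contact support.")
    return token


def confirm_phone_change(account: Account, new_phone: str,
                         submitted: str, expected: str) -> bool:
    """Apply the change only if the submitted token matches (constant-time compare)."""
    if not secrets.compare_digest(submitted, expected):
        return False
    account.phone = new_phone
    return True


def old_number_was_notified(outbox: Outbox, old_phone: str) -> bool:
    return any(to == old_phone for to, _ in outbox.sent)


def simulate_takeover(security_notices_bypass_optout: bool) -> bool:
    """Scenario from the article: someone holding stolen credentials changes the number
    on an account whose owner has SMS notifications switched off. Returns whether the
    owner's old number received any notice."""
    old_phone = "+15550000001"  # constructed sample number
    victim = Account("rider-123", old_phone, sms_notifications_enabled=False)
    outbox = Outbox()
    new_phone = "+15550009999"  # constructed; controlled by whoever started the change
    token = request_phone_change(victim, new_phone, outbox, security_notices_bypass_optout)
    # The requester controls new_phone, so they read the token from that message.
    confirm_phone_change(victim, new_phone, token, token)
    return old_number_was_notified(outbox, old_phone)


if __name__ == "__main__":
    print("opt-out honoured, owner notified:", simulate_takeover(False))   # False
    print("security notice forced, owner notified:", simulate_takeover(True))  # True
```

The design point is that marketing and convenience notifications can be opt-out, but a notice about a change to an authentication factor should not share that switch; it is the detection signal, and the person most motivated to turn it off is the one who just took over the account.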

Besides keeping SMS notifications from Uber set to ON, other recommendations to users include:

  • Share your trip information via SMS/chat with a friend or family member to confirm the driver, destination and time of the trip.
  • Regularly verify your user profile from within the app.
  • Monitor your ride history to make sure every ride was authorized by you.
  • If you suspect you have been compromised, email the company at support@uber.com or contact @Uber_support on Twitter.
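The "ride in China while I was not in China" reports earlier in the article are a pattern a provider can check for automatically rather than leaving it to riders reviewing their history: consecutive rides that start farther apart than anyone could plausibly have travelled in the time between them. The following added example (not Uber's code; the ride records, coordinates and the 900 km/h plausibility ceiling are constructed assumptions) runs that "impossible travel" check over a small constructed ride history.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass(frozen=True)
class Ride:
    ride_id: str
    start: datetime
    lat: float
    lon: float
    city: str  # label only, for readable reasons


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_implausible_rides(rides: list[Ride]) -> list[tuple[str, str]]:
    """Return (ride_id, reason) for each ride whose start point is too far from the
    previous ride's start point to have been reached in the elapsed time."""
    flags = []
    ordered = sorted(rides, key=lambda r: r.start)
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (cur.start - prev.start).total_seconds() / 3600
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # Floor the gap at one minute so rides logged at the same instant still get a speed.
        speed = dist / max(hours, 1 / 60)
        if speed > MAX_PLAUSIBLE_KMH:
            flags.append((cur.ride_id,
                          f"{dist:.0f} km from {prev.city} to {cur.city} in {hours:.1f} h"))
    return flags


def utc(y: int, mo: int, d: int, h: int, mi: int) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample history: two rides in New York, then one in Shanghai 6.5 hours
# after the last New York ride, then a second Shanghai ride an hour later.
SAMPLE_HISTORY = [
    Ride("r1", utc(2016, 2, 10, 8, 0), 40.7128, -74.0060, "New York"),
    Ride("r2", utc(2016, 2, 10, 18, 30), 40.7484, -73.9857, "New York"),
    Ride("r3", utc(2016, 2, 11, 1, 0), 31.2304, 121.4737, "Shanghai"),
    Ride("r4", utc(2016, 2, 11, 2, 0), 31.2200, 121.4800, "Shanghai"),
]


def flagged_ids(rides: list[Ride]) -> list[str]:
    return [ride_id for ride_id, _ in flag_implausible_rides(rides)]


if __name__ == "__main__":
    for ride_id, reason in flag_implausible_rides(SAMPLE_HISTORY):
        print(f"{ride_id}: {reason}")  # r3 is the only flagged ride
```

Only the first Shanghai ride is flagged: once the account is "in" Shanghai, the next local ride is consistent with it, which is why the check should feed an alert to the real owner (or a hold on the account) rather than silently re-baselining.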

To those, Munshani added a blanket recommendation: “Users should be aware that by entering into a sharing economy agreement with services like Uber, they are trading their data. If they take privacy seriously they should think twice about how they interact with what is essentially a public forum.”

Stories by Taylor Armerding