The traditional meaning of people “getting taken for a ride” is that they are victims of a scam.
But in the world of online ride-hailing services, the scammer gets taken for the ride – a free ride – while the victim ends up with the bill.
The scams have come to be called “ghost” or “phantom” rides, made possible when cyber criminals steal login credentials from users of a ride service like Uber, and then sell them to fraudsters on the Dark Web.
It does not appear that a breach of the provider Uber, is the cause of a spike in credentials for sale on the Dark Web, but it is another reminder that popular apps without rigorous security and privacy protections that are implemented by users are an attractive, and relatively easy, target for online thieves.
According to a recent report by Trend Micro on data breach statistics from 2005-2015, Uber logins have been among the hottest, and priciest, items for sale on the underground online marketplace.
That doesn’t mean they cost big bucks individually. The report found that Uber accounts were selling for up to $4 each. But that is much more expensive than Netflix logins, at 76 cents, and credit cards, which were at 22 cents. The only ones with a higher price were PayPal accounts with balances, at an average of $6.43.
A threat intelligence communications team of analysts from managed security vendor Solutionary found the price of login credentials for riders ranged from 50 cents to $6. “The upper part of this range typically guarantees that the accounts were not picked at random and have some validation behind them,” the team wrote.
There had been some speculation that the stolen accounts could have been connected to the May 2014 breach of an Uber database that contained the names and driver’s license numbers of about 50,000 current and former drivers.
But that, of course, was just driver, not rider, information. There was more speculation in mid-2015 that the company may have been breached when thousands of user login credentials showed up on the Dark Web. But the company issued a statement saying its investigation showed no evidence of a breach.
And one Dark Web vendor, responding to a reporter’s question of where he had obtained them simply wrote, “Hacked accounts, buddy. I have thousands.”
Breach or not, Uber, which has an estimated 8 million users in 300 cities in 60 countries, reached a settlement three months ago with New York Attorney General Eric Schneiderman that included a $20,000 fine for the company’s failure to notify users of the 2014 data breach, and also required it to be more rigorous about both security and privacy for riders.
That included stripping the PII (personally identifiable information) of riders from the company’s internal tracking system, known as “God’s View” – an aerial view of the movement of Uber cars in real time.
Under the settlement, Uber agreed to, “encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.”
A year ago, the company also announced that any change in the name, number or email address of a user would require a text verification.
Still, the “ghost” rides continue, although most recently reported ones are not in the U.S. Recent Twitter posts under #UberAccountHacked included this one: “I had a great ride in China this morning. Except, weird, I wasn’t in China this morning.” And another: “I am in Bangkok now. But my account showed I am riding in France.”
Experts say that eliminating, or at least minimizing, the fraud will take a combined effort by both service providers and users themselves.
Far too many users use the same credentials – user name and password – for multiple apps. That is asking for trouble – if criminals get login information for one account or app, they will try it on others as well. And if users fall for phishing emails or social media attacks that are much more credible and sophisticated than in the past (the Nigerian princess offering millions of dollars is long gone), one mistake can lead to an individual’s entire online life being compromised.
Ed Cabrera, vice president of cybersecurity strategies at Trend Micro, said users should adopt two-factor authentication (2FA), “whenever it is available.”
The idea is to authenticate a user through something he has and something he knows, such as a debit card that requires a PIN, before a transaction is authorized.
Uber did not respond to a request for comment, but other experts say the security changes it is making are good. Steven Rogers, CEO of Centripetal Networks, said 2FA is, “becoming a standard criteria for authenticating users and is a good sign of improving security.”
Some scammed users have wondered if the company could troll the Dark Web itself to find accounts for sale, and then cancel them until the real user establishes new credentials.
That is possible, experts say, but is also difficult. The Solutionary team said the company, “would need to develop a team of security experts with a deep and thorough understanding of the Dark Web. And, since some of these markets are closed markets, finding them and gaining membership can be impractical. The Dark Web is not a thing that can just be searched.”
Suni Munshani, CEO of Protegrity, agreed. “Trolling the Dark Web is an enormous task,” he said, “and it’s reactive, hit-or-miss and doesn’t solve the core attack vector here, which appears to be a flawed authentication process.”
But James Chappell, CTO and cofounder of Digital Shadows, said there still may be some value to monitoring the Dark Web. He agreed that, “it is hard to gain a comprehensive view of the marketplaces where accounts are sold, as in most cases they require some sort of transaction to become a trusted user.”
But he said the tools needed to access the Dark Web, “are readily available and easy to use, and organizations can learn about what is being discussed and what tactics, techniques, and methods cyber criminals are using. Gaining this situational awareness can help organizations such as Uber make better and more effective security decisions.”
Cabrera added that, “many companies already either build or buy advanced threat intelligence programs (that can) create their own threat intelligence by scouring various criminal underground market places for accounts for sale.”
Then there are cases where a user gets notified that a ride he didn’t order is about to arrive in some far-away city or country. That raises the question: If the real user contacts Uber immediately, couldn’t the company notify the driver that he or she is carrying a fraudulent ride?
The Solutionary team said it might be technologically possible, but would be easier, and much safer, “to allow that fraudulent rider to finish the ride, then disable the compromised account.”
Fred Touchette, manager of security at AppRiver, agreed. “As long as Uber can authenticate the claim, it should be relatively easy,” he said, “but as far as what the driver should then do, it could be trickier, because driver safety would be a big concern.”
Munshani said the better solution would be, “to verify the individual before the transaction occurs, using something more reliable than a simple password.”
And that leads to the responsibility of users to be more concerned about safety than convenience. If they don’t want their credentials stolen, they need to make more of an effort to protect them.
The Solutionary team noted that if login credentials are stolen and the thief creates a new name, email address and different mobile number, Uber then sends a text verification with a four-digit token to the new number, plus a separate message to the older number, notifying the user of a change in the account.
“But if the authorized user had disabled SMS (short message service) notifications from Uber, they will never see the notification that changes have been made to their account. So, while Uber does an excellent job at pushing 2FA by default, it also allows users to effectively opt out of 2FA,” the team said.
Besides keeping SMS notifications from Uber set to ON, other recommendations to users include:
- Share your trip information via SMS/chat with a friend or family member to confirm the driver, destination and time of the trip.
- Regularly verify your user profile from within the app.
- Monitor your ride history, to make sure they are all authorized by you.
- If you suspect you have been compromised, email the company at firstname.lastname@example.org or contact @Uber_support on Twitter.
To those, Munshani added a blanket recommendation: “Users should be aware that by entering into a sharing economy agreement with services like Uber, they are trading their data. If they take privacy seriously they should think twice about how they interact with what is essentially a public forum.”