Securing the Digital World

Not on My Dime: When Fraudsters Take a Phantom Ride

May 20, 2016 | by Heidi Bleau

As any parent with children in sports knows, it is simply not possible to be in two places at the same time. I have tried to defy the laws of time and space by magically appearing at two different baseball fields when my sons' games are conveniently scheduled at the same time on different fields across town. While I have not yet succeeded in making that contradiction a real possibility, fraudsters may have uncovered a way, thanks to credentialing gaps in Uber's ride-sharing service and purchases made by fraudsters on the Dark Web.

The scams, known as "ghost" or "phantom" rides, occur when cyber thieves steal login credentials from legitimate users of Uber's ride-hailing service and then sell them on the Dark Web to fraudsters who, in turn, take free rides on someone else's tab.

It's important not to be dismissive of the value of these logins. According to a recent report, Uber accounts were selling for up to $4 each on the Dark Web, a premium over more pedestrian logins from Netflix ($.76).

This is not the first time the company has been in the line of attack. In 2014, an Uber database that included the names and licenses of approximately 50,000 current and former drivers was breached. In a settlement reached with the New York Attorney General, the company was directed to 'strip' all PII of riders from the company's real-time internal customer and auto-tracking system. Additionally, Uber now requires a text verification for any change in a user's personal information (e.g. name, number or email address), which we'll get to shortly.

In spite of all these precautions, the "ghost" rides persist. According to CSO Online, recent Twitter posts under #UberAccountHacked included this one: "I had a great ride in China this morning. Except, weird, I wasn't in China this morning." And again: "I am in Bangkok now. But my account showed I am riding in France."

To mitigate, reduce or even eliminate this kind of fraud from the user's perspective, the long-time guidance has been to not use the same credentials (e.g. user name and password) for multiple apps or multiple sites. With human nature being what it is, if criminals steal login information for one account, be assured they will try it on others.

In some markets, Uber is testing a version of two-step authentication so when a user logs on from an unknown device, they are prompted to enter additional credentials. The company plans to roll out this second authentication factor in other markets soon.

Incidentally, Uber's SMS solution can be a double-edged sword. A managed security vendor contacted by CSO, for example, notes the following use case: If login credentials are stolen and the thief creates a new name, email address and different mobile number, Uber sends a text verification along with a four-digit token to the new number. In parallel, it also sends a separate message to the older number, notifying the user of a change in their account.

However, if the authorized user had disabled SMS notifications, in this case from Uber, they will never see the notification that changes have been made to their account. This effectively, albeit unknowingly, enables the customer to "opt out" of Uber's 2FA-by-default requirement.

This security hole is unlikely to lead many loyal users of Uber or other ride-sharing services to change how they hail a ride. However, just as with any other time or venue in which your financial or personal information is being exchanged for a service, it's important not to let your guard down. That applies not only to who is driving you to your destination, but also to how the service employing that driver is protecting the personal information you just shared with it.