Scammers are stealing Uber users’ account credentials and abusing them to take “phantom rides” wherever they want.
As reported by The Guardian, all sorts of people, including TV personalities, have had their accounts taken over by scammers and charged for rides they did not order.
When you look over the details of these fraudulent rides, many of them just don’t make sense.
For instance, Angie Bird, an Uber user who lives in London, was charged for 16 separate rides in Mexico some 5,500 miles away. Those responsible for ordering the rides completed only five of the journeys. One of the rides dropped the passengers off at a location just 790 meters away. A journey later that night returned the passengers to their starting point.
Meanwhile, another London user named Franki Cookney was charged US $600 for three Uber rides in New York. One of the rides was a 95-minute, 24-mile drive around Manhattan Island that concluded around the same location where it started.
It’s unclear how the scammers obtained Bird’s and Cookney’s account credentials.
To be sure, Uber has had its security problems in the past.
In February of 2015, for instance, researchers found the company had left its lost-and-found database open to the web.
This alarming discovery came only a few weeks before a database containing information on 50,000 drivers was revealed to have been accessed by an unauthorized third party.
Two months later, some active Uber account details were posted to a dark web marketplace, leading some to wonder whether the online transportation network company had been hacked.
Uber, which just released its first-ever transparency report earlier this month, investigated these claims and found no signs of a breach. It has promised to issue a refund to each and every customer who receives a bill for rides they did not order.
The company says that when users are charged for suspicious rides, attackers have likely compromised a set of account credentials that the user reused across multiple web accounts, and it offers the following advice:
“While there has been no breach of Uber’s systems, we would like to remind our users to always use unique passwords for different online accounts. As has been highlighted before, when people use the same password on more than one site, and one of those accounts is compromised, then anywhere else with the same log-in details can also be accessed.”
The company went on to clarify that attackers have no way of compromising users’ credit card details should they obtain access to a hacked account:
“It is not possible for anybody who logs into an Uber account to access credit card details, and we have already made significant changes to reduce the ability for criminals to take trips on compromised accounts. We are always enhancing the ways we protect users.”
That sounds reasonable to me.
Barring any indication the company might have been hacked, such as a huge uptick in fraudulent orders, users should make sure that they use strong, unique passwords for each of their web accounts.
That will help prevent fraudsters from taking a joyride on your dime halfway around the world.