Phantom riders abusing stolen Uber users’ accounts for strange journeys

Scamming passengers leave Uber users out of pocket.

David bisson
David Bisson

Uber taxi

Scammers are stealing Uber users’ account credentials and abusing them to take “phantom rides” wherever they want.

As reported by The Guardian, all sorts of people, including TV personalities, have had their accounts taken over by scammers and charged for rides they did not order.

When you look over the details of these fraudulent rides, many of them just don’t make sense.

Sign up to our free newsletter.
Security news, advice, and tips.

For instance, Angie Bird, an Uber user who lives in London, was charged for 16 separate rides in Mexico some 5,500 miles away. Those responsible for ordering the rides completed only five of the journeys. One of the rides dropped the passengers off at a location just 790 meters away. A journey later that night returned the passengers to their starting point.

Meanwhile, another London user named Franki Cookney was charged US $600 for three Uber rides in New York. One of the rides was a 95-minute, 24-mile drive around Manhattan Island that concluded around the same location where it started.

Uber ride

It’s unclear how the scammers obtained Bird’s and Cookney’s account credentials.

To be sure, Uber has had its security problems in the past.

In February of 2015, for instance, researchers found the company had left its lost-and-found database open to the web.

This alarming discovery came only a few weeks before a database containing the information on 50,000 drivers was revealed to have been accessed by an unauthorized third party.

Two months later, some active Uber account details were posted to a dark web marketplace, leading some to wonder whether the online transportation network company had been hacked.

Uber, which just released its first-ever transparency report earlier this month, investigated these claims and found no signs of a breach. It has promised to issue a refund to each and every customer who receives a bill for rides they did not order.

The company says that when users are charged for suspicious rides, that means attackers likely compromised a set of account credentials the user set up across multiple web accounts, and offers the following advice:

“While there has been no breach of Uber’s systems, we would like to remind our users to always use unique passwords for different online accounts As has been highlighted before, when people use the same password on more than one site, and one of those accounts is compromised, then anywhere else with the same log-in details can also be accessed.”

The company went on to clarify that attackers have no way of compromising users’ credit card details should they obtain access to a hacked account:

“It is not possible for anybody who logs into an Uber account to access credit card details, and we have already made significant changes to reduce the ability for criminals to take trips on compromised accounts. We are always enhancing the ways we protect users.”

Scan credit card

That sounds reasonable to me.

Barring any indication the company might have been hacked, such as a huge uptick in fraudulent orders, users should make sure that they use strong, unique passwords for each of their web accounts.

That will help prevent fraudsters from taking a joyride on your dime halfway around the world.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.