Thousands of users of taxi app Uber have reported their accounts being hacked or hijacked. What’s going on?
“Bilaal, your Uber is arriving now,” my dad was told.
My dad’s name is Ed. And he hadn’t requested an Uber car.
He’s not alone. The US website Motherboard reported two months ago that “thousands” of Uber account details were available to buy for as little as $1 each on the anonymous “dark web”.
Outraged users have been complaining about being charged for various fraudulent taxi rides.
One Londoner was hit with a bill of about £3,000 for 142 journeys – about 10 a day – over the course of two weeks.
Fraudsters often try changing the phone number or email address attached to the account, preventing the account holder from immediately realising they’ve been hacked.
Bilaal was less ambitious. He changed the name on my dad’s account to Bilaal, presumably so he wouldn’t accidentally give himself away if the driver asked for Ed.
And his first trip wasn’t exactly what you’d expect from a joyriding, dark-web-using Uber hijacker.
It lasted 45 seconds – a distance of 0.12 miles – and Bilaal stayed in a single street, near the University of East London’s student union.
This was at 09:25 and it didn’t even cost enough to cover the £5 minimum – so Uber automatically topped it up by £2.24.
Question marks over Uber’s security were also raised in February, when news arose of a previous security breach concerning the details of about 50,000 drivers.
But while Uber confirmed the breach on that occasion – albeit more than four months after it occurred – this time it has consistently denied one took place. Many users receive a response similar to my dad’s:
“It looks like someone may have accessed your account illegitimately. Whilst this may be the case, please note that our team has investigated and found no evidence of a system-wide breach at Uber.”
But it took a while for my dad to get a response, something that has irked numerous other users.
In the meantime, at 09:31, just five minutes after his first ride, Bilaal got another Uber from further down the same road – and made an equally baffling journey.
In a 46-minute ride, Bilaal went a total distance of one mile – ending up on the opposite side of the same roundabout he’d started at, and costing £10.63 to my increasingly frustrated and perplexed dad. “He’s either someone visiting all his mates or he’s a drug dealer,” my dad said at the time.
Twice at this point he’d received the call saying his Uber was outside. Twice he’d said: “I didn’t order an Uber, cancel it”. Twice he’d been sent a receipt. And twice he’d replied with requests for Uber to do something.
He heard nothing from Uber – and for a while Bilaal went quiet too.
He suddenly resurfaced an hour and a half later on the A12 in London – a fair distance from where he’d been dropped off – taking a 29-minute, £15.36 trip out to Chigwell, in Essex.
Despite rejecting any possible security breach on their system, Uber has acknowledged the issue and promised to refund all fraudulent rides to anyone whose account has been compromised.
My dad was reimbursed and received several apologetic emails the next day. “We can confirm that we haven’t had any breach,” says Harry Porter, Uber’s spokesperson in the UK, Ireland and the Nordic countries. Other companies have experienced similar security issues at around the same time, he says.
At the end of March, British Airways’ Air Miles accounts were among those reported to have been cyber-attacked. Amazon, Netflix, EE and Vodafone accounts are all also apparently available to purchase on the dark web.
“The hypothesis that we currently have – and it seems to be correct – is that an e-commerce or online company somewhere has had some kind of breach,” Porter says.
“And what people are doing is they are trying those login details against a number of other online companies – Uber is one of them – and some of these are getting through.”
“That is quite plausible,” says Dr Steven Murdoch, a cyber-security expert at University College London. It’s still extremely common for people to use the same password on numerous websites, he says, and Uber uses email addresses rather than personalised usernames.
Sellers can get access to large databases of personal details – either from the dark web or the internet – and then test them across various websites to see if they’re of any value, Murdoch explains.
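The pattern Porter and Murdoch describe – leaked credentials tried in bulk against a site that uses email addresses as usernames, with “some getting through” – leaves a distinctive trace in login logs. The following is an added illustration of how a defender might spot it; it is not Uber’s code and not something described by this article’s sources. The log line format and the sample events are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample login events (not real Uber data). The line format
# "<timestamp> src=<ip> user=<email> result=<ok|fail>" is an assumption.
# One source walks through many different accounts with mostly failures and a
# couple of hits; two ordinary users mistype their own password a few times.
SAMPLE_LOG = """\
2015-04-01T09:20:01Z src=203.0.113.7 user=alice@example.com result=fail
2015-04-01T09:20:02Z src=203.0.113.7 user=bob@example.com result=fail
2015-04-01T09:20:02Z src=203.0.113.7 user=carol@example.com result=fail
2015-04-01T09:20:03Z src=203.0.113.7 user=ed@example.com result=ok
2015-04-01T09:20:03Z src=203.0.113.7 user=dave@example.com result=fail
2015-04-01T09:20:04Z src=203.0.113.7 user=erin@example.com result=fail
2015-04-01T09:20:04Z src=203.0.113.7 user=frank@example.com result=ok
2015-04-01T09:20:05Z src=203.0.113.7 user=grace@example.com result=fail
2015-04-01T09:21:10Z src=198.51.100.9 user=bob@example.com result=fail
2015-04-01T09:21:25Z src=198.51.100.9 user=bob@example.com result=ok
2015-04-01T09:22:00Z src=192.0.2.33 user=alice@example.com result=fail
2015-04-01T09:22:09Z src=192.0.2.33 user=alice@example.com result=fail
2015-04-01T09:22:20Z src=192.0.2.33 user=alice@example.com result=fail
2015-04-01T09:22:41Z src=192.0.2.33 user=alice@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source counters: how many accounts were tried and which ones opened."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)      # distinct accounts tried
    successes: Set[str] = field(default_factory=set)  # accounts that let the source in

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Fold the event stream into per-source statistics."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        s = stats[ev["src"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(ev["user"])
    return dict(stats)


def flag_stuffing(stats: Dict[str, SourceStats],
                  min_distinct_users: int = 5,
                  min_fail_ratio: float = 0.5) -> Dict[str, Set[str]]:
    """Sources that tried many different accounts and mostly failed look like
    credential stuffing. A single user retrying their own password (one
    distinct account) is deliberately not flagged, whatever the failure ratio.
    Returns {source: accounts that succeeded from it}."""
    return {
        src: set(s.successes)
        for src, s in stats.items()
        if len(s.users) >= min_distinct_users and s.fail_ratio >= min_fail_ratio
    }


def accounts_to_review(log_text: str) -> Set[str]:
    """Accounts that opened from a flagged source: candidates for a password
    reset and a "was this you?" notification, not for an automatic lockout."""
    hits: Set[str] = set()
    for succeeded in flag_stuffing(aggregate(log_text)).values():
        hits |= succeeded
    return hits


if __name__ == "__main__":
    for src, opened in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(f"{src}: stuffing pattern, accounts opened: {sorted(opened)}")
```

The thresholds are deliberately simple; in practice the per-source key would be widened (ASN, user-agent, device fingerprint) because stuffing tools rotate IP addresses, and the accounts that opened are the ones worth notifying, since those are the “some of these are getting through” that Porter mentions.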
“If it’s just a database of usernames, email addresses and passwords, that’s not worth very much,” Murdoch says. “That gets sold as a big file for a very small amount of money.” But individual website accounts – such as for Uber – are worth more, he says.
“The people who are selling on these websites do have a reputation to maintain,” Murdoch says, “and they try to make sure they are selling a good product – albeit an illegal one. Many do offer refunds, so if it doesn’t work they’ll give you another one for free.”
There are even guides on sale, teaching buyers how to use their illegal accounts, reports Motherboard. The hijackers are apparently advised to log in via the website, rather than the app, for example.
Uber is taking steps to heighten security. Any change in name, number or email address will now require text verification to confirm it’s you, Porter says.
“If there is a suspicious vibe on an account then the original phone number associated with that account will get a text saying, ‘Someone’s trying to book a ride in this country, is this you?’”
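The control Porter describes has one detail that matters more than the rest: the verification text must go to the phone number already on the account, not to the one the person is trying to put there, otherwise a hijacker simply confirms their own change. The following is an added illustration of that rule; it is not Uber’s implementation, which is not public, and the class names, the 5-minute code lifetime and the three-attempt limit are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Account:
    name: str
    email: str
    phone: str


@dataclass
class PendingChange:
    attr: str            # which protected field is being changed
    new_value: str
    code: str            # one-time code texted to the ORIGINAL phone number
    verify_phone: str    # where the code went; the new number is untrusted until confirmed
    expires_at: float
    attempts_left: int = 3


class FakeClock:
    """Injectable clock so the demo (and a test) can advance time deterministically."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


class ProfileChangeGuard:
    """Step-up verification for changes to name, email or phone (assumed policy)."""
    PROTECTED = {"name", "email", "phone"}

    def __init__(self, send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time, ttl: float = 300.0):
        self.send_sms = send_sms
        self.now = now
        self.ttl = ttl
        self.pending: Dict[str, PendingChange] = {}

    def request_change(self, account_id: str, account: Account,
                       attr: str, new_value: str) -> str:
        """Stage the change and text a code to the number currently on the account."""
        if attr not in self.PROTECTED:
            raise ValueError(f"{attr!r} is not a protected field")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account_id] = PendingChange(
            attr=attr, new_value=new_value, code=code,
            verify_phone=account.phone,          # original number, never the new one
            expires_at=self.now() + self.ttl,
        )
        self.send_sms(account.phone,
                      f"Someone is trying to change the {attr} on your account. "
                      f"If this is you, enter code {code}. If not, ignore this message.")
        return "pending"

    def confirm_change(self, account_id: str, account: Account, submitted: str) -> bool:
        """Apply the staged change only if the code matches, is fresh, and few guesses were used."""
        pc: Optional[PendingChange] = self.pending.get(account_id)
        if pc is None:
            return False
        if self.now() > pc.expires_at:
            del self.pending[account_id]          # stale code: start over
            return False
        if not hmac.compare_digest(pc.code, submitted):
            pc.attempts_left -= 1
            if pc.attempts_left <= 0:
                del self.pending[account_id]      # too many guesses: discard the change
            return False
        setattr(account, pc.attr, pc.new_value)   # only now does the new value take effect
        del self.pending[account_id]
        return True


if __name__ == "__main__":
    outbox = []
    guard = ProfileChangeGuard(send_sms=lambda to, msg: outbox.append((to, msg)))
    ed = Account(name="Ed", email="ed@example.com", phone="+447700900001")  # constructed
    guard.request_change("acct-1", ed, "name", "Bilaal")
    print("text sent to:", outbox[-1][0])      # the original number, not the attacker's
    print("name after request, before confirmation:", ed.name)
```

Because the staged value is not written until the code comes back, an attacker who has only the password cannot rename the account, redirect receipts to a new email or move the number to a handset they control, and the legitimate holder gets exactly the “is this you?” text Porter describes.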
There’s also the possibility for greater police cooperation. In theory, a suspected criminal in an Uber is being tracked the whole way.
“If you can alert the driver in time, while they’re still in the car, surely they can just drive straight to the police station and hand them in,” my dad suggests.
If it’s possible to pinpoint exactly where someone is at a given time, Murdoch adds, maybe the fraudster’s been caught on film at some point too.
Porter says Uber is already in contact with relevant authorities and cooperating in ongoing fraud investigations.
Other suggestions surfacing online question whether Uber drivers could be involved, especially given the bizarre routes of some fake trips.
“A fraudulent driver could book people to use their own service,” Murdoch says, using a fake account and driving wherever they want to increase the price.
“But I’d be surprised if that actually works out,” Murdoch adds. “If it keeps on happening then Uber will just take the view that it’s too suspicious and take the money off the driver.”
In fact, Uber’s promise to reimburse victims of fake trips extends to drivers too.
“We make sure the driver, who is also kind of a victim in this, gets paid. So no one will lose out,” says Porter.
Bilaal used different drivers anyway, including for his final £27.73 ride of the day.
Having been in Essex at midday, Bilaal had kindly made his own way back to the A12 by 21:00, sparing my dad further expense.
But then he took one hour and 21 minutes to travel nearly 10.5 miles – far from outrageous bearing in mind London’s traffic.
Except that his destination was 1.1 miles away – and he’d already passed it at least once during a journey that should’ve taken about six minutes, according to Google Maps.
Oh, Bilaal. What were you up to?