Slashdot Mirror


Thousands of Uber Drivers Scammed Out of Millions of Dollars (cnet.com)

CNET reports on what happened when a new Uber driver received a call from Uber telling him to cancel the trip and verify his account: The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account. "Nothing happened for the rest of the week," the driver says. "I didn't think anything of this again until Saturday." But in those following three days, the scammer had changed the driver's account settings and waited for the perfect time to withdraw money.... By Saturday night, his $653.88 in earnings from that week had been nabbed from his account...

Apparently the scam has hit thousands of ride-hail drivers, and millions of dollars have been diverted from their accounts, according to a lawsuit brought by the U.S. Attorney's Office in New York's federal court last November... [A] couple of key elements about Uber make it possible. When passengers hail a ride with Uber, they see the name of the driver and the car's make, model and license number, and they get an anonymized phone number to call the driver. All of this ensures passengers safely connect with the right driver. But it also makes it possible for the wrong people to see lots of information about drivers.

When one of the scam victims complained to Uber, he "was told he had to wait until Monday when he could talk to a representative in person at one of its driver hubs," although eventually Uber "agreed to credit the $653.88 back to his account as a 'one-time repayment courtesy.'"

Other scammers have gone after Uber directly, CNET reports, using GPS-spoofing apps to simulate long rides as "a way to pocket money via stolen credit cards, essentially using Uber as a makeshift money laundering service." Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.

94 comments

  1. Really? by Anonymous Coward · · Score: 1, Insightful

    You'd have to be a moron to be an Uber driver so this seems to match up well

    1. Re:Really? by Anonymous Coward · · Score: 1, Insightful

      The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account.

      So this story is really about Uber drivers being complete morons.

    2. Re:Really? by Calydor · · Score: 4, Insightful

      Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.

      You do not speak your password aloud, ever.
      You do not send your password to another person, ever.
      You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Really? by 0100010001010011 · · Score: 1

      I honestly couldn't tell you any password I have or have had ever.

      My first passwords were muscle memory. It was a pattern I learned on the keyboard.

      Now I use a one way hash to generate a custom password per username/site.

      sha256(password+0100010001010011+slashdot.org) = AA9BA292D020183DCAAB6FD6F546FD56EED5E46F686DE29C58EE819DCADC197E

      Good luck getting me to remember that or transcribe it correct over the phone.

    4. Re:Really? by Anonymous Coward · · Score: 0

      In this case I'm surprised the scammers went to so much trouble.
      Just ask the driver for all of their credit cards and bank account number. Clearly the driver would have just told them.

    5. Re:Really? by Kjella · · Score: 2

      Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.

      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein

      --
      Live today, because you never know what tomorrow brings
    6. Re:Really? by ShanghaiBill · · Score: 4, Funny

      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein

      It is unlikely that Einstein ever said that. It was first attributed to him in 1969, 15 years after his death, by someone who had earlier attributed the same quote to someone else.

      "Don't believe everything you see on the Internet just because it is attributed to someone famous." -- Abraham Lincoln.

    7. Re:Really? by alantus · · Score: 1

      Or typing it on a cellphone

    8. Re:Really? by rtb61 · · Score: 1

      It definitely would not be Einstein, stupidity is most definitely not infinite, it really does not take all that much to lead to the finiteness of death.

      --
      Chaos - everything, everywhere, everywhen
    9. Re:Really? by Anonymous Coward · · Score: 1

      Or one of those fancy, enter the 15th 19th and 12th characters from your password thingies. Which seem designed to keep passwords short as being such a pain to work through for anything complex of length.

    10. Re:Really? by Joce640k · · Score: 1

      I wonder if Uber could do something simple like change the two-factor verification message to:

      "Do NOT repeat the following number to ANYBODY over the phone, they are SCAMMERS trying to steal money from you: 123456"

      Nah, that would require a braincell.

      --
      No sig today...
    11. Re: Really? by Anonymous Coward · · Score: 0

      Getting a clue, they would quit working for Uber as uncertified taxi drivers.

    12. Re:Really? by thegarbz · · Score: 1

      You do not speak your password aloud, ever.
      You do not send your password to another person, ever.
      You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.

      And most importantly: You do not hear any of this if you are a very low class low income earner driving an uber for a few hundred bucks a week and sleeping in your car at a SevenEleven to make ends meet.

      Yeah I get what you're saying. So does every office worker who's ever had an email from IT, so do tech savvy people who are around computers a lot. But there are an entire class of people who would never have received this advice and are getting calls not from unsolicited strangers about their broken Windows installation or their non-existent PayPal accounts, but rather from what they think is their only lifeline: their very shitty employer (contract parent company? ... no. EMPLOYER).

    13. Re:Really? by Anonymous Coward · · Score: 0

      Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.

      You do not speak your password aloud, ever.
      You do not send your password to another person, ever.
      You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.

      Everyone has heard these in passing. IT/computer people have had them drilled. But unless you're infosec, you don't live it. Even IT people occasionally look at me like the teetotaler in the bar when I tell them to change their admin password because they just said it out loud in a public space. How dare I inconvenience them.

    14. Re: Really? by Anonymous Coward · · Score: 0

      Hmmm. The people that provide all types of services to make your life easier are also morons?

    15. Re:Really? by Anonymous Coward · · Score: 0

      There may be cases where you need to give out personal information. But if you did not initiate the call/email/chat/etc, don't give out personal information. If they contacted you, they have your information up. If they need to verify you are the account holder/etc, you need to look up their phone number independently, and call them back, so you know who _they_ are.

  2. News Flash by 93+Escort+Wagon · · Score: 3, Insightful

    Some Uber drivers aren't particularly bright.

    --
    #DeleteChrome
    1. Re:News Flash by Anonymous Coward · · Score: 1

      Some Uber drivers aren't particularly bright.

      There's morons everywhere. Morons are the basic currency of any large scale scam. The only fixes are education, or moron proof systems.

    2. Re:News Flash by PolygamousRanchKid+ · · Score: 1

      Some Uber drivers aren't particularly bright.

      "No one in this world, so far as I know ... has ever lost money by underestimating the intelligence of the great masses of the plain people." -- H.L. Mencken

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:News Flash by Anonymous Coward · · Score: 0

      Education?? There's no cure for stupid.

    4. Re: News Flash by Anonymous Coward · · Score: 0

      Louis XVI of France?

    5. Re:News Flash by mjwx · · Score: 1

      Some Uber drivers aren't particularly bright.

      If they were bright, they wouldn't be Uber drivers. You've got to be daft to think anyone makes money from Uber (not even Uber themselves make money).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:News Flash by Anonymous Coward · · Score: 0

      Precisely. Education is a cure for ignorance.

  3. Zombie society. by Anonymous Coward · · Score: 0

    It's all good in creating a society where everyone is out for themselves. From corporations to individuals one survives by figuratively eating each other.

  4. Stupid by Anonymous Coward · · Score: 0

    ...Really Should Burn

  5. Jetsons by Tablizer · · Score: 2

    Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.

    PHB: "So let's claim we invented the flying car!"
     

  6. Each by easyTree · · Score: 0

    Thousands of Uber Drivers Scammed Out of Millions of Dollars...

    ...each.

    1. Re: Each by Monster_user · · Score: 2

      Unlikely. What are the odds that an Uber driver competent enough to earn millions in a reasonable time frame would be illiterate enough to hand out a 2FA? Most of the rest are not making enough for upkeep, and are trending towards negative income.

  7. Close, but no cigar by Anonymous Coward · · Score: 0

    ..."weird" altitude coordinates indicated that the drivers were flying through the sky.

    No, those are just the pedestrians they've been hitting.

    1. Re:Close, but no cigar by dgatwood · · Score: 1

      Must have been those self-driving Uber scammers.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Difference between fairy tale and a sea story ... by CaptainDork · · Score: 1

    ... a fairy tale starts, "Once upon a time ..." and a sea story starts, "Hey, this ain't no shit:"

    Hey, this ain't no shit: I was at the hangar at NAS Quonset Point, RI, working on an antisubmarine computer that lived on a P3 Orion and the goddam thing was nuts.

    In self-test mode, it was tracking a sub at 3 feet above the surface going 60 knots.

    HAhahaHAHahA

    Seriously, folks; it's OK to mode me down but that memory (which was a hand-woven ferrite core, 64 bytes not Kb) is a hoot.

    --
    It little behooves the best of us to comment on the rest of us.
  9. Victim's fault? by Okian+Warrior · · Score: 0

    Some Uber drivers aren't particularly bright.

    So... just to be clear, you're saying it's the victim's fault, and Uber shouldn't take a look at their security practices and maybe change things to prevent this in the future.

    It's the victim's fault - right?

    1. Re: Victim's fault? by Anonymous Coward · · Score: 3, Insightful

      Yes

    2. Re:Victim's fault? by gravewax · · Score: 5, Insightful

      The victims gave away their password and gave them their 2FA confirmation and then thought nothing of it till their money disappeared. I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger. YES it is partially the victim's fault. This concept that you can't blame the victim when the victim is clearly a huge part of the problem is moronic.

    3. Re:Victim's fault? by Anonymous Coward · · Score: 0

      So... just to be clear, you're saying it's the victim's fault, and Uber shouldn't take a look at their security practices and maybe change things to prevent this in the future.

      Change them to *what* exactly?

      What method and process would you suggest to allow the rightful owner of money access to said money while denying everyone else access to said money?

      What, exactly, is your suggestion to solve the problem of the "victim" willingly giving out anything and everything stored in their head that could identify them as the rightful owner?

      Do you base your security on something they know? They will willingly hand that out, obviously.
      Do you base it on something they have? That too they willingly give to others.
      Do you base it on something they are? Despite the fact that can't provide authentication and only provides identification, and again identification they willingly give to others?

      Once the rightful owner of the money has received their money, how do you intend to prevent that rightful owner from handing the money over to a stranger? They clearly do this too.

      Explain how you are intending to allow the rightful owner of their money the ability to both give their money to whom they wish, while at the exact same moment prevent the rightful owner from giving their money to whom they wish. Your plan must meet this contradictory requirement as well.

    4. Re:Victim's fault? by Anonymous Coward · · Score: 0

      What exactly would you have Uber change? I'm seriously asking here.

    5. Re:Victim's fault? by duke_cheetah2003 · · Score: 3, Insightful

      YES it is partially the victim's fault.

      Partly? BS. This is 100% the victim's fault. I mean, who gives away their login credentials AND 2FA to a stranger on the phone?

      ZERO sympathy, sorry, this is the victim's fault. You don't get to cry foul if you open the door for the thief and point right to the valuables and say "I'll just be in the bathroom wanking off."

    6. Re:Victim's fault? by SumDog · · Score: 1

      Probably more training. More, "Uber will never ask you for your password. Do not give anyone your cell-phone confirmation code." Just more basic training for people who never got this or understand how computers and authentication work.

      At least then there is lower liability. You have proof that you tried to train your employee in correct security procedures.

    7. Re:Victim's fault? by Solandri · · Score: 3, Insightful

      Agreed. But it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."

      TFA is great, but not everyone understands how it works. And as a corollary, you shouldn't have to understand how TFA codes work in order to use them. Rather than putting a gun to your own head and pulling the trigger, a better analogy is putting a complicated piece of machinery whose function you don't entirely understand to your head. Such machinery needs to be designed with warnings and safeguards to prevent people who don't understand exactly how it works from hurting themselves.

    8. Re:Victim's fault? by gravewax · · Score: 1

      NO, not quite 100%. The scumbag scammers do deserve a portion of the blame too.

    9. Re:Victim's fault? by Anonymous Coward · · Score: 0

      Victim?

      After giving away 2 factor authentication details?

      To a fake employee over a phone?

      An adult with a functioning brain who wouldn't give their PIN to their partner?

      Victim; good one.

    10. Re:Victim's fault? by Anonymous Coward · · Score: 0

      They are not employees.

    11. Re:Victim's fault? by dgatwood · · Score: 1

      What exactly would you have Uber change? I'm seriously asking here.

      The ability to redirect payments to a checking account under a different person's name without providing a government-issued photo ID under both names, a marriage certificate or name change certificate, and at least one other form of identification, perhaps?

      Or, for that matter, the ability to make major changes to the account without contacting the account owner at his/her callback number to verify it?

      Or, for that matter, the ability to do any of those things without going in person to see an actual, human customer service representative?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re:Victim's fault? by Anonymous Coward · · Score: 0

      This is exactly the kind of stupid, knee-jerk, reaction to any security failure that made the theme "security == inconvenience".

      The "victims" did what amounted to signing a blank check when asked to "verify their signature" and then surprised when that check got cashed. And what you called for amounted to asking the bank to call the account owner whenever anyone cashed a check from their account.

      Yes, it might have prevented *this particular* fraud, but at the cost of extra effort for many people affecting lots of normal transactions.

      And when you do that whenever some con man manages to nab some money, you end up with a system so overloaded with this red tape that it becomes unusable.

      Not to mention if Uber actually implemented any of your suggestions, Uber would be accused of making it difficult for drivers to actually get their money.

    13. Re:Victim's fault? by Anonymous Coward · · Score: 0

      Didn't some girl get prison time for convincing her supposed on-and-off boyfriend to kill himself? Yes - although I haven't heard whether she's exhausted her appeals.

    14. Re:Victim's fault? by fph+il+quozientatore · · Score: 1

      Agreed. But it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."

      And then you happily ask for the code on the Uber website as a part of your two-factor authentication? That's not confusing at all...

      --
      My first program:

      Hell Segmentation fault

    15. Re:Victim's fault? by Anonymous Coward · · Score: 0

      As far as I know putting up signs saying "Don't be a fuckwit" never stopped people being so. If the idea that giving random people your details is a bad idea hasn't sunk in after all these years it's hard to believe more will.

      On the other hand, it seems a good part of the world actively works against the message.

      My work medical, handled by a third party, phones me up to book the appointment; for "data protection" they just need me to give them a few pieces of personal info... When I decline, as giving out my personal information to someone I can't verify phoning me hardly seems a good standard of data protection, they offer to give me their phone number so I can phone in myself; when I decline that, trying to search out the number to phone in soon turned up a blank.

      Or the response to me raising an issue with the Share Plan portal from work, again operated by a third party, posted whilst logged in securely to the portal, resulting in an email requesting personal details in order to be able to answer my query - again apparently to protect my personal data, even though answering the issue required no personal data be disclosed.

    16. Re:Victim's fault? by swillden · · Score: 2

      it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."

      It's actually really hard to convince people not to share their TFA codes. It's pretty much exactly the same problem as convincing them not to share their passwords, and social engineering passwords from people is astonishingly easy.

      Google's corporate security team decided a few years back to move all employee sign-in off of code-based TFA and onto security key-based TFA for exactly this reason. They couldn't train a bunch of smart, highly-educated people not to share TFA codes, but found that it's pretty easy to convince people to keep a physical device in their possession, and to report when it's lost or stolen.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
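
Why a security key resists the phone-call scam where a code does not, as an added example (not Google's, Uber's or any FIDO library's code): the browser, not the user, tells the key which origin the login is for, and the key's assertion is a signature over that origin plus a one-time challenge, so there is nothing a caller can ask the user to read out, and an assertion made on a look-alike site fails verification at the real one. HMAC-SHA256 with a secret the site also holds is a stand-in for the ECDSA key pair a real authenticator uses; `rides.example` and `rides-support.example` are constructed origins, and `Authenticator`, `RelyingParty`, `login_via_browser` and `demo` are names chosen for this example.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Toy security key. One key per registered origin; an assertion is a
    signature over (origin, challenge). Simplification: HMAC-SHA256 with a
    secret the relying party also holds stands in for the ECDSA key pair a
    real FIDO authenticator uses."""

    def __init__(self):
        self._keys = {}

    def register(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser supplies `origin`; the user never sees or types it.
        key = self._keys[origin]  # KeyError: no credential for this origin
        return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The site being logged into. Issues a fresh challenge per login and
    accepts an assertion only if it was made for this site's own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}  # user -> key registered for this origin
        self.pending = {}      # user -> outstanding challenge

    def register(self, user: str, auth: Authenticator) -> None:
        self.credentials[user] = auth.register(self.origin)

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, asserted_origin: str, signature: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # single use: a replay finds nothing
        if challenge is None or asserted_origin != self.origin:
            return False
        expected = hmac.new(self.credentials[user],
                            asserted_origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_via_browser(rp: RelyingParty, auth: Authenticator, user: str, browser_origin: str) -> bool:
    """A login started in a browser tab at `browser_origin`, which may or may
    not be the relying party's real origin; the tab, not the user, names it."""
    challenge = rp.begin_login(user)
    try:
        signature = auth.sign(browser_origin, challenge)
    except KeyError:
        return False  # the key holds no credential for this origin
    return rp.finish_login(user, browser_origin, signature)


def demo() -> dict:
    rp = RelyingParty("https://rides.example")  # constructed origin
    key = Authenticator()
    rp.register("driver1", key)
    results = {"genuine": login_via_browser(rp, key, "driver1", rp.origin)}
    # Look-alike origin: the key has no credential for it, so nothing is produced.
    results["lookalike_no_credential"] = login_via_browser(
        rp, key, "driver1", "https://rides-support.example")
    # Even if the user had enrolled the key at the look-alike as well, the
    # assertion names that origin and the real site refuses it.
    key.register("https://rides-support.example")
    results["lookalike_relayed"] = login_via_browser(
        rp, key, "driver1", "https://rides-support.example")
    # Relabelling the origin without re-signing fails the signature check.
    challenge = rp.begin_login("driver1")
    sig = key.sign("https://rides-support.example", challenge)
    results["relabelled"] = rp.finish_login("driver1", rp.origin, sig)
    return results
```

Running `demo()` returns `True` only for the genuine login; the three look-alike paths all come back `False`. The contrast with a texted code is the point: the code is a bearer secret whose whole value can be spoken aloud, whereas the assertion here is useless away from the origin and challenge it was made for, which is the property the comment above describes Google relying on.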
    17. Re: Victim's fault? by Anonymous Coward · · Score: 0

      The scammer is a criminal. The driver is an idiot. Both can be at fault.

    18. Re:Victim's fault? by demonlapin · · Score: 1

      As mentioned above by others, changing the 2FA text message to read "WARNING: Do not give this code to anyone else. Use it only to log in to your account at uber.com. Scammers will attempt to get you to read it to them. Uber phone representatives will not. Your code is 123456ABC."

    19. Re:Victim's fault? by djinn6 · · Score: 1

      Nah, in this case the scammer should be applauded for educating the "victim" for only the tiny cost of $600.

      Can you imagine what would've happened if someone pretended to be his bank? Good thing this scammer got to him first.

    20. Re:Victim's fault? by Hognoxious · · Score: 1

      I suspect that where TFS says "a new Uber driver received a call from Uber" a "purporting to be" was missed out.

      And from TFA: "The caller, with a heavy Spanish-sounding accent, said he was from Uber".

      I'm failing to see how this was Uber's fault.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    21. Re:Victim's fault? by Bert64 · · Score: 1

      This is alarmingly common, legitimate companies which operate in suspicious ways that scream scam...
      People get used to this behaviour, and don't suspect a thing when a real scam comes along.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    22. Re:Victim's fault? by Bert64 · · Score: 1

      And who's going to pay the extra cost of implementing this?
      And what about the added inconvenience for all those who weren't stupid enough to give their passwords away for whom the existing security was working just fine?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re:Victim's fault? by Anonymous Coward · · Score: 0

      My mother's workplace has a phone-based two-factor authentication for VPN access.

      The SMS message she receives is very brief, and one of the few words it has is 'OTP'. It might've been the only word, actually.

      Those of us in the know understand that it stands for 'one-time pad'. No, the word doesn't make sense in this context. But it's the three-letter combination the VPN UI on the computer asks for.

      Well, through a quirk of her phone's UI -- it had a 'quick preview' of the last message. You had to dismiss it before you could see other (newer) messages. The phone would beep every time it received a new message, but would have no visual indication for it.

      So through a quirk of her phone's UI, she was entering the same 'one-time pad' over and over again, and wondering why she couldn't get it to work.

      After dismissing about ten of those messages, I finally got her to input a fresh code...

      So yeah, the damn messages need to be clear about their use.

    24. Re:Victim's fault? by thegarbz · · Score: 1

      I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger.

      Educate them? You're posting from a position of privilege. Either you're a tech savvy Slashdot user or an office worker surrounded by technology, passwords, etc. My own multinational employer comes up with a new IT security training scheme every two months. Currently the theme is phishing. The mat under my mouse right now says "Phishing: Don't get caught" along with a picture of some goldfish and fishing hooks, and some dot point advice on not ever giving your password out, and a reminder that you didn't win an iPad from a competition you didn't enter.

      Something tells me the nobjobs running Uber don't provide anything of the sort to their *employees*.

    25. Re:Victim's fault? by thegarbz · · Score: 2

      I mean, who gives away their login credentials AND 2FA to a stranger on the phone?

      Yeah who gives some credentials to their employer when asked and are already desperate enough to be working for Uber in the first place?

      Victim blaming doesn't help anything. I work for a multinational company with quite high standards when it comes to hiring technically capable people and we still go through bimonthly training on digital security, phishing, not handing out passwords, etc. At *my* company you can 100% blame the victim. You don't get to do that to the people you've never educated on the topic, and even less for people who are in a desperate enough situation to be earning $600/week most of which will go to expenses.

    26. Re:Victim's fault? by Talderas · · Score: 1

      It is the victim's fault and there's not much Uber can do beyond installing more speed bumps to conducting account actions. The user is already compromised by trusting that the person they're on the phone with is a representative of Uber. The scammer has the account password. At this point the scammer just needs to continue asking for further supplied OTPs to complete the TFA.

      The only thing that Uber can truly do is try to plaster messages saying that they will never ask for your password. Even saying what a two factor code is being requested for isn't a guarantee that it will stop the scams. Remember, the person being scammed already has a level of trust that the person on the phone is with Uber. If the person "from Uber" says, "Don't worry, we've had an issue reported with your account's ability to transfer funds. We need to verify it works with a $0.01 transfer and will credit it back to you."

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    27. Re:Victim's fault? by Anonymous Coward · · Score: 0

      Some Uber drivers aren't particularly bright.

      So... just to be clear, you're saying it's the victim's fault, and Uber shouldn't take a look at their security practices and maybe change things to prevent this in the future.

      It's the victim's fault - right?

      Have you ever heard of "Fool me once shame on you, fool me twice shame on me"? This is "fool me twice" situation -- giving out password and the 2FA code.

    28. Re:Victim's fault? by Anonymous Coward · · Score: 0

      A more accurate way to put it would be that the victim is a colossally stupid person who probably shouldn't be allowed outside unsupervised and who might need to wear a helmet at all times. So no, I wouldn't blame the victims as much as the victim's handlers/caregivers who should be responsible for managing their finances.

      Honestly, the thought of anyone this clueless being allowed to drive scares me a little.

  10. Bad 2FA codes by Vrallis · · Score: 0

    Uber needs to fix their shit security on their 2FA system.

    Someone tried to get into my Uber account. I kept getting 2FA codes texted to my phone. I went to log into my account and check up on it and it sent me *the exact same 2FA code*. If I had entered that code and continued I have a feeling it would have also let in whoever was trying to get in at the same time.

    I ended up having to wait a while until Uber flipped to a new 2FA code then logged in and changed my login info. Since I never really use Uber I tried to remove my only payment method on file--Paypal. It won't let you. Your uber account isn't allowed to exist without a payment method. So I went into Paypal and de-authorized Uber.

    Uber really needs to fix this. A 2FA code should be 100% unique to that browser session and IP. It shouldn't be getting re-used.

    1. Re:Bad 2FA codes by Anonymous Coward · · Score: 0

      mobile phone IPs can change from minute to minute

    2. Re:Bad 2FA codes by Anonymous Coward · · Score: 0

      Woosh.

    3. Re:Bad 2FA codes by Anonymous Coward · · Score: 0

      2FA is often time based so getting the same 2FA is not unusual or an issue unless you are getting the same one over long periods of time.

    4. Re: Bad 2FA codes by Zero__Kelvin · · Score: 1

      A feeling isn't a fact. You might *feel* that it would let the attacker in as well, but the fact is it wouldn't.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Bad 2FA codes by Anonymous Coward · · Score: 0

      a lot of false logical leaps and incorrect assumptions there. One common method for seeding 2FA is the time combined with your unique key, each 2FA code is valid for a set period of time and you will get the same 2FA code if you request a second one during that time period. Most usually make this a very short period of time like 30 seconds, regardless though the intent is to prove you have the device that has the code.

      Secondly the code is independent to the session authentication, using the code and your credentials in one session will NOT mean any other session trying to get in will automatically succeed (Unless they also have a copy of the 2FA code). Your scenario shows no real weakness or issue with their 2FA (unless they aren't using time based codes of course).

    6. Re:Bad 2FA codes by Anonymous Coward · · Score: 0

      A 2FA code should be 100% unique to that browser session and IP. It shouldn't be getting re-used.

      says who? while totally unique is one way for each request, it is also very common to have time period based 2FA, this method is very common when the 2FA generation system is separate to the system you are authenticating to. The intent is to show you have the 2FA not to ensure it is unique per request.

    7. Re: Bad 2FA codes by Monster_user · · Score: 1

      To add further clarification to the others' replies. Entering the 2FA into your browser allows you access only in that browser session, it doesn't allow access from any other browser session so the hacker's session would not be allowed.

      Also, you are receiving the 2FA. It is unlikely the attacker is receiving the 2FA. They would have to get your phone number and request you provide the 2FA to gain access. Which is exactly what was described in the summary of the article.

    8. Re: Bad 2FA codes by Anonymous Coward · · Score: 0

      Do you know Uber's security well enough to state that for a fact?

      Given the disregard they seem to show for things like laws and safety, I wouldn't really trust them to make sure they get their security right either.

    9. Re: Bad 2FA codes by Anonymous Coward · · Score: 0

      No but I am well aware of how 2FA works and they would actually have to go out of their way to make it work like the OP is claiming and it would have been found long ago by the many security researchers looking at sites like Uber's. I trust Uber to take the easy path rather than reimplement something in an expensive and braindead fashion.

    10. Re:Bad 2FA codes by Anonymous Coward · · Score: 0

      A 2FA code should be 100% unique to that browser session and IP. It shouldn't be getting re-used.

      Whut?!?

      The whole idea behind 2FA is that you have a separate system issuing you a code. And tying it to time (i.e. letting it be valid for only a short while, usually 30 seconds) ensures that you cannot reuse that code.

      If you tie it to browser session and IP someone can reuse the code on that browser if you forget to close it.

      As for your "feeling" that it would have let in whoever was trying to get in – your "feeling" is wrong. Unless you somehow automagically typed the code you got in your text into THEIR browser's input field, there is no way they could have gotten into your account. Could you create something you describe? Yes, but it would defeat the whole purpose behind adding 2FA to logins.
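
The replies above argue two things about a time-based second factor: the code is valid for a short window rather than bound to a browser or IP, and entering it in your own session does not admit any other session. As an added example that is not code from the thread or from Uber, here is a minimal RFC 6238 TOTP generator and a server-side verifier that marks only the presenting session as authenticated and refuses to accept the same code twice inside its window (the secret and session ids are constructed for the demo).

```python
import hashlib
import hmac
import struct

# Constructed demo secret, not a real key: raw bytes for HMAC-SHA1.
DEMO_SECRET = b"constructed-demo-key"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server side of a time-based second factor with two defences:
    a code is consumed at most once (no replay inside its window), and a
    successful check marks only the session that presented the code."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.used = set()      # (time-step counter, code) pairs already spent
        self.authed = set()    # session ids that completed the second factor

    def verify(self, session_id: str, code: str, now: int) -> bool:
        # Accept the current step plus `skew` steps either side for clock drift.
        for delta in range(-self.skew, self.skew + 1):
            t = now + delta * self.step
            if hmac.compare_digest(totp(self.secret, t, self.step), code):
                key = (t // self.step, code)
                if key in self.used:
                    return False   # replay: this code was already consumed
                self.used.add(key)
                self.authed.add(session_id)
                return True
        return False

    def is_authenticated(self, session_id: str) -> bool:
        return session_id in self.authed
```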

  11. Scammers by Anonymous Coward · · Score: 0

    Anyone can be a victim of a scammer, and we really should not be creating systems that people of modest training, intellect, or experience can't operate safely. Uber hires drivers, not people savvy on internet safety. The internet safety should be baked in. It should be that the whole point of working for Uber is that they are taking care of that kind of shit and you just drive and get paid.

    Now as for scammers. I don't really like any robbers. They do something that makes you feel violated and foolish and unsafe afterwards. They can do all sorts of other damage when they rob someone who can't afford it. But at least breaking and entering takes some skin in the game. And a larger cross-section of people can evaluate the safety of their own physical possession protections more than they can their on-line possessions. In addition we have things like neighbors and villages that also put a layer of safety into protection against thieves.

    Online scammers therefore are special. They are anonymous and so remote that police forces can't handle them. And interstate and international police forces can't be bothered with thousand dollar scale crimes with no real leads to follow.

    These people will rob anyone because they don't really know who they are robbing. The last scammer that I encountered on-line, I made up a story about just getting out of prison and needing to sell something so I could buy my kid a present and hoped he wouldn't hate me for being in prison while he was growing up. The guy went right ahead pressuring me to send him the money order.

    I wish there was a vigilante network that could give people like that the punishment they deserve. They are parasites.

    1. Re:Scammers by Anonymous Coward · · Score: 0

      How the fuck do you expect them to prevent people voluntarily handing over their money to someone else? They already do as much as they can with multi-factor authentication; beyond going to the extreme inconvenience of requiring the person to personally come in to get their money, how the fuck do you protect them? We live in a day and age where basic password hygiene should be second nature to everyone, especially someone that is using online apps; you can only protect them so far before they have to take some responsibility for their own safety.

  12. Morons. by rojash · · Score: 1

    Morons=/, readers who claim they were better than these guys. You morons are obviously better educated and paid and would not wanna be Uber drivers, so why the fuck take it out on those poor guys ?? Get a life already.

    1. Re:Morons. by Anonymous Coward · · Score: 0

      Morons like you that make excuses for the stupidity of these victims are why they never learn and are destined to have a tough life ahead. They fucked up, they are at fault, it is a life lesson, and pointing it out is important. Most people get screwed over one way or another in life, and recognising YOUR role in that is how we learn.

  13. This is not a scam by duke_cheetah2003 · · Score: 0

    This is sheer human stupidity on a whole new level.

    The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text.

    Who does all that? THOUSANDS of these drivers are this stupid? Wow. I never knew.

    Scammers should have gone for the driver's bank info instead; sounds like these drivers will give anyone on the phone anything they ask for. Without question.

    1. Re: This is not a scam by Monster_user · · Score: 3, Insightful

      You don't get out much, do you? At the very least you don't work in I.T. Computers are magic boxes that do many incomprehensible things like send random text messages. It's like magnets, man, how do they work!?

      Have you ever been faced with a completely incomprehensible thing that you have been given instructions on how to operate, but have no idea what to do when outside the standardized parameters of the day-to-day?

      Have you ever been forced by progress itself to incorporate a mysterious and untrusted "blackbox" technology into your workflow simply to remain competitive and continue to bring home a salary? Or at the very least, have you ever been forced to incorporate or use tech you are not fond of?

      Have you ever been in a foot race and finished behind the leader, as in not in first place? Perhaps not even in the top ten?

      Do you typically score higher on Jeopardy than the contestants? Do you typically know more about medical science, bio-chemistry, and biology than your doctors? Do you typically know more about a vehicle than a highly paid mechanic? Do you have the ability to predict the weather with more accuracy than most meteorologists?

      We are still introducing people to the technological developments of the past three decades.

    2. Re: This is not a scam by Anonymous Coward · · Score: 1

      Have you ever read a comment made mostly of questions?

    3. Re: This is not a scam by dgatwood · · Score: 1

      You will. And the company that will bring it to you: AT&T.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re: This is not a scam by Anonymous Coward · · Score: 0

      This completely ignores the similar accounts these people undeniably have, like Facebook, Instagram, Twitter, Email, Banking, etc.

      It's not just that they gave out their secure Uber information, it's that they gave out *credentials at all* which is always a no-no regardless of what platform they lead to. Trying to say "This is just how it is in IT" is absolutely brain damaged. The whole point of IT is to educate the users NOT to do stupid shit like this. IT is not your idiot babysitter, it's there to fix real issues and teach you not to be a moron with computers.

      Apparently, these "genius" Uber drivers didn't put 1 and 1 together to think "Hey, I am constantly told not to share confirmation codes and passwords, but SURELY Uber is different, and this could NEVER be a scam!"

    5. Re: This is not a scam by Anonymous Coward · · Score: 0

      Have you ever been faced with a completely incomprehensible thing, that you have been given instructions on how to operate it, but have no idea what to do when outside the standardized parameters of the day-to-day?

      No, because the first thing I would have done is to understand how that thing worked, and so should anyone if their livelihood depends on operating that thing every day.

      Not doing so is simply inviting disaster, like those Uber drivers.

      Few, if any, man-made things are really incomprehensible, as they are, after all, made by man. It is the laws of nature that could really be incomprehensible.

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. It's been well documented that people under stress by rsilvergun · · Score: 0

    make poor decisions. Given what Uber pays (I've heard it called a Payday Loan on the value of your car) most of their drivers are already under stress.

    The reason you don't blame victims is that most of them aren't in a position to defend themselves. We have a phrase for it even: kick 'em when they're down.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  16. Can you really blame them by rsilvergun · · Score: 3, Insightful

    when we have stuff like this in America? Seriously, if I didn't know for a fact that that link is real and that somebody in a position of power made an argument against teaching critical thinking, I'd have chalked it up to Poe's law.

    What I'm saying is our education system and our society's values (at least in regards to critical thinking skills) failed these people. These aren't like climate change deniers or flat earthers or some such. They aren't choosing to be ignorant and dumb. They were either born that way or made that way.

    The correct response isn't to laugh at them, it's to take pity and try to lift them out of their ignorance. Hell, you should do that even if it wasn't the right thing to do. These guys are dumb, yeah, but if you can talk them into giving up their Uber passwords imagine what a demagogue can talk them into. Where do you think dictatorships come from?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

    1. Re: Can you really blame them by c6gunner · · Score: 1

      Er. Did you actually read the article that you linked to?

      I'm guessing you didn't because if you had you would quickly have seen that the people writing the article disagree with your conclusion "that somebody in a position of power made an argument against teaching critical thinking".

      Or did you intentionally shoot an own-goal?

  17. Re:It's been well documented that people under str by Anonymous Coward · · Score: 2, Insightful

    It is about taking responsibility for your mistakes and learning from them. If they never get blamed for it and always have people defending them and blaming others, then they will NEVER learn from their mistakes. It isn't kicking someone while they're down when you are pointing out what they did wrong; NOT telling them is kicking them while they are down, as they are destined to do it all again.

  18. Can you really explain to them? by Anonymous Coward · · Score: 0

    Did Uber tell their employees what the procedure is when a trip is canceled? Most companies I've worked for explain procedures you need to know.

  19. eh by ChoGGi · · Score: 1

    If someone cold calls, you take down their info, look up the number for their company, and call them back.

    If you don't then I guess you just don't give a fuck (about your money).

    1. Re:eh by Anonymous Coward · · Score: 0

      Or you can do what I do. I ask for their credentials to the same system. When they give them to me and I have had a chance to verify them, I promise, pinky swear, I will let them have mine.

  20. Re:It's been well documented that people under str by djinn6 · · Score: 1

    The reason you don't blame victims is that most of them aren't in a position to defend themselves.

    But in this case, to "defend themselves" is as easy as not telling a stranger over the phone every single piece of their login credentials.

    If he doesn't learn from this, he'll lose tens of thousands of dollars when he encounters his first Nigerian prince.

  21. I'm a Nigerian Uber-Prince ... by nospam007 · · Score: 1

    I guess these people are not fit for the online business.

  22. Their own damn fault by Chewbacon · · Score: 0

    Hi, I'm from technical support. I'm verifying passwords, can you tell me yours? Dumbass.

    --
    Chewbacon
    The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.

  23. 'OTP' by Anonymous Coward · · Score: 0

    OTP here means one-time password.

  24. HOW FUCKING STUPID DO YOU HAVE TO BE? by Anonymous Coward · · Score: 0

    "The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text."

    Should have tried for his banking details as well and this fucking retard would have supplied those too.