Thousands of Uber Drivers Scammed Out of Millions of Dollars (cnet.com)
CNET reports on what happened when a new Uber driver received a call from Uber telling him to cancel the trip and verify his account:
The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account. "Nothing happened for the rest of the week," the driver says. "I didn't think anything of this again until Saturday." But in those following three days, the scammer had changed the driver's account settings and waited for the perfect time to withdraw money.... By Saturday night, his $653.88 in earnings from that week had been nabbed from his account...
Apparently the scam has hit thousands of ride-hail drivers, and millions of dollars have been diverted from their accounts, according to a lawsuit brought by the U.S. Attorney's Office in New York's federal court last November... [A] couple of key elements about Uber make it possible. When passengers hail a ride with Uber, they see the name of the driver and the car's make, model and license number, and they get an anonymized phone number to call the driver. All of this ensures passengers safely connect with the right driver. But it also makes it possible for the wrong people to see lots of information about drivers.
When one of the scam victims complained to Uber, he "was told he had to wait until Monday when he could talk to a representative in person at one of its driver hubs," although eventually Uber "agreed to credit the $653.88 back to his account as a 'one-time repayment courtesy.'"
Other scammers have gone after Uber directly, CNET reports, using GPS-spoofing apps to simulate long rides as "a way to pocket money via stolen credit cards, essentially using Uber as a makeshift money laundering service." Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.
You'd have to be a moron to be an uber driver so this seems to match up well
Some Uber drivers aren't particularly bright.
#DeleteChrome
PHB: "So let's claim we invented the flying car!"
Table-ized A.I.
... a fairy tale starts, "Once upon a time ..." and a sea story starts, "Hey, this ain't no shit:"
Hey, this ain't no shit: I was at the hangar at NAS Quonset Point, RI, working on an antisubmarine computer that lived on a P3 Orion and the goddam thing was nuts.
In self-test mode, it was tracking a sub at 3 feet above the surface going 60 knots.
HAhahaHAHahA
Seriously, folks; it's OK to mod me down but that memory (which was a hand-woven ferrite core, 64 bytes not Kb) is a hoot.
It little behooves the best of us to comment on the rest of us.
Yes
The victims gave away their password and gave them their 2FA confirmation and then thought nothing of it till their money disappeared. I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger. YES it is partially the victim's fault. This concept that you can't blame the victim when the victim is clearly a huge part of the problem is moronic.
Morons=/, readers who claim they were better than these guys. You morons are obviously better educated and paid and would not wanna be Uber drivers, so why the fuck take it out on those poor guys ?? Get a life already.
A feeling isn't a fact. You might *feel* that it would let the attacker in as well, but the fact is it wouldn't.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
YES it is partially the victims fault.
Partly? BS. This is 100% victims fault. I mean, who gives away their login credentials AND 2FA to a stranger on the phone?
ZERO sympathy, sorry, this is the victim's fault. You don't get to cry foul if you open the door for the thief and point right to the valuables and say "I'll just be in the bathroom wanking off."
Probably more training. More, "Uber will never ask you for your password. Do not give anyone your cell-phone confirmation code." Just more basic training for people who never got this or understand how computers and authentication work.
At least then there is lower liability. You have proof that you tried to train your employee in correct security procedures.
Unlikely. What are the odds that an Uber driver competent enough to earn millions in a reasonable time frame would be illiterate enough to hand out a 2FA? Most of the rest are not making enough for upkeep, and are trending towards negative income.
You don't get out much do you? At the very least you don't work in I.T. Computers are magic boxes that do many incomprehensible things like send random text messages. It's like magnets man, how do they work!?
Have you ever been faced with a completely incomprehensible thing, that you have been given instructions on how to operate it, but have no idea what to do when outside the standardized parameters of the day-to-day?
Have you ever been forced by progress itself to incorporate a mysterious and untrusted "blackbox" technology into your workflow simply to remain competitive and continue to bring home a salary? Or at the very least, have you ever been forced to incorporate or use tech you are not fond of?
Have you ever been in a foot race and finished behind the leader, as in not in first place? Perhaps not even in the top ten?
Do you typically score higher on Jeopardy than the contestants? Do you typically know more about medical science, bio-chemistry, and biology than your doctors? Do you typically know more about a vehicle than a highly paid mechanic? Do you have the ability to predict the weather with more accuracy than most meteorologists?
We are still introducing people to the technological developments of the past three decades.
To add further clarification to the others' replies. Entering the 2FA into your browser allows you access only in that browser session, it doesn't allow access from any other browser session so the hacker's session would not be allowed.
Also, you are receiving the 2FA. It is unlikely the attacker is receiving the 2FA. They would have to get your phone number and request you provide the 2FA to gain access. Which is exactly what was described in the summary of the article.
Have you ever read a comment made mostly of questions?
Agreed. But it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."
TFA is great, but not everyone understands how it works. And as a corollary, you shouldn't have to understand how TFA codes work in order to use them. Rather than putting a gun to your own head and pulling the trigger, a better analogy is putting a complicated piece of machinery whose function you don't entirely understand to your head. Such machinery needs to be designed with warnings and safeguards to prevent people who don't understand exactly how it works from hurting themselves.
NO, not quite 100%. The scumbag scammers do deserve a portion of the blame too.
The ability to redirect payments to a checking account under a different person's name without providing a government-issued photo ID under both names, a marriage certificate or name change certificate, and at least one other form of identification, perhaps?
Or, for that matter, the ability to make major changes to the account without contacting the account owner at his/her callback number to verify it?
Or, for that matter, the ability to do any of those things without going in person to see an actual, human customer service representative?
Check out my sci-fi/humor trilogy at PatriotsBooks.
Must have been those self-driving Uber scammers.
when we have stuff like this in America? Seriously, If I didn't know for a fact that that link is real and that somebody in a position of power made an argument against teaching critical thinking I'd have chalked it up to Poe's law.
What I'm saying is our education system and our society's values (at least in regards to critical thinking skills) failed these people. These aren't like climate change deniers or flat earthers or some such. They aren't choosing to be ignorant and dumb. They were either born that way or made that way.
The correct response isn't to laugh at them, it's to take pity and try to lift them out of their ignorance. Hell, you should do that even if it wasn't the right thing to do. These guys are dumb, yeah, but if you can talk them into giving up their Uber passwords imagine what a demagogue can talk them into. Where do you think dictatorships come from?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
It is about taking responsibility for your mistakes and learning from it. If they never get blamed for it and always have people defending them and blaming others then they will NEVER learn from their mistakes. It isn't kicking someone while they're down when you are pointing out what they did wrong, NOT telling them is kicking them while they are down as they are destined to do it all again.
You will. And the company that will bring it to you: AT&T.
If someone cold calls, you take down their info, look up the number for their company, and call them back.
If you don't then I guess you just don't give a fuck (about your money).
And then you happily ask for the code on the Uber website as a part of your two-factor authentication? That's not confusing at all...
My first program:
Hell Segmentation fault
it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."
It's actually really hard to convince people not to share their TFA codes. It's pretty much exactly the same problem as convincing them not to share their passwords, and social engineering passwords from people is astonishingly easy.
Google's corporate security team decided a few years back to move all employee sign-in off of code-based TFA and onto security key-based TFA for exactly this reason. They couldn't train a bunch of smart, highly-educated people not to share TFA codes, but found that it's pretty easy to convince people to keep a physical device in their possession, and to report when it's lost or stolen.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
As mentioned above by others, changing the 2FA text message to read "WARNING: Do not give this code to anyone else. Use it only to log in to your account at uber.com. Scammers will attempt to get you to read it to them. Uber phone representatives will not. Your code is 123456ABC."
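The following is an added example, not code from Uber or from the article, of what the warning-bearing code suggested in this thread looks like on the server side. The service name, site, message wording, six-digit format and five-minute lifetime are all assumptions chosen for the illustration. Each code is issued against a specific login session, expires, and is accepted exactly once:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example; a real deployment picks its own.
OTP_TTL_SECONDS = 300
OTP_DIGITS = 6

# Constructed message text modelled on the warning proposed in the thread.
# It is not Uber's actual SMS wording.
WARNING_TEMPLATE = (
    "WARNING: Do not give this code to anyone else. Use it only to log in "
    "to your account at {site}. Scammers will attempt to get you to read it "
    "to them. {company} phone representatives will not. Your code is {code}."
)


@dataclass
class Challenge:
    code: str          # the one-time code sent to the user
    session_id: str    # the login session that triggered the SMS
    issued_at: float   # epoch seconds when the code was generated
    used: bool = False # set once the code has been accepted


class OtpService:
    """Issues single-use, session-bound, expiring SMS login codes (example only)."""

    def __init__(self, company="ExampleCo", site="example.com", now=time.time):
        self.company = company
        self.site = site
        self.now = now            # injectable clock so expiry can be tested offline
        self._challenges = {}     # account_id -> Challenge (one outstanding code per account)

    def issue(self, account_id, session_id):
        """Generate a fresh code for this account/session and return the SMS text."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[account_id] = Challenge(code, session_id, self.now())
        return WARNING_TEMPLATE.format(site=self.site, company=self.company, code=code)

    def verify(self, account_id, session_id, submitted):
        """Accept the code only from the session it was issued to, once, before expiry."""
        ch = self._challenges.get(account_id)
        if ch is None or ch.used:
            return False
        if self.now() - ch.issued_at > OTP_TTL_SECONDS:
            return False
        if ch.session_id != session_id:
            return False
        # Constant-time comparison so the check does not leak matching prefixes.
        if not hmac.compare_digest(ch.code, submitted):
            return False
        ch.used = True
        return True


if __name__ == "__main__":
    svc = OtpService()
    sms = svc.issue("driver-42", "session-A")
    print(sms)
    code = sms.split("Your code is ")[1].rstrip(".")
    print("other session accepted:", svc.verify("driver-42", "session-B", code))
    print("issuing session accepted:", svc.verify("driver-42", "session-A", code))
    print("replay accepted:", svc.verify("driver-42", "session-A", code))
```

Binding the code to the requesting session, expiring it and burning it after one use limit what a leaked code is worth, but none of that defeats the scam described in the summary: there the attacker's own login session triggered the SMS and the victim read the code back. That is why the warning text in the message matters, and why the phishing-resistant hardware keys mentioned further down the thread remove the readable code altogether.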
Nah, in this case the scammer should be applauded for educating the "victim" for only the tiny cost of $600.
Can you imagine what would've happened if someone pretended to be his bank? Good thing this scammer got to him first.
The reason you don't blame victims is that most of them aren't in a position to defend themselves.
But in this case, to "defend themselves" is as easy as not telling a stranger over the phone every single piece of their login credentials.
If he doesn't learn from this, he'll lose tens of thousands of dollars when he encounters his first Nigerian prince.
I suspect that where TFS says "a new Uber driver received a call from Uber" a "purporting to be" was missed out.
And from TFA: "The caller, with a heavy Spanish-sounding accent, said he was from Uber".
I'm failing to see how this was Uber's fault.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I guess these people are not fit for the online business.
This is alarmingly common, legitimate companies which operate in suspicious ways that scream scam...
People get used to this behaviour, and don't suspect a thing when a real scam comes along.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And who's going to pay the extra cost of implementing this?
And what about the added inconvenience for all those who weren't stupid enough to give their passwords away for whom the existing security was working just fine?
I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger.
Educate them? You're posting from a position of privilege. Either you're a tech savvy Slashdot user or an office worker surrounded by technology, passwords, etc. My own multinational employer comes up with a new IT security training scheme every two months. Currently the theme is phishing. The mat under my mouse right now says "Phishing: Don't get caught" along with a picture of some goldfish and fishing hooks, and some dot point advice on not ever giving your password out, and a reminder that you didn't win an iPad from a competition you didn't enter.
Something tells me the nobjobs running Uber don't provide anything of the sort to their *employees*.
I mean, who gives away their login credentials AND 2FA to a stranger on the phone?
Yeah who gives some credentials to their employer when asked and are already desperate enough to be working for Uber in the first place?
Victim blaming doesn't help anything. I work for a multinational company with quite high standards when it comes to hiring technically capable people and we still go through bimonthly training on digital security, phishing, not handing out passwords, etc. At *my* company you can 100% blame the victim. You don't get to do that to the people you've never educated on the topic, and even less for people who are in a desperate enough situation to be earning $600/week most of which will go to expenses.
It is the victim's fault and there's not much Uber can do beyond installing more speed bumps to conducting account actions. The user is already compromised by trusting that the person they're on the phone with is a representative of Uber. The scammer has the account password. At this point the scammer just needs to continue asking for further supplied OTPs to complete the TFA.
The only thing that Uber can truly do is try to plaster messages saying that they will never ask for your password. Even saying what a two factor code is being requested for isn't a guarantee that it will stop the scams. Remember, the person being scammed already has a level of trust that the person on the phone is with Uber. If the person "from Uber" says, "Don't worry, we've had an issue reported with your account's ability to transfer funds. We need to verify it works with a $0.01 transfer and will credit it back to you."
"Lack of speed can be overcome. In the worst case by patience." --Znork