Thousands of Uber Drivers Scammed Out of Millions of Dollars

CNET reports on what happened when a new Uber driver received a call from Uber telling him to cancel the trip and verify his account: The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account. "Nothing happened for the rest of the week," the driver says. "I didn't think anything of this again until Saturday." But in those following three days, the scammer had changed the driver's account settings and waited for the perfect time to withdraw money.... By Saturday night, his $653.88 in earnings from that week had been nabbed from his account...

Apparently the scam has hit thousands of ride-hail drivers, and millions of dollars have been diverted from their accounts, according to a lawsuit brought by the U.S. Attorney's Office in New York's federal court last November... [A] couple of key elements about Uber make it possible. When passengers hail a ride with Uber, they see the name of the driver and the car's make, model and license number, and they get an anonymized phone number to call the driver. All of this ensures passengers safely connect with the right driver. But it also makes it possible for the wrong people to see lots of information about drivers.
When one of the scam victims complained to Uber, he "was told he had to wait until Monday when he could talk to a representative in person at one of its driver hubs," although eventually Uber "agreed to credit the $653.88 back to his account as a 'one-time repayment courtesy.'"

Other scammers have gone after Uber directly, CNET reports, using GPS-spoofing apps to simulate long rides as "a way to pocket money via stolen credit cards, essentially using Uber as a makeshift money laundering service." Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.

Re:Really?

[Calydor]

Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.

You do not speak your password aloud, ever.
You do not send your password to another person, ever.
You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.

Re:Victim's fault?

[gravewax]

The victims gave away there password and gave them their 2FA confirmation and then thought nothing of it till their money disappeared. I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger. YES it is partially the victims fault. This concept that you can't blame the victim when the victim is clearly a huge part of the problem is moronic.

Re:Really?

[ShanghaiBill]

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein

It is unlikely that Einstein ever said that. It was first attributed to him in 1969, 15 years after his death, by someone who had earlier attributed the same quote to someone else.

"Don't believe everything you see on the Internet just because it is attributed to someone famous." -- Abraham Lincoln.