Friday, April 7, 2017

Uber and the Strange Case of the Russian Passenger

 by Nomad

Most of us, whether we have used the smartphone app or not, have heard of Uber. However, there's a dark side of Uber that you might not know about.

Uber and the New Business Model

Launched in 2012, Uber provides an alternative to the traditional Yellow taxi and was hailed as the beginning of a more free-form type of business model.
In case you don't know, Uber is a kind of unique car-for-hire service with smartphone tech as its dispatch and fee manager. Drivers do not possess special licenses and use their personal vehicles at a discounted rate. Riders do not even need to pay in cash or tip the Uber driver.

Despite having its share of some serious birthing pangs, Uber has become a major success. Today Uber is in 377 major cities around the world. World travelers can expect to find Uber rides in more major cities.

The techie podcast, Reply All, recently investigated a baffling hitch related to Uber. One of its customers was notified that he was being billed for Uber trips he had never made. More than once, Alex Blumberg's bank account was slapped with illegitimate service charges.
Somewhere, somehow, a Russian in Moscow was proving that there really is such a thing as a "free ride." Literally.

So, it's a simple case of Russian hacking of an Uber account?
You might think it should be a matter of calling an Uber rep, explaining the problem, changing your password and thanking your lucky stars that Mr. Smirnov didn't decide to take a family vacation to the Urals. Blumberg found that resolving this matter was not as easy as it sounds.
In fact, it was impossible.

To his shock, Blumberg found that he was locked out of his own account. It was, he says, treating him as if he had just downloaded the app, with no record of who he was, no profile and no history.

That Moment

That "uh-oh" moment we have all experienced at least once: when the blue screen of death suddenly appears, or when you realize that your laptop isn't obeying your furious pecking.
For poor Mr. Blumberg, it came when his smartphone app began treating him like a complete stranger.

The next step in the sad tale is another feature of the automated new world we live in: the search for a human response from the company. We have all been through this, whether it's the understaffed help center (Press 1 for... Press 2 for...) or the automated e-mail reply. That too was a dead end. There was literally nobody home. Uber didn't have a help center to call.
So we emailed and I got a [sic] e-mail response from them saying like, “We are unable to find a-any account associated with this email and mobile number.” And then I wrote back and I was like, “That’s really weird, because that’s my phone number, it’s definitely associated with this account, I have–I just received notifications this morning to this number.”
The charges were ongoing and there didn't seem to be any way he could close his account from his end. And in a bizarre twist, he learned when he finally found somebody at Uber to help him that Uber itself didn't have records of his credit card number.

Despite that, even while he was attempting to put things to right, his card was being charged for trips he wasn't making.
Still worse, Uber finally admitted there was nothing they could do. They began to close down any response at all. Meaning, they just stopped taking his calls and stopped auto-answering his increasingly desperate emails.

Some Not-Very-Good News

Reply All technical staff decided to investigate what was going on and who was behind this particular minor league hacking scam that can, for the unfortunate victim, turn into a major league nightmare.
The question was: Is this a freak occurrence or does this happen all the time? Soon enough, Reply All's investigator Alex Goldman got his answer.
I went on Twitter and found a ton of people who were having similar problems. Like I found people who were reporting that there were rides that they’d never taken in places like London and Hong Kong and France and Indonesia. Like it’s happening all over the world.
It turns out that hacked Uber accounts are traded like a commodity on the so-called Dark Web. And the investigators also learned they’re relatively cheap.
Between four and seven dollars each.
So, that led to the conclusion that Uber accounts were somehow hacked. Yet, Uber absolutely denied any data breach at all. What was really going on?

To learn the rest of this story, I invite you to listen to the rest of this podcast. Even if you don't use the Uber app, what investigators learned from this particular scam should send a powerful message about the vulnerability of anybody who uses the Internet to do business.
(Tip: start the podcast at about 7:00 to pick up the thread of the story.)

It's a cautionary tale about how big money is being made on the innocence and ignorance of the not-so-net-savvy public.