Thousands of Uber Drivers Scammed Out of Millions of Dollars (cnet.com)
CNET reports on what happened when a new Uber driver received a call from Uber telling him to cancel the trip and verify his account:
The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account. "Nothing happened for the rest of the week," the driver says. "I didn't think anything of this again until Saturday." But in those following three days, the scammer had changed the driver's account settings and waited for the perfect time to withdraw money.... By Saturday night, his $653.88 in earnings from that week had been nabbed from his account...
Apparently the scam has hit thousands of ride-hail drivers, and millions of dollars have been diverted from their accounts, according to a lawsuit brought by the U.S. Attorney's Office in New York's federal court last November... [A] couple of key elements about Uber make it possible. When passengers hail a ride with Uber, they see the name of the driver and the car's make, model and license number, and they get an anonymized phone number to call the driver. All of this ensures passengers safely connect with the right driver. But it also makes it possible for the wrong people to see lots of information about drivers.
When one of the scam victims complained to Uber, he "was told he had to wait until Monday when he could talk to a representative in person at one of its driver hubs," although eventually Uber "agreed to credit the $653.88 back to his account as a 'one-time repayment courtesy.'"
Other scammers have gone after Uber directly, CNET reports, using GPS-spoofing apps to simulate long rides as "a way to pocket money via stolen credit cards, essentially using Uber as a makeshift money laundering service." Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.
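The altitude tell described above lends itself to a simple telemetry sanity check. The following is an added example, not Uber's code or CNET's: it runs a few plausibility rules (altitude ceiling, implied ground speed, vertical rate) over constructed ride tracks and reports the rides that fail; the thresholds are assumptions to be tuned per city.

```python
"""Plausibility checks for ride GPS telemetry (added example, constructed data)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Fix:
    t: float       # seconds since ride start
    lat: float
    lon: float
    alt_m: float   # reported altitude above sea level, metres


# Assumed ceilings for a car on roads; tune to local terrain and speed limits.
MAX_ALT_M = 1500.0
MAX_SPEED_MPS = 60.0     # ~216 km/h, above any plausible road speed
MAX_CLIMB_MPS = 5.0      # vertical rate; a car does not gain 3 km in a minute


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    r = 6_371_000.0
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(h))


def ride_anomalies(track: list[Fix]) -> list[str]:
    """Return one reason string per rule violation found in the track."""
    reasons = []
    for i, fix in enumerate(track):
        if fix.alt_m > MAX_ALT_M:
            reasons.append(f"alt {fix.alt_m:.0f}m at t={fix.t:.0f}")
        if i == 0:
            continue
        prev = track[i - 1]
        dt = fix.t - prev.t
        if dt <= 0:
            reasons.append(f"non-monotonic timestamp at t={fix.t:.0f}")
            continue
        speed = haversine_m(prev, fix) / dt
        climb = abs(fix.alt_m - prev.alt_m) / dt
        if speed > MAX_SPEED_MPS:
            reasons.append(f"speed {speed:.0f}m/s at t={fix.t:.0f}")
        if climb > MAX_CLIMB_MPS:
            reasons.append(f"climb {climb:.1f}m/s at t={fix.t:.0f}")
    return reasons


def flag_rides(rides: dict[str, list[Fix]]) -> dict[str, list[str]]:
    """Map ride id -> anomaly reasons, keeping only rides with at least one."""
    return {rid: r for rid, track in rides.items() if (r := ride_anomalies(track))}


# Constructed sample tracks: a normal crosstown ride and a spoofed "flying" one.
RIDES = {
    "ride-ok": [Fix(0, 40.7128, -74.0060, 12), Fix(60, 40.7180, -74.0000, 15),
                Fix(120, 40.7230, -73.9940, 18)],
    "ride-spoofed": [Fix(0, 40.7128, -74.0060, 12), Fix(60, 40.7128, -74.0060, 3000),
                     Fix(120, 40.9000, -74.0060, 3000)],
}
```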
Really? (Score:1, Insightful)
You'd have to be a moron to be an uber driver so this seems to match up well
Re: (Score:1, Insightful)
The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account.
So this story is really about Uber drivers being complete morons.
Re:Really? (Score:5, Insightful)
Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.
You do not speak your password aloud, ever.
You do not send your password to another person, ever.
You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.
Re: (Score:2)
I honestly couldn't tell you any password I have or have had ever.
My first passwords were muscle memory. It was a pattern I learned on the keyboard.
Now I use a one way hash to generate a custom password per username/site.
sha256(password+0100010001010011+slashdot.org) = AA9BA292D020183DCAAB6FD6F546FD56EED5E46F686DE29C58EE819DCADC197E
Good luck getting me to remember that or transcribe it correct over the phone.
Re: (Score:2)
Re: (Score:1)
Or one of those fancy, enter the 15th 19th and 12th characters from your password thingies. Which seem designed to keep passwords short as being such a pain to work through for anything complex of length.
Re: (Score:2)
I wonder if Uber could do something simple like change the two-factor verification message to:
"Do NOT repeat the following number to ANYBODY over the phone, they are SCAMMERS trying to steal money from you: 123456"
Nah, that would require a braincell.
Re: (Score:3)
Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein
Re:Really? (Score:5, Funny)
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein
It is unlikely that Einstein ever said that. It was first attributed to him in 1969, 15 years after his death, by someone who had earlier attributed the same quote to someone else.
"Don't believe everything you see on the Internet just because it is attributed to someone famous." -- Abraham Lincoln.
Re: (Score:2)
It definitely would not be Einstein, stupidity is most definitely not infinite, it really does not take all that much to lead to the finiteness of death.
Re: (Score:2)
You do not speak your password aloud, ever.
You do not send your password to another person, ever.
You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.
And most importantly: You do not hear any of this if you are a very low class low income earner driving an uber for a few hundred bucks a week and sleeping in your car at a SevenEleven to make ends meet.
Yeah I get what you're saying. So does every office worker who's ever had an email from IT, so do tech savvy people who are around computers a lot. But there are an entire class of people who would never have received this advice and are getting calls not from unsolicited strangers about their broken Window
News Flash (Score:4, Insightful)
Some Uber drivers aren't particularly bright.
Re: (Score:1)
Some Uber drivers aren't particularly bright.
There's morons everywhere. Morons are the basic currency of any large scale scam. The only fixes are education, or moron proof systems.
Victim's fault? (Score:1)
Some Uber drivers aren't particularly bright.
So... just to be clear, you're saying it's the victim's fault, and Uber shouldn't take a look at their security practices and maybe change things to prevent this in the future.
It's the victim's fault - right?
Re: Victim's fault? (Score:3, Insightful)
Yes
Re:Victim's fault? (Score:5, Insightful)
Re:Victim's fault? (Score:4, Insightful)
YES it is partially the victim's fault.
Partly? BS. This is 100% the victim's fault. I mean, who gives away their login credentials AND 2FA to a stranger on the phone?
ZERO sympathy, sorry, this is the victim's fault. You don't get to cry foul if you open the door for the thief and point right to the valuables and say "I'll just be in the bathroom wanking off."
Re: (Score:2)
Re: (Score:2)
Can you imagine what would've happened if someone pretended to be his bank? Good thing this scammer got to him first.
Re: (Score:3)
I mean, who gives away their login credentials AND 2FA to a stranger on the phone?
Yeah who gives some credentials to their employer when asked and are already desperate enough to be working for Uber in the first place?
Victim blaming doesn't help anything. I work for a multinational company with quite high standards when it comes to hiring technically capable people and we still go through bimonthly training on digital security, phishing, not handing out passwords, etc. At *my* company you can 100% blame the victim. You don't get to do that to the people you've never educated on the topic
Re:Victim's fault? (Score:4, Insightful)
TFA is great, but not everyone understands how it works. And as a corollary, you shouldn't have to understand how TFA codes work in order to use them. Rather than putting a gun to your own head and pulling the trigger, a better analogy is putting a complicated piece of machinery whose function you don't entirely understand to your head. Such machinery needs to be designed with warnings and safeguards to prevent people who don't understand exactly how it works from hurting themselves.
Re: (Score:2)
And then you happily ask for the code on the Uber website as a part of your two-factor authentication? That's not confusing at all...
Re: (Score:3)
it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."
It's actually really hard to convince people not to share their TFA codes. It's pretty much exactly the same problem as convincing them not to share their passwords, and social engineering passwords from people is astonishingly easy.
Google's corporate security team decided a few years back to move all employee sign-in off of code-based TFA and onto security key-based TFA for exactly this reason. They couldn't train a bunch of smart, highly-educated people not to share TFA codes, but found that it's prett
It's been well documented that people under stress (Score:1)
The reason you don't blame victims is that most of them aren't in a position to defend themselves. We have a phrase for it even: kick 'em when they're down.
Re: (Score:2, Insightful)
It is about taking responsibility for your mistakes and learning from it. If they never get blamed for it and always have people defending them and blaming others then they will NEVER learn from their mistakes. It isn't kicking someone while they're down when you are pointing out what they did wrong, NOT telling them is kicking them while they are down as they are destined to do it all again.
Re: (Score:2)
The reason you don't blame victims is that most of them aren't in a position to defend themselves.
But in this case, to "defend themselves" is as easy as not telling a stranger over the phone every single piece of their login credentials.
If he doesn't learn from this, he'll lose tens of thousands of dollars when he encounters his first Nigerian prince.
Re: (Score:2)
I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger.
Educate them? You're posting from a position of privilege. Either you're a tech savvy Slashdot user or an office worker surrounded by technology, passwords, etc. My own multinational employer comes up with a new IT security training scheme every two months. Currently the theme is phishing. The mat under my mouse right now says "Phishing: Don't get caught" along with a picture of some goldfish and fishing hooks, and some dot point advice on not ever giving your password out, and a reminder that you didn't w
Re: (Score:2)
Probably more training. More, "Uber will never ask you for your password. Do not give anyone your cell-phone confirmation code." Just more basic training for people who never got this or understand how computers and authentication work.
At least then there is lower liability. You have proof that you tried to train your employee in correct security procedures.
Re: (Score:2)
This is alarmingly common, legitimate companies which operate in suspicious ways that scream scam...
People get used to this behaviour, and don't suspect a thing when a real scam comes along.
Re: (Score:2)
The ability to redirect payments to a checking account under a different person's name without providing a government-issued photo ID under both names, a marriage certificate or name change certificate, and at least one other form of identification, perhaps?
Or, for that matter, the ability to make major changes to the account without contacting the account owner at his/her callback number to verify it?
Or, for that matter, the ability to do a
Re: (Score:2)
And who's going to pay the extra cost of implementing this?
And what about the added inconvenience for all those who weren't stupid enough to give their passwords away for whom the existing security was working just fine?
Re: (Score:2)
Re: (Score:2)
I suspect that where TFS says "a new Uber driver received a call from Uber" a "purporting to be" was missed out.
And from TFA: "The caller, with a heavy Spanish-sounding accent, said he was from Uber".
I'm failing to see how this was Uber's fault.
Re: (Score:2)
It is the victim's fault and there's not much Uber can do beyond installing more speed bumps to conducting account actions. The user is already compromised by trusting that the person they're on the phone with is a representative of Uber. The scammer has the account password. At this point the scammer just needs to continue asking for further supplied OTPs to complete the TFA.
The only thing that Uber can truly do is try to plaster messages saying that they will never ask for your password. Even saying what a
Re: (Score:2)
Some Uber drivers aren't particularly bright.
"No one in this world, so far as I know ... has ever lost money by underestimating the intelligence of the great masses of the plain people." -- H.L. Mencken
Can you really blame them (Score:4, Insightful)
What I'm saying is our education system and our society's values (at least in regards to critical thinking skills) failed these people. These aren't like climate change deniers for flat earthers or some such. They aren't choosing to be ignorant and dumb. They were either born that way or made that way.
The correct response isn't to laugh at them, it's to take pity and try to lift them out of their ignorance. Hell, you should do that even if it wasn't the right thing to do. These guys are dumb, yeah, but if you can talk them into giving up their Uber passwords imagine what a demagogue can talk them into. Where do you think dictatorships come from?
Re: Can you really blame them (Score:2)
Er. Did you actually read the article that you linked to?
I'm guessing you didn't because if you had you would quickly have seen that the people writing the article disagree with your conclusion "that somebody in a position of power made an argument against teaching critical thinking".
Or did you intentionally shoot an own-goal?
Re: (Score:2)
Some Uber drivers aren't particularly bright.
If they were bright, they wouldn't be Uber drivers. You've got to be daft to think anyone makes money from Uber (not even Uber themselves make money).
Jetsons (Score:3)
PHB: "So let's claim we invented the flying car!"
Re: Each (Score:3)
Re: (Score:2)
Must have been those self-driving Uber scammers.
Difference between fairy tale and a sea story ... (Score:2)
... a fairy tale starts, "Once upon a time ..." and a sea story starts, "Hey, this ain't no shit:"
Hey, this ain't no shit: I was at the hangar at NAS Quonset Point, RI, working on an antisubmarine computer that lived on a P3 Orion and the goddam thing was nuts.
In self-test mode, it was tracking a sub at 3 feet above the surface going 60 knots.
HAhahaHAHahA
Seriously, folks; it's OK to mod me down but that memory (which was a hand-woven ferrite core, 64 bytes not Kb) is a hoot.
Bad 2FA codes (Score:1)
Uber needs to fix their shit security on their 2FA system.
Someone tried to get into my Uber account. I kept getting 2FA codes texted to my phone. I went to log into my account and check up on it and it sent me *the exact same 2FA code*. If I had entered that code and continued I have a feeling it would have also let in whoever was trying to get in at the same time.
I ended up having to wait a while until Uber flipped to a new 2FA code then logged in and changed my login info. Since I never really use Ub
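The symptom in this comment, the same code being delivered to two concurrent login attempts, is a property of how codes are issued, not of SMS itself. The following is an added example, not Uber's code: a constructed model of a "one live code per account" issuer beside one that binds a fresh, single-use code to each login attempt, plus a check that a code delivered for one attempt cannot unlock another. Names, TTLs and the account string are assumptions.

```python
"""Shared-code vs attempt-bound one-time codes (added example, constructed model)."""
import hmac
import secrets

CODE_TTL_S = 300            # assumed code lifetime
ACCOUNT = "driver@example.invalid"   # constructed account id
NOW = 1_000_000.0           # fixed clock so the example is deterministic


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


class SharedCodeIssuer:
    """Weak design: one live code per account, re-sent to every attempt within TTL."""
    def __init__(self):
        self._codes = {}    # account -> (code, expiry)

    def start_attempt(self, account, now):
        code, exp = self._codes.get(account, (None, 0))
        if code is None or now >= exp:
            code, exp = _new_code(), now + CODE_TTL_S
            self._codes[account] = (code, exp)
        return secrets.token_hex(8), code       # (attempt id, code texted to owner)

    def verify(self, account, attempt_id, code, now):
        live, exp = self._codes.get(account, (None, 0))   # attempt_id is ignored
        return live is not None and now < exp and hmac.compare_digest(live, code)


class BoundCodeIssuer:
    """Hardened design: fresh code per attempt, single use, valid only for that attempt."""
    def __init__(self):
        self._attempts = {}  # attempt_id -> (account, code, expiry)

    def start_attempt(self, account, now):
        attempt_id, code = secrets.token_hex(8), _new_code()
        self._attempts[attempt_id] = (account, code, now + CODE_TTL_S)
        return attempt_id, code

    def verify(self, account, attempt_id, code, now):
        entry = self._attempts.pop(attempt_id, None)   # consumed whether or not it matches
        if entry is None:
            return False
        acct, live, exp = entry
        return acct == account and now < exp and hmac.compare_digest(live, code)


def cross_attempt_accepted(issuer) -> bool:
    """Does the code texted for attempt 2 also satisfy the earlier, separate attempt 1?"""
    attempt_1, _ = issuer.start_attempt(ACCOUNT, NOW)          # e.g. someone else's login
    _, code_2 = issuer.start_attempt(ACCOUNT, NOW + 1)         # owner's own login, code texted
    return issuer.verify(ACCOUNT, attempt_1, code_2, NOW + 2)


def replay_accepted(issuer) -> bool:
    """Does a code still work after it has been used once on its own attempt?"""
    attempt, code = issuer.start_attempt(ACCOUNT, NOW)
    first = issuer.verify(ACCOUNT, attempt, code, NOW + 1)
    return first and issuer.verify(ACCOUNT, attempt, code, NOW + 2)
```

A regression test asserting that `cross_attempt_accepted` and `replay_accepted` are both false is the kind of check that would catch the behaviour this comment reports.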
Re: Bad 2FA codes (Score:2)
Re: Bad 2FA codes (Score:2)
Also, you are receiving the 2FA. It is unlikely the attacker is receiving the 2FA. They would have to get your phone number and request you provide the 2FA to gain access. Which is exactly what was described in the summary of the article.
Morons. (Score:1)
This is not a scam (Score:1)
This is sheer human stupidity on a whole new level.
The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text.
Who does all that? THOUSANDS of these drivers are this stupid? Wow. I never knew.
Scammers should have gone for the driver's bank info instead, sounds like these drivers will give anyone on the phone anything they ask for. Without question.
Re: This is not a scam (Score:4, Insightful)
Have you ever been faced with a completely incomprehensible thing, that you have been given instructions on how to operate it, but have no idea what to do when outside the standardized parameters of the day-to-day?
Have you ever been forced by progress itself to incorporate a mysterious and untrusted "blackbox" technology into your workflow simply to remain competitive and continue to bring home a salary? Or at the very least, have you ever been forced to incorporate or use tech you are not fond of?
Have you ever been in a foot race and finished behind the leader, as in not in first place? Perhaps not even in the top ten?
Do you typically score higher on Jeopardy than the contestants? Do you typically know more about medical science, bio-chemistry, and biology than your doctors? Do you typically know more about a vehicle than a highly paid mechanic? Do you have the ability to predict the weather with more accuracy than most meteorologists?
We are still introducing people to the technological developments of the past three decades.
Re: (Score:1)
Have you ever read a comment made mostly of questions?
Re: (Score:2)
You will. And the company that will bring it to you: AT&T.
Re: (Score:2)
eh (Score:2)
If someone cold calls, you take down their info, look up the number for their company, and call them back.
If you don't then I guess you just don't give a fuck (about your money).
I'm a Nigerian Uber-Prince ... (Score:2)
I guess these people are not fit for the online business.
Their own damn fault (Score:1)
Hi, I'm from technical support. I'm verifying passwords, can you tell me yours? Dumbass.