Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Businesses Transportation

Thousands of Uber Drivers Scammed Out of Millions of Dollars (cnet.com) 94

CNET reports on what happened when a new Uber driver received a call from Uber telling him to cancel the trip and verify his account: The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account. "Nothing happened for the rest of the week," the driver says. "I didn't think anything of this again until Saturday." But in those following three days, the scammer had changed the driver's account settings and waited for the perfect time to withdraw money.... By Saturday night, his $653.88 in earnings from that week had been nabbed from his account...

Apparently the scam has hit thousands of ride-hail drivers, and millions of dollars have been diverted from their accounts, according to a lawsuit brought by the U.S. Attorney's Office in New York's federal court last November... [A] couple of key elements about Uber make it possible. When passengers hail a ride with Uber, they see the name of the driver and the car's make, model and license number, and they get an anonymized phone number to call the driver. All of this ensures passengers safely connect with the right driver. But it also makes it possible for the wrong people to see lots of information about drivers.

When one of the scam victims complained to Uber, he "was told he had to wait until Monday when he could talk to a representative in person at one of its driver hubs," although eventually Uber "agreed to credit the $653.88 back to his account as a 'one-time repayment courtesy.'"

Other scammers have gone after Uber directly, CNET reports, using GPS-spoofing apps to simulate long rides as "a way to pocket money via stolen credit cards, essentially using Uber as a makeshift money laundering service." Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.
This discussion has been archived. No new comments can be posted.

Thousands of Uber Drivers Scammed Out of Millions of Dollars

Comments Filter:
  • Really? (Score:1, Insightful)

    by Anonymous Coward

    You'd have to be a moron to be an uber driver so this seems to match up well

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text. This was the two-factor authentication needed to get into the driver's Uber account.

      So this story is really about Uber drivers being complete morons.

      • Re:Really? (Score:5, Insightful)

        by Calydor ( 739835 ) on Saturday June 30, 2018 @06:00PM (#56872504)

        Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.

        You do not speak your password aloud, ever.
        You do not send your password to another person, ever.
        You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.

        • I honestly couldn't tell you any password I have or have had ever.

          My first passwords were muscle memory. It was a pattern I learned on the keyboard.

          Now I use a one way hash to generate a custom password per username/site.

          sha256(password+0100010001010011+slashdot.org) = AA9BA292D020183DCAAB6FD6F546FD56EED5E46F686DE29C58EE819DCADC197E

          Good luck getting me to remember that or transcribe it correct over the phone.

          • by alantus ( 882150 )
            Or typing it on a cellphone
            • by Anonymous Coward

              Or one of those fancy, enter the 15th 19th and 12th characters from your password thingies. Which seem designed to keep passwords short as being such a pain to work through for anything complex of length.

            • I wounder if Uber could do something simple like change the two-factor verification message to:

              "Do NOT repeat the following number to ANYBODY over the phone, they are SCAMMERS trying to steal money from you: 123456"

              Nah, that would require a braincell.

        • by Kjella ( 173770 )

          Pretty much, yeah. You'd think this story was from 1990 when good password management hadn't been drilled into the skulls of even the dimmest of dimwits yet.

          "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein

          • Re:Really? (Score:5, Funny)

            by ShanghaiBill ( 739463 ) on Saturday June 30, 2018 @07:46PM (#56872720)

            "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -- Albert Einstein

            It is unlikely that Einstein ever said that. It was first attributed to him in 1969, 15 years after his death, by someone who had earlier attributed the same quote to someone else.

            "Don't believe everything you see on the Internet just because it is attributed to someone famous." -- Abraham Lincoln.

            • by rtb61 ( 674572 )

              It definitely would not be Einstein, stupidity is most definitely not infinite, it really does not take all the much to lead to the finiteness of death.

        • You do not speak your password aloud, ever.
          You do not send your password to another person, ever.
          You most certainly do not read aloud the CONFIRMATION CODE that gets sent when someone has entered your password.

          And most importantly: You do not hear any of this if you are a very low class low income earner driving an uber for a few hundred bucks a week and sleeping in your car at a SevenEleven to make ends meet.

          Yeah I get what you're saying. So does every office worker who's ever had an email from IT, so do tech savy people who are around computers a lot. But there are an entire class of people who would never have received this advice and are getting calls not from unsolicitated strangers about their broken Window

  • News Flash (Score:4, Insightful)

    by 93 Escort Wagon ( 326346 ) on Saturday June 30, 2018 @05:50PM (#56872486)

    Some Uber drivers aren't particularly bright.

    • by Anonymous Coward

      Some Uber drivers aren't particularly bright.

      There's morons everywhere. Morons are the basic currency of any large scale scam. The only fixes are education, or moron proof systems.

    • Some Uber drivers aren't particularly bright.

      So... just to be clear, you're saying it's the victim's fault, and Uber shouldn't take a look at their security practices and maybe change things to prevent this in the future.

      It's the victim's fault - right?

      • by Anonymous Coward

        Yes

      • Re:Victim's fault? (Score:5, Insightful)

        by gravewax ( 4772409 ) on Saturday June 30, 2018 @06:44PM (#56872610)
        The victims gave away there password and gave them their 2FA confirmation and then thought nothing of it till their money disappeared. I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger. YES it is partially the victims fault. This concept that you can't blame the victim when the victim is clearly a huge part of the problem is moronic.
        • Re:Victim's fault? (Score:4, Insightful)

          by duke_cheetah2003 ( 862933 ) on Saturday June 30, 2018 @08:36PM (#56872800) Homepage

          YES it is partially the victims fault.

          Partly? BS. This is 100% victims fault. I mean, who gives away their login credentials AND 2FA to a stranger on the phone?

          ZERO sympathy, sorry, this is the victim's fault. You don't get to cry foul if you open the door for the thief and point right to the valuables and say "I'll just be in the bathroom wanking off."

          • NO, not quite 100%. The scumbag scammers do deserve a portion of the blame too.
            • by djinn6 ( 1868030 )
              Nah, in this case the scammer should be applauded for educating the "victim" for only the tiny cost of $600.

              Can you imagine what would've happened if someone pretended to be his bank? Good thing this scammer got to him first.
          • I mean, who gives away their login credentials AND 2FA to a stranger on the phone?

            Yeah who gives some credentials to their employer when asked and are already desperate enough to be working for Uber in the first place?

            Vicitm blaming doesn't help anything. I work for a multinational company with quite high standards when it comes to hiring technically capable people and we still go through bimonthly training on digital security, phishing, not handing out passwords, etc. At *my* company you can 100% blame the victim. You don't get to do that to the people you've never educated on the topic

        • Re:Victim's fault? (Score:4, Insightful)

          by Solandri ( 704621 ) on Saturday June 30, 2018 @09:42PM (#56873002)
          Agreed. But it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."

          TFA is great, but not everyone understands how it works. And as a corollary, you shouldn't have to understand how TFA codes work in order to use them. Rather than putting a gun to your own head and pulling the trigger, a better analogy is putting a complicated piece of machinery whose function you don't entirely understand to your head. Such machinery needs to be designed with warnings and safeguards to prevent people who don't understand exactly how it works from hurting themselves.
          • Agreed. But it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."

            And then you happily ask for the code on the Uber website as a part of your two-factor authentication? That's not confusing at all...

          • it does bring up the issue that TFA codes probably need a warning placed alongside the code. "This code is for your personal use only. Nobody should ever ask you for this code. Never give the code to another person, even if they claim to be from [company] or [government]."

            It's actually really hard to convince people not to share their TFA codes. It's pretty much exactly the same problem as convincing them not to share their passwords, and social engineering passwords from people is astonishingly easy.

            Google's corporate security team decided a few years back to move all employee sign-in off of code-based TFA and onto security key-based TFA for exactly this reason. They couldn't train a bunch of smart, highly-educated people not to share TFA codes, but found that it's prett

        • make poor decisions. Given what Uber pays (I've heard it called a Payday Loan on the value of your car) most of their drivers are already under stress.

          The reason you don't blame victims is that most of them aren't in a position to defend themselves. We have a phrase for it even: kick 'em when they're down.
          • Re: (Score:2, Insightful)

            by Anonymous Coward

            It is about taking responsibility for your mistakes and learning from it. If they never get blamed for it and always have people defending them and blaming others then they will NEVER learn from their mistakes. It isn't kicking someone while they're down when you are pointing out what they did wrong, NOT telling them is kicking them while they are down as they are destined to do it all again.

          • by djinn6 ( 1868030 )

            The reason you don't blame victims is that most of them aren't in a position to defend themselves.

            But in this case, to "defend themselves" is as easy as not telling a stranger over the phone every single piece of their login credentials.

            If he doesn't learn from this, he'll lose tens of thousands of dollars when he encounters his first Nigerian prince.

        • I don't like Uber but fuck what more can you do to protect someone that voluntarily puts a gun to their head and pulls the trigger.

          Educate them? You're posting from a position of privilage. Either you're a tech savy Slashdot users or an office worker surrounded by technology, passwords, etc. My own multinational employeer comes up with a new IT security training scheme every two months. Currently the theme is phishing. The mat under my mouse right now says "Phishing: Don't get caught" along with a picture of some goldfish and fishing hooks, and some dot point advice on not ever giving your password out, and a reminder that you didn't w

      • I suspect that where TFS says "a new Uber driver received a call from Uber" a "purporting to be" was missed out.

        And from TFA: "The caller, with a heavy Spanish-sounding accent, said he was from Uber".

        I'm failing to see how this was Uber's fault.

      • It is the victim's fault and there's not much Uber can do beyond installing more speed bumps to conducting account actions. The user is already compromised by trusting that the person they're on the phone with is a representative of Uber. The scammer has the account password. At this point the scammer just need to continue asking for further supplied OTPs to complete the TFA.

        The only thing that Uber can truly do is try to plaster messages saying that they will never ask for your password. Even saying what a

    • Some Uber drivers aren't particularly bright.

      "No one in this world, so far as I know ... has ever lost money by underestimating the intelligence of the great masses of the plain people." -- H.L. Mencken

    • by rsilvergun ( 571051 ) on Saturday June 30, 2018 @11:38PM (#56873294)
      when we have stuff like this [politifact.com] in America? Seriously, If I didn't know for a fact that that link is real and that somebody in a position of power made an argument against teaching critical thinking I'd have chalked it up to Poe's law.

      What I'm saying is our education system and our society's values (at least in regards to critical thinking skills) failed these people. These aren't like climate change deniers for flat earthers or some such. They aren't choosing to be ignorant and dumb. They were either born that way or made that way.

      The correct response isn't to laugh at them, it's to take pity and try to lift them out of their ignorance. Hell, you should do that even if it wasn't the right thing to do. These guys are dumb, yeah, but if you can talk them into giving up their Uber passwords imagine what a demagogue can talk them into. Where do you think dictatorships come from?
      • Er. Did you actually read the article that you linked to?

        I'm guessing you didn't because if you had you would quickly have seen that the people writing the article disagree with your conclusion "that somebody in a position of power made an argument against teaching critical thinking".

        Or did you intentionally shoot an own-goal?

    • by mjwx ( 966435 )

      Some Uber drivers aren't particularly bright.

      If they were bright, they wouldn't be Uber drivers. You've got to be daft to think anyone makes money from Uber (not even Uber themselves make money).

  • by Tablizer ( 95088 ) on Saturday June 30, 2018 @06:00PM (#56872510) Journal

    Uber's data science manager spotted the fake rides because "weird" altitude coordinates indicated that the drivers were flying through the sky.

    PHB: "So let's claim we invented the flying car!"
     

  • ... a fairy tale starts, "Once upon a time ..." and a sea story starts, "Hey, this ain't no shit:"

    Hey, this ain't no shit: I was at the hangar at NAS Quonset Point, RI, working on an antisubmarine computer that lived on a P3 Orion and the goddam thing was nuts.

    In self-test mode, it was tracking a sub at 3 feet above the surface going 60 knots.

    HAhahaHAHahA

    Seriously, folks; it's OK to mode me down but that memory (which was a hand-woven ferrite core, 64 bytes not Kb) is a hoot.

  • Uber needs to fix their shit security on their 2FA system.

    Someone tried to get into my Uber account. I kept getting 2FA codes texted to my phone. I went to log into my account and check up on it and it sent me *the exact same 2FA code*. If I had entered that code and continued I have a feeling it would have also let in whoever was trying to get in at the same time.

    I ended up having to wait a while until Uber flipped to a new 2FA code then logged in and changed my login info. Since I never really use Ub

    • A feeling isn't a fact. You might *feel* that it would let the attacker in as well, but the fact is it wouldn't.
    • To add further clarification to the others' replies. Entering the 2FA into your browser allows you access only in that browser session, it doesn't allow access from any other browser session so the hacker's session would not be allowed.

      Also, you are receiving the 2FA. It is unlikely the attacker is recieving the 2FA. They would have to get your phone number and request you provide the 2FA to gain access. Which is exactly what was described in the summary of the article.
  • Morons=/, readers who claim they were better than these guys. You morons are obviously better educated and paid and would not wanna be Uber drivers, so why the fuck take it out on those poor guys ?? Get a life already.
  • This is sheer human stupidity on a whole new level.

    The caller asked for his email. He gave it. The caller asked for his Uber account password. He gave him that, too, after a brief hesitation. Then the caller said to tell him the confirmation code he'd be receiving shortly via text. The driver told him the code once he got the text.

    Who does all that? THOUSANDS of these drivers are this stupid? Wow. I never knew.

    Scammers should have went for the driver's bank info instead, sounds like these drivers will give anyone on the phone anything they ask for. Without question.

    • by Monster_user ( 5075027 ) on Saturday June 30, 2018 @09:24PM (#56872948)
      You don't get out much do you? At the very least you don't work in I.T. Computers are magic boxes that do many incomprehensible things like send random text messages. Its like magnets man, how do they work!?

      Have you ever been faced with a completely incomprehensible thing, that you have been given instructions on how to operate it, but have no idea what to do when outside the standardized parameters of the day-to-day?

      Have you ever been forced by progress itself to incorporate a mysterious and untrusted "blackbox" technology into your workflow simply to remain competitive and continue to bring home a salary? Or at the very least, have you ever been forced to incorporate or use tech you are not fond of?

      Have you ever been in a foot race and finished behind the leader, as in not in first place? Perhaps not even in the top ten?

      Do you typically score higher on Jeopardy than the contestants? Do you typically know more about medical science, bio-chemistry, and biology than your doctors? Do you typically know more about a vehicle than a highly paid mechanic? Do you have the ability to predict the weather with more accuracy than most meteorologists?

      We are still introducing people to the technological developments of the past three decades.
      • by Anonymous Coward

        Have you ever read a comment made mostly of questions?

  • Comment removed based on user account deletion
  • by ChoGGi ( 522069 )

    If someone cold calls, you take down their info, look up the number for their company, and call them back.

    If you don't then I guess you just don't give a fuck (about your money).

  • I guess these people are not fit for the online business.

  • Hi, I'm from technical support. I'm verifying passwords, can you tell me yours? Dumbass.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...