Updated: How a data breach took me for an $800 Uber ride

NZ Retail and The Register deputy editor Courtney Devereux wrote a stunt journalism piece on how easy it is to be hacked in Idealog last year. In an ironic twist of events, she recently discovered she has actually had her data breached, except this time through her Uber account to the tune of $800. Here, she explains what happened, and the problem with entrusting your confidential details to big, faceless corporations.

Society's undying love for convenience has led us to save our credit card details to almost any platform – as long as it cuts off those precious eight seconds spent reaching into our wallet to pull out the card itself.

But this yearning for ease has made us vulnerable, even from those we trust the most.

I may be overly dramatic suggesting that my Uber account getting breached is the downfall of society, but it has resulted in a loss of trust, and a loss of access to Uber Eats. Technology is freaky: we rely so heavily on it that as soon as it doesn’t work or something goes wrong, we don’t know how to operate. We as a society have adapted so quickly to the benefits of technology, but struggle to adapt back to how we were before as soon as they are compromised.

In my ever-present life of more breaches than I would care to admit, you would think I would be more careful with technology.

And I am: I have password protectors, anti-virus programmes, and a small sticker over my webcam (some real top of the line protection). 

But when a company loses our data there isn’t anything you can do, unless you cancel your credit card, change your email, last name and move to a new house. Some of which may be a little bit of an overreaction when most ‘free’ apps gain capital by selling your data to third party sites anyway. 

Recently in the news, Facebook came under fire for losing over 50 million users' data. In 2014, Yahoo lost three billion user accounts which included names, emails, and phone numbers. In late 2016, Uber lost the personal information of 57 million users, including names, phone numbers and emails.

The bad part about that last hack was that Uber didn’t make the breach public until 2017, a year later. What’s worse, they paid the hackers USD$100,000 to destroy the data with no way to verify that they did, claiming it was a “bug bounty” fee. Uber fired its CSO because of the breach, effectively placing the blame on him. 

Information on the data breach available on the app states “the security incident that resulted in the breach of information included names, email address and mobile phone numbers.”

  • For more on how this scam works, check out the Reply All podcasts here and here. 

For the past two months, every Monday around lunchtime, an account presenting as Uber has been taking lump sums out of my account, ranging from about $7 to $50. Now, obviously these trips are not mine, seeing as the only time I use Uber is usually coming home from the clubs on Saturday night. And although I may not be in the clearest frame of mind on those trips, I still know if I’m inside a moving Toyota Prius or not.

The codes vary on my bank account, usually along the lines of Uber BV* or Uber Trip*, on the same day, around the same time.

Now if you’re wondering why it has taken me months to notice this, it is because I live in my overdraft and avoid looking at my bank account as much as possible. But this is not the time to be giving me financial advice.

What finally got my attention was the 40 texts from Uber in 24 hours, supplying me with an Uber Code, one which is usually used when needed to access an account you forgot a password for. I took these as signs to bite the bullet and check my account, and going back to February this year, an account masking as Uber had been taking money out of my account almost every week, with the total far above $300.

I quickly deactivated my account (not that that would stop my credit details from being out there in the wild). Almost akin to picking up something unsanitary, you think dropping it is going to solve the problem, but the germs are still on your hands to deal with. And these germs still had my card details.

I tried to log back into my account instantly, as I thought it would help to form the dispute against the company, but as soon as I tried to log in, it denied my access, stating that I had tried too many times to log in unsuccessfully.

Uber recommends finding a ‘help’ section within its app, which would have been handy to know before I went and locked myself out of it.

My first thought was to email Uber, but finding Uber's support account was about as easy as finding the Da Vinci Code, and even then, the email didn’t work – off to a great start.

Luckily for me, working in media means usually someone around you can supply a contact with almost anyone, Uber included.

Armed with an email from a colleague, I sent my strongly worded masterpiece off to the behemoth. It bounced back three times, until I realised Outlook blocks emails with the word ‘hack’ in the headline. On the fourth attempt it finally went through.

“Obviously somehow, through Uber, my credit card details have fallen into the wrong hands,” I quipped. “I would be very interested to know how this came to be.” I had them shaken.  

With the law of the land on my side, and with suggestions from a boss with smarter ideas than mine which didn’t involve sitting back until it went away, I called the bank.

Cancelling a card has a refreshing feeling to it when you’ve been hacked; cancelling your third card because you never learn your lesson is slightly less refreshing. The bank informed me that this money stealing had been coming out of my account since December 2017, with over $700 missing from my account since then and none through a reputable Uber account.

As I wait for Uber to “come to the party” as my bank assistant so adequately put it, I can’t help but muse over our undying loyalty to convenience. We will keep our credit card details in any app, as long as it makes checkout processes faster. The option to cut the time of reaching into our wallets, and entering something manually, is seen as a big drawcard (pun intended). Customers are so easily swayed by making things easy that they forgo possible risks.

Keeping your details saved anywhere is risky, and big corporations that are known for having these details saved are huge targets for hackers. And although these big corporations try their best to keep customer data safe, it often falls into the wrong hands.

Just ask the 57 million Uber users that are most likely dealing with the same issue. I may be a bit more careful in the future, but unfortunately, if large companies are not careful and honest with data, there isn’t a lot we can do about it. People will continue to use the platform, maybe with some trepidation, but there would have to be a larger more detrimental risk to get consumers to change their behaviour.

As these trips are not recorded on my app I would find it hard to believe the Uber app itself is taking the money, more likely someone masking as the company. Yet the Uber code texts and being locked out of my account show that in the 2016 breach of mobile numbers and emails, I was most likely included.

In the meantime I will wait for Uber to reply, but if there is anything more difficult than getting a contact for a faceless corporation, it’s getting money from it. 

Updated: 17/05/2018 - 11:30am

A representative from Uber's PR team has requested we rectify information regarding this article. 

"Uber has seen no evidence of fraud or misuse tied to the 2016 incident. Uber’s outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers or dates of birth were downloaded in the breach. Uber is monitoring the affected accounts and have flagged them for additional fraud protection.

"It is an unfortunate reality that all online accounts, whether email, banking, or Uber can be the target of phishing attacks that aim to steal a user’s personal information, such as passwords.

"There are multiple reasons why unauthorised activity may occur - including whether the user is maintaining good habits in safeguarding personal information security, whether the device has been compromised, or even issues with the financial institution and its products. Fraudsters may also try to use credit card numbers stolen from other services to request Uber trips.

"To reiterate, in relation to the 2016 data breach, Uber has seen no evidence of fraud or misuse tied to the incident and no credit card information was downloaded.

"On reaching Uber support, Uber uses in-app help as it is the most efficient way to provide partner and customer support at scale."

I have yet to hear from Uber's support team in regards to the breach.