Uber is facing problems with Chinese fraudsters

A nasty surprise for Uber users who have found themselves credited with several rides through the streets of China; the company is investigating the cases.


Unfortunately, fraudsters have targeted Uber to take free rides; the following picture shows the tweet posted by one of the numerous victims.

Below are a few tweets from those who’ve found that Chinese fraudsters had used the hacked accounts to take free trips.

The news was reported by Motherboard, which was alerted by a professional Chicago cabbie who posted the news on the UberPeople.net forum.

“Now, it looks like Chinese fraudsters are using hacked Uber accounts to take free trips.” states Motherboard. “The tweets were shown to Motherboard by ‘Just Aguy’, a poster on the UberPeople.net forum.”

At the same time, Wantchinatimes reported that thousands of Uber drivers in Chengdu have gone to the police in an attempt to retrieve money Uber owes them, because the service closed a large number of driver accounts in Beijing and Chengdu due to the recent frauds.

What is a possible fraud scheme?

Below is the description provided by the Chinese website:

“The system can be cheated in two different ways. One way is if the driver buys a hacked smartphone which can operate with several phone numbers. These numbers can be registered to multiple Uber accounts. Then the driver can use one phone number to request a ride and another number to accept the request, allowing the driver to cash in on the subsidy without having to actually drive anyone anywhere.

Other drivers make arrangements with other people to request rides which they don’t intend to take and then split the profits with the fake passenger, as subsidies are often three-times the amount of average fares.”
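How a platform could flag both schemes described in the quote above, as an added example that is not from the original article or from Uber. The field names (device fingerprint, trip distance), the thresholds and all sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data: account -> device fingerprint seen at registration.
# The device fingerprint is an assumption; the article only says one handset
# can serve several phone numbers and accounts.
ACCOUNT_DEVICE = {
    "rider_a": "dev-111", "driver_x": "dev-111",   # same handset, two accounts
    "rider_b": "dev-222", "driver_y": "dev-333",
    "rider_c": "dev-444",
}

# Constructed trip log: (trip_id, rider, driver, distance_km, subsidy_yuan)
TRIPS = [
    ("t1", "rider_a", "driver_x", 0.0, 30),
    ("t2", "rider_b", "driver_y", 0.1, 30),
    ("t3", "rider_b", "driver_y", 0.0, 30),
    ("t4", "rider_b", "driver_y", 0.2, 30),
    ("t5", "rider_c", "driver_y", 7.4, 30),
    ("t6", "rider_c", "driver_x", 5.1, 30),
]

MIN_REAL_KM = 0.5      # assumed threshold: below this, nobody was driven anywhere
PAIR_REPEAT_LIMIT = 3  # assumed number of ghost trips per pair before flagging


def flag_subsidy_fraud(trips, account_device):
    """Return {trip_id: reason} for trips matching either scheme."""
    flagged = {}
    # Count near-zero-distance trips per (rider, driver) pair.
    ghost_pairs = Counter(
        (rider, driver) for _, rider, driver, km, _ in trips if km < MIN_REAL_KM
    )
    for trip_id, rider, driver, km, _ in trips:
        rider_dev = account_device.get(rider)
        # Scheme 1: the request and the acceptance come from the same handset.
        if rider_dev is not None and rider_dev == account_device.get(driver):
            flagged[trip_id] = "shared_device"
        # Scheme 2: a colluding pair repeatedly books rides nobody takes.
        elif km < MIN_REAL_KM and ghost_pairs[(rider, driver)] >= PAIR_REPEAT_LIMIT:
            flagged[trip_id] = "repeat_ghost_pair"
    return flagged


def subsidy_at_risk(trips, flagged):
    """Sum the subsidy paid out on flagged trips."""
    return sum(subsidy for tid, _, _, _, subsidy in trips if tid in flagged)


if __name__ == "__main__":
    result = flag_subsidy_fraud(TRIPS, ACCOUNT_DEVICE)
    print(result, subsidy_at_risk(TRIPS, result))
```
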

In June, Uber revealed that the overall volume of scams accounts for about 3% of its total rides. The company considers this figure acceptable because it is much lower than that of its competitors.

“If calculated on the base of 1 million deals and 30 yuan (US$4.70) in subsidies per ride, Uber has paid 900,000 yuan (US$141,064) for the 3% of fake rides, a total of 27 million yuan (US$4.2 million) every month, the report said.” continues the Wantchinatimes.

Motherboard was the first web portal to report the news of thousands of compromised Uber accounts selling for as little as $1 on the dark web.

That was in March 2015; in May, many Uber customers reported unauthorized rides paid through their accounts, but the company ruled out a data breach, although it suggested that users reset their passwords.

The experts at Uber speculated that the accounts had been compromised because the owners used the same credentials on other web services that had been hacked in the past.

In August, Uber started experimenting with a multifactor authentication mechanism to protect its customers.

“Our security teams are laser focused on protecting the integrity of our community’s Uber accounts,” Uber said in a statement by email. “We use technical measures to detect any issues and are always enhancing the measures we deploy to protect our users’ accounts. We also encourage all of our users to choose strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”

Earlier this month, some Uber trip information was publicly accessible through simple Google queries; the set includes trip and user info, and home and work addresses.

Anyway, my dear Uber users, the good news is that the company recently hired two of the most popular hackers, Miller and Valasek. I’m sure that things will go better in the next months; in the meantime, let me suggest that you change your passwords and avoid reusing the same credentials across several web service accounts.

Pierluigi Paganini

(Security Affairs –  Uber,  cybercrime)
