
Money can be stolen from an Uber account - unlikekinds
https://unlikekinds.com/t/your-money-can-be-stolen-from-your-uber-account
======
vxNsr
In general in these cases, if it's a credit card just do a chargeback and let
Uber deal with the fallout. No need to bother trying to get Uber to make it
right; your credit card company will be much more interested in knowing that
Uber failed to safeguard their clients' card info. Too many chargebacks can
result in higher processing fees, so companies will do everything they can to
avoid that.

~~~
JohnTHaller
It's also worth noting that if you do a chargeback, a company like Uber will
often block your account and phone from using their services. Do a
chargeback against Steam, for instance, and they will ban you, preventing you
from playing games you've paid for ("leased" more accurately). So, it's
important to be careful about doing chargebacks unless you're sure the company
you're doing a chargeback against is one you never wish to do business with
again.

~~~
idbehold
It seems like this behavior should also be reported to the credit card
companies. In the case of Steam, it seems like what you should do is have the
credit card company charge back ALL the purchases you made if they ban your
account.

~~~
Shivetya
Steam has a litany of disclaimers to block refunds. Even games dropped by
developers don't matter to Steam. I had a few hours registered to a game I
could never get to work beyond a few turns but since I "played" it I was not
entitled to a refund.

I really dislike digital distribution of games and software on this point.
While some Steam games I can run offline I am not sure if all of them can be.
Plus how do I reinstall?

It is a sad state of affairs when being a buyer on eBay is safer than buying
from Steam.

~~~
teh_klev
> I had a few hours registered to a game I could never get to work beyond a
> few turns but since I "played" it I was not entitled to a refund.

Cough, ahem, No Man's Sky...

According to Steam I'd played around 40 hours, but in reality most likely <10
hours active and stupidly left the game idling a couple of nights which racked
up the hours.

I tried to get a refund from Steam and was refused; I then tried a chargeback
from PayPal, and Steam stepped in and more or less told me that if I continued
down this road I'd be locked out of all my games.

A few lessons learned:

1. Don't pre-purchase games

2. Wait a couple of weeks for real gamer reviews

3. Avoid Steam/digital distributions for higher value games.

This has certainly soured me from buying anything costing more than a few quid
on Steam.

~~~
slantyyz
> 1. Don't pre-purchase games

> 2. Wait a couple of weeks for real gamer reviews

I know it's hard to do if everyone you know's playing the latest hotness, but
if you can wait a few months, you can usually get the game heavily discounted
in one of Steam's (or Humble, Green Man or other Steam key sellers) quarterly
sales.

I used to buy my games on release date at or near full price, but these days I
try very hard to wait as long as I can for them to get heavily discounted.
When you pay much less than full price, the sting is lessened if you chalk up
too many hours to get a refund.

~~~
teh_klev
> but if you can wait a few months

> playing the latest hotness

To be honest NMS is the only game I've paid for prior to the release date, and
even then I only paid for it a week beforehand.

I'm not a huge gamer (with the exception of dipping into Eve Online now and
then). But NMS was hugely attractive to me, less so from the gamer/press hype,
but from all the things Sean had talked about and demo'd.

That'll learn me.

------
naturalgradient
I have noticed that with any type of money processing service (stock broker,
bank, ...), whenever any irregularity happens, I end up losing money no matter
whether I was at fault.

The asymmetry between me as a customer and a large organisation with a
faceless customer service is just so big that complaints take too much effort
to reach someone that could do something about it (if they were willing to own
up to problems, which they usually are not).

Having the legal right to get any fee refunded and getting it are just so far
removed that I would wager all money handling services make non-trivial
amounts of profits from unjust fees because they can exploit this asymmetry.

Sadly, for me as an individual the right decision is almost always to let it
go because my time is more expensive.

~~~
mi100hael
The one company that hasn't totally sucked for me in this regard is AmEx.
Every time I've called I've gotten a native English speaker located in the US
who actually has the power to reverse charges within a matter of minutes.

~~~
phil21
This used to be the case - until I talked to them last time. Definitely not a
US-based CSR, and completely unwilling to help in a very frustrating situation
I had done almost everything right on. I don't charge back often (first time
on this card ever, after close to a decade) - so it's not like I have a flag
on my account for "shitty customer" or anything.

Basically they utterly refused to chargeback, or even _block future charges_
to a specific vendor that had been charging me monthly for a service I could
not use due to moving. The vendor said their policy was I had to cancel in
person, and refused to do anything else.

Amex absolutely did not have my back, and I have one of their higher-tier
cards. Absolutely have been looking around at alternatives now though, after
basically being told they'll let a vendor continue charging me against my will
forever and there was nothing they would do about it. They said take the
vendor to court.

I ended up canceling the card entirely and having it re-issued, since even
changing the number on your card these days isn't enough to stop monthly
recurring billing - of course that feature is for your "convenience".

All in all it was a pretty horrible experience that they resolved in the favor
of a vendor that was quite obviously playing the "make cancelation super hard
so we can collect monthly payments from people who continue to put it off"
game - Amex literally could not have cared less one of their merchants was
essentially engaging in barely-legal consumer fraud.

Utterly horrible customer service, and this was via many reps and a couple
low-tier CSR managers. It's quite obvious to me why Chase and the like are
eating steadily away at the once-stalwart Amex customer base. Prior to that
experience I would not have remotely considered a different card due to them
always being stellar whenever I needed them, and they usually went above and
beyond any expectations I had for customer service. That trust built over the
decades with me is now completely gone, and it's obvious they are simply yet
another card issuer these days.

~~~
rtx
I don't see them being at fault here. You willingly entered into a contract.

~~~
lovich
Vendors who allow online or over the phone sign ups, but only in person
cancellation don't tend to be relying on the quality of their product or
service to keep customers.

ISPs are one where if you are not a savvy consumer you won't realize that when
they say up to X megabits a second it's not only a different unit from
megabytes, but that anything 0 <= (actual service) <= X is considered meeting
the terms of the contract. ISPs are also the type of company where you call to
cancel the service, as the contract allows because you are not locked in, and
instead of letting you cancel they give you the run around and send you to
person after person to try to keep you online.

While we don't know if OP was in the right here from this story, you must have
at least _some_ ability to see where they could be at fault.

------
mstade
And this is why you only ever use credit cards from reputable providers with a
proven customer satisfaction track record. I had Uber pulling all sorts of
shenanigans against my Amex a few months ago, and instead of dealing with
Uber's BS I just had Amex cancel the charges. Done. Zero risk to my personal
accounts with actual real money on them.

Never use debit cards when credit cards are accepted, is my general tip.

~~~
jessriedel
Or we could just move to a system where it was possible to pay for something
electronically without giving a merchant the ability to charge arbitrary
amounts into the indefinite future...

~~~
JoshGlazebrook
This is why I use [http://privacy.com](http://privacy.com) for some recurring
services and one-off transactions. It pulls from your bank account via ACH a
few days after a transaction but the ability to make one time use cards comes
in handy.

------
wolfgang42
_> I received an SMS saying “Enter Uber code 5483 to confirm your number”.
Thinking someone entered their number incorrectly or similar, and assuming -
as I had my phone with me - that my account was safe, I ignored the message._

This sounds like yet another example of why SMS is _not a good second factor_.
The Uber rep's responses seem to ignore the question of how this account was
compromised (instead providing suggestions for good password hygiene), so it's
not clear to me whether they even think that the SMS PIN is supposed to
provide any security at all.

~~~
Bartweiss
This actually seemed way worse than the monetary details. Uber offered TFA via
SMS, and then apparently failed to require it. That's _really_ bad, and sparks
concern about all of their other security practices.

Assuming this is accurate, I guess it's time to assume there's an unexplained
failure in Uber's security/login rules?

~~~
URSpider94
I assume that the attacker did one of two things: either they were somehow
cloning the SMS messages so they came to both the customer's phone and to
them, or they jumped the gun on an SMS redirect they had set up and the first
TFA got sent to the customer; they then retried later and got the message on
their channel.

The logical fallacy in your answer is in assuming that, just because the
customer got an SMS with a TFA code, an attacker did not get the same or
subsequent code and use it. We don't know that.

Of course, it's also possible that Uber's TFA is broken ...

~~~
Bartweiss
I had been assuming that cloning was very unlikely, yeah. It seems
substantially harder than actual redirection or capture would be.

But honestly, I hadn't considered the possibility that they triggered an SMS
and then got access later, maybe with a second (rerouted) SMS. That's a good
point.

------
caseysoftware
I suspect the argument here is simply "we refunded the exact amount we
received!" and that they bear no responsibility for the foreign transaction
fees, which were probably from the owners' bank.

It sucks but it makes sense for the merchant. The bank should return the fees
but the exchange rate difference is likely lost.

Also another good reason not to use a debit card for any online transaction.
At least with a credit card, no one can take your money while they're settling
the dispute.

~~~
tlb
The fact that the charges were in a foreign currency isn't the author's fault.
He wasn't traveling.

Currency exchange to RU is relatively stable, but you could imagine being
scammed from a country with hyperinflation, where a refund 3 months later
denominated in the local currency is worth much less. So in general, it's not
adequate to be compensated for international fraud in the fraudster's
currency.

~~~
caseysoftware
Yes, that's probably the exact scenario their merchant/banking agreements are
protecting them from.

------
morrow
The exact same thing happened to Alex Blumberg in this episode of Reply All:
[https://gimletmedia.com/episode/91-the-russian-passenger/](https://gimletmedia.com/episode/91-the-russian-passenger/).
They investigate and try to find out how his account could have possibly been
hijacked with 2FA enabled.

------
jefferson123
Can someone shed light on how this sort of attack might have been carried out?

~~~
mkolodny
The title of this article isn't accurate. Personally I think it's just meant
to scare people.

Money can't be "stolen" from your Uber account.

Someone can find out your password to your Uber account the same way they
could get your password for any website. Then they log in as you, and take
trips using your account. Your card would then be charged for the trips.

It's OP's fault that someone found out their password. Uber was nice and
refunded them for the trips.

~~~
Bartweiss
> Then they log in as you

Except the account in the article had two factor auth enabled. Someone
triggered the second factor (a text message) then logged in without access to
it. That's the question at the heart of "how did this attack happen?"

~~~
URSpider94
We do not know that the attacker did not have access to the TFA code. That's
an assumption. For all we know, it was the customer's roommate reading the SMS
off his phone and sharing it to the pirates.

It is certainly possible that Uber's TFA system is compromised, but that's not
the only explanation.

------
paul7986
And Uber does not give a damn!

In 2015 my Uber account was hacked and 1k was taken from my bank account. Uber
knew/knows about their users getting hacked, and their PR was that it's the
user's fault for using a bad password. Also, I then tried to cancel my Uber
account via their site, but there is no option that lets the user do so; it can
only be done by contacting and waiting for a support person to do so. It took
them a few days to cancel my account.

Needless to say I loathe them for this reason, followed by all their other
horrid behavior!

~~~
mkolodny
I don't see how it's Uber's fault if someone finds out your password.

I think it's nice of Uber that they refunded OP's trips even though it wasn't
their fault that OP's account was compromised. And it makes sense that they
just suggested using a strong password. What else could they do?

~~~
Bartweiss
> even though it wasn't their fault that OP's account was compromised

The article strongly suggests this isn't the case, though. OP had TFA active,
but Uber allowed access to his account without requiring the passcode
they texted him. We don't know exactly what happened, because the support rep
dodged the TFA question every time, but it doesn't appear to be a proper
outcome.

------
thinkMOAR
And it seems that the banks are aware of this. Two weeks ago I only used a
credit card for a bunch of Uber trips in eastern parts of Europe*. Maybe 8 -
10 rides, max 20 euro total charge... the bank found the charges/refunds of Uber
suspicious enough to block my card as a security measure (for an already total
amount of less than 20 euro).

------
Cakez0r
So how did they get access to the account without the SMS pin? The question
was never answered!

------
gambiting
>>Uber quickly agreed to refund the money. Problem is, the value of the
currency had changed, so the money refunded was less than the money stolen:
$406.70

I'd just like to point out that if the currency value had changed the other way,
he would have been refunded more money.

I actually wondered where that money is technically going in this case. I
rented a car abroad once, a block of 3000 Euro was put on my card, then when
it was released I got less money back than it blocked originally since the
currency rate had changed. So someone made money on just blocking that money
for a few days, but who? The bank?

~~~
lucaspiller
The rates are not set by your bank, but by your card issuer, e.g. VISA.
However it's not the exchange rate differing, it's that they have different
exchange rates for charges vs refunds.

When a currency exchange happens, say from EUR to USD, it has a different
exchange rate from USD to EUR. When the retailer 'refunds' you, the
transaction isn't just cancelled or reversed, you are credited the amount of
the original charge (in the retailer's currency), so there is a different
exchange rate.

For example, on the VISA Europe [0] site you can see the exchange rate for EUR
to USD yesterday was 1 EUR = 1.11661 USD, but the other way around it is 1 EUR
= 1.12399 USD.

[0] [https://www.visaeurope.com/making-payments/exchange-rates](https://www.visaeurope.com/making-payments/exchange-rates)

------
bkor
Shouldn't any normal consumer/customer protection law ensure that the full
amount should be refunded? Meaning if due to no fault of your own X amount was
charged / taken from your bank account, then that exact amount should be
refunded, no matter if the currency changed or not, as it was never your
fault.

~~~
jonlucc
This is certainly the case for credit cards, and in my experience, with
checking accounts. The bank or processor will manage the investigation and go
after whomever stole the money to recover their loss after reimbursing you.

Interestingly, I had someone steal my debit card several years ago, and they
went to CVS or Walgreens (can't quite remember). They purchased Visa gift
cards, and had video of the transaction in which my card was used to purchase
a Visa gift card, so they should be able to have Visa provide the information
about the stolen card or at least void it, but they will not. For some reason,
Visa et al have decided that it's better for them to just eat the several
hundred dollar cost of the card.

~~~
mahyarm
It's probably the same kind of calculation as fix vs. buy new. If it costs you
$50 to just buy a new one or $150 to hire a repairman, you'll just buy a new
one.

------
datasage
In my experience dealing with this, it depends on who initiates the refund.

If the consumer initiates the chargeback, it will be handled in the consumer's
currency. Which will result in a fun reconciliation problem for the business.

If the company initiates it will be done in the currency it was originally
charged in. Which will give the consumer more or less money depending on
exchange rates.
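A small settlement model, added here as an example and not part of any comment in the thread, of the effect lucaspiller and datasage describe: a USD charge debited in EUR at one issuer rate (plus an assumed foreign transaction fee that is not refunded), a merchant-initiated refund re-converted at the other rate, and a consumer-initiated chargeback credited in the cardholder's own currency. The two rates are the ones quoted above from the VISA Europe site; which of them applies to the debit and which to the credit, and the 3% fee, are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Rates quoted in the thread from the VISA Europe site (USD per 1 EUR).
# Which one the issuer applies to a debit and which to a credit is an
# assumption here; the point is that the two directions differ.
RATE_DEBIT = Decimal("1.11661")   # used when a USD charge is taken in EUR
RATE_CREDIT = Decimal("1.12399")  # used when a USD refund is credited in EUR
FX_FEE_PCT = Decimal("3")         # assumed foreign transaction fee, not refunded


def to_cents(x: Decimal) -> Decimal:
    """Round to whole cents, as a card statement would."""
    return x.quantize(CENT, rounding=ROUND_HALF_UP)


def debit_for_charge(amount_usd: str, rate: Decimal, fee_pct: Decimal):
    """EUR taken from the cardholder for a USD charge: the converted amount
    plus the issuer's foreign transaction fee. Returns (base, fee)."""
    base = Decimal(amount_usd) / rate
    fee = base * fee_pct / Decimal("100")
    return to_cents(base), to_cents(fee)


def credit_for_merchant_refund(amount_usd: str, rate: Decimal) -> Decimal:
    """Merchant-initiated refund: the original USD amount is credited and
    converted again, at the credit-direction rate, with no fee returned."""
    return to_cents(Decimal(amount_usd) / rate)


def settle(amount_usd: str,
           rate_debit: Decimal = RATE_DEBIT,
           rate_credit: Decimal = RATE_CREDIT,
           fee_pct: Decimal = FX_FEE_PCT) -> dict:
    """Compare what the cardholder gets back under the two refund paths
    described in the thread: a merchant refund in the merchant's currency
    versus a consumer-initiated chargeback in the cardholder's currency."""
    base, fee = debit_for_charge(amount_usd, rate_debit, fee_pct)
    debited = base + fee
    merchant_refund = credit_for_merchant_refund(amount_usd, rate_credit)
    # A consumer-initiated chargeback reverses the EUR amount actually taken.
    chargeback = debited
    return {
        "debited_eur": debited,
        "fee_eur": fee,
        "merchant_refund_eur": merchant_refund,
        "merchant_refund_shortfall_eur": debited - merchant_refund,
        "chargeback_shortfall_eur": debited - chargeback,
    }


if __name__ == "__main__":
    # Constructed sample: a single 100.00 USD ride charged to a EUR card.
    for key, value in settle("100.00").items():
        print(f"{key}: {value}")
```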

------
nate_robo
The same thing happened to me last week. Noticed a number of Uber charges
being hailed from Moscow, Russia, which was brought to my attention by Chase's
fraud prevention. They recognized the charges as suspicious and refused to let
any of them through, so I ended up not losing anything besides my debit card,
which I had to cancel. Changed my password and ordered a new debit card and
everything is resolved. However, I was very surprised to see a hacking effort
towards an Uber account versus something like an Amazon account...

------
huac
If the biggest cost was the foreign transaction fees, then the author should
get a credit card without foreign transaction fees. Which seems like decent
advice in general.

And to be fair to Uber, they don't have control over foreign transaction fees
or changing forex rates. This just as well might have worked out in the
author's favor. Uber _could_ curry some goodwill by covering the forex losses
and transaction fees in this case, especially since it came out to about $20,
but God knows that that's not their MO.

~~~
lxe
Ah yes, the "if you are not [blank], just be/do [blank]!" argument. Also, it's
not the fees on transactions made by the attacker that are the problem, it's ANY
money withdrawn from the author's card resulting from the attacker's activity.

------
benmmurphy
Does anyone know how they are breaking 2FA here? It doesn't sound like an SS7
hijack because the message is still going to the correct handset, and
presumably if you are carrying out the SS7 hijack you wouldn't proxy the
traffic. Was/is Uber allowing people to brute force PINs? Or are the PINs
being leaked through whoever is doing bulk SMS messaging for them?

------
stevenh
Have any white hats ever audited Uber's ride management protocols? One would
hope Uber would combine the ride request, GPS data, etc. from both the rider
and driver apps to doubly ensure that the ride really was requested and took
place, but now I sense the possibility that they cut corners on development,
mostly ignoring data from the rider's app and instead forwarding it directly
to a driver's account which has an undocumented God mode of sorts, allowing
the driver's app to handle every step of ride management from one blindly
trusted data source. If so, then everything could be forged from the driver's
side if the protocol were ever to be reverse engineered, and maybe the bad
guys finally figured this out.

~~~
URSpider94
I have a friend who works for Uber. They care about this DEEPLY. In emerging
countries, there are large-scale fraud rings that involve driving around with
dozens of phones in a car that are automated to request and complete rides.
The driver just toodles around town all day. The botnet operators collect
large numbers of stolen cards and cycle them through the funnel.

If Uber can't find and plug the hole for fraud pathways before the criminals
scale them, they will lose their shirts on chargebacks.

------
nstj
Interesting post, but the title is quite misleading - something closer would
be “Someone can hijack your Uber account and charge you for their rides”.

The title gives the impression that your credit card can be used for
transactions outside of Uber by attackers.

------
taormina
I had this happen to me. Since I wasn't in Amsterdam, it was pretty clear that
it was fraud of some sort. My credit card company handled everything and I
canceled the card.

------
welly
Uber customer support staff are certainly very understanding and
sympathetic...

> I'm so sorry to hear for any alarm this may have caused

> I'm sorry to hear about such a frustrating experience

> and I can totally understand your frustration here.

> My pleasure to get this sorted out for you. I'm sorry to hear this wasn't
> the 5-star experience

> I certainly understand your concern

Knock that shit off, please? We all know it's bullshit.

------
nullpage
Perhaps this has some clues as to how the SMS code was intercepted:

[https://www.theverge.com/2017/6/13/15794292/ss7-hack-dark-web-tap-phone-texts-cyber-crime](https://www.theverge.com/2017/6/13/15794292/ss7-hack-dark-web-tap-phone-texts-cyber-crime)

------
lr4444lr
Why would you fight Uber for these charges in the face of such obvious fraud?
Just dispute them with your credit card.

------
cosinetau
Not properly safeguarding data AND HR problems? Why do you still have an Uber
account?

[https://help.uber.com/h/24010fe7-7a67-4ee5-9938-c734000b144a](https://help.uber.com/h/24010fe7-7a67-4ee5-9938-c734000b144a)

------
gkya
Uber is like the Kardashians of the tech industry, every other news is a
scandal. It's interesting to watch pure human vile turn a big success and a
bigger potential into nil.

------
bradyat
Anyone else notice that they gave the driver one star? I get that you don't
like Uber but it's hardly the driver's fault.

~~~
ViViDboarder
Most likely, the driver is fake or complicit. The ride is just a way to
"launder" the money out from Uber. Get access to an account, fake a long ride,
get that money.

------
ajaimk
Uber has no way of accounting for the exchange rate changes from their end. A
charge back will fix the problem for the OP.

~~~
whalabi
Surely Uber could just look up the exchange rate.

~~~
creepydata
I assume different card issuers/card processors will charge slightly different
exchange rates and they will all have different FOREX fees and associated
charges.

------
42fortytwo
Chargeback? I believe all CC companies offer that, and it's pretty effective?

------
marvel_boy
Newbie here. Any guess on how this account was compromised?

~~~
Procrastes
See my comment above, but it could be that there was a compromised app on the
phone snagging SMS messages and forwarding them to the attacker.

------
aidenn0
Money can be stolen. From pretty much anywhere.

