Money can be stolen from an Uber account (unlikekinds.com)
277 points by unlikekinds on June 13, 2017 | 166 comments

In general in these cases, if it's a credit card just do a chargeback and let Uber deal with the fallout. No need to bother trying to get Uber to make it right; your credit card company will be much more interested in knowing that Uber failed to safeguard their clients' card info. Too many chargebacks can result in higher processing fees, so companies will do everything they can to avoid that.

It's also worth noting that if you do a chargeback, a company like Uber will often block your account and phone from using their services. Do a chargeback against Steam, for instance, and they will ban you, preventing you from playing games you've paid for ("leased" more accurately). So, it's important to be careful about doing chargebacks unless you're sure the company you're doing a chargeback against is one you never wish to do business with again.

It seems like this behavior should also be reported to the credit card companies. In the case of Steam, it seems like what you should do is have the credit card company charge back ALL the purchases you made if they ban your account.

This is exactly why when a new game comes out, I check to see if it is available on GOG.com before checking Steam. Thanks to GOG's DRM-Free policy, you can download and store the game installer. Not all digital distribution is bad.

Try http://itch.io , too (Disclaimer: my company has uploaded games here). It's incredibly developer friendly and they host game jams constantly http://itch.io/jams

GOG's fake-refund policy of "work with support to prove the game opens" is illegal in Australia and probably most countries with consumer protection laws. They're no better at respecting their customers than Valve, they just misrepresent it better.

These days you can finish most modern AAA games in the time countries with decent consumer laws let you refund a product. Not to mention that with GOG's DRM-free policy, you could buy the game, download it, and ask for a refund in no time.

I find GOG's policy a nice middle ground between Steam, on one side, and ruining their business as you suggest, on the other.

The assumption that anyone seeking a refund is trying to screw the company is how criminal policies at companies like Steam and GOG evolve. It's actually easy to identify the bad people while maintaining a legal and ethical policy for customers - two distinct groups.

FWIW, while it's not as convenient as at GOG, you can still play all your Steam games where the publisher/dev didn't add the DRM. Most should then work by copying the installed files.

> It seems like this behavior should also be reported to the credit card companies

Hit them where it hurts: state regulators. If you're in New York, for example, complain to the Department of Financial Services (DFS) [1]. They're hard hitting and know what they're doing. (I think California's analog is the California Department of Business Oversight (DBO), though it isn't, to my recollection, as intimidating as DFS.)

[1] http://www.dfs.ny.gov

There's also the CFPB for those in the US: https://www.consumerfinance.gov/

That's great, thanks. I don't live in New York though, and I'd bet most people reading this don't. I wonder what the equivalent local regulators are.

Someone should make a list of all local regulatory agencies by location. List all places that deal with average Joes as well as how likely they are to respond to you and how often they win against companies.

Steam has a litany of disclaimers to block refunds. Even games dropped by developers don't matter to Steam. I had a few hours registered to a game I could never get to work beyond a few turns but since I "played" it I was not entitled to a refund.

I really dislike digital distribution of games and software on this point. While some Steam games I can run offline I am not sure if all of them can be. Plus how do I reinstall?

It is a sad state of affairs when being a buyer on eBay is safer than buying from Steam.

It always surprises me that I've never seen anyone take real legal action against a platform like Steam over this sort of policy. You can put almost anything you want in your terms of service, but in most places if it's blatantly one-sided and unreasonable there's a chance that courts will strike it down, particularly in areas with relatively strong consumer protection laws like Europe. Something like blocking access to previous purchases because of an unrelated dispute seems about as one-sided and unreasonable as you could get; it's essentially no better than the kind of anticompetitive practices that are explicitly illegal in various other contexts.

I was also under the impression that the card networks frowned upon trying to prevent cardholders from exercising any chargeback right they have with their card. Then again, I have business interests that accept payments via these card networks and I've never even seen the full terms that we supposedly agreed to on the merchant side, so I don't know how I'd check even though we're presumably subject to the same rules, whatever they are.

There's no incentive for a private party to sue them because the losses are so small that even a class action isn't worth pursuing. Any legal action would have to be government-initiated. That's unlikely in the US due to the current political climate, and EU action would do nothing for us across the pond, and vice versa.

In the US that might be true, but a small claims action if they locked someone out of a large number of previously purchased games wouldn't be out of the question somewhere like the UK.

> I had a few hours registered to a game I could never get to work beyond a few turns but since I "played" it I was not entitled to a refund.

Cough, ahem, No Man's Sky...

According to Steam I'd played around 40 hours, but in reality most likely <10 hours active and stupidly left the game idling a couple of nights which racked up the hours.

I tried to get a refund from Steam and was refused. I then tried a chargeback from PayPal, and Steam stepped in and more or less told me that if I continue down this road I'll be locked out of all my games.

A few lessons learned:

1. Don't pre-purchase games

2. Wait a couple of weeks for real gamer reviews

3. Avoid Steam/digital distributions for higher value games.

This has certainly soured me from buying anything costing more than a few quid on Steam.

>> 1. Don't pre-purchase games

>> 2. Wait a couple of weeks for real gamer reviews

I know it's hard to do if everyone you know is playing the latest hotness, but if you can wait a few months, you can usually get the game heavily discounted in one of Steam's (or Humble, Green Man or other Steam key sellers') quarterly sales.

I used to buy my games on release date at or near full price, but these days I try very hard to wait as long as I can for them to get heavily discounted. When you pay much less than full price, the sting is lessened if you chalk up too many hours to get a refund.

> but if you can wait a few months & > playing the latest hotness

To be honest NMS is the only game I've paid for prior to the release date, and even then I only paid for it a week beforehand.

I'm not a huge gamer (with the exception of dipping into Eve Online now and then). But NMS was hugely attractive to me, less so from the gamer/press hype, but from all the things Sean had talked about and demo'd.

That'll learn me.

Yeah, this is the same with me. The last game I bought at full price was watch_dogs, and I felt ripped off that most of the season pass content was the same copy and paste missions as the rest of the game, with only one proper DLC.

Last month I bought Dishonored 2 for £10 and Deus Ex: Mankind Divided for £8, roughly six months after release (when they were £60).

> According to Steam I'd played around 40 hours, but in reality most likely <10 hours active and stupidly left the game idling a couple of nights which racked up the hours.

THIS. I posted my own comment, but I also suffered from the same crash/hang refund issue. The game was so unplayable I gave up, and shut down my Steam Link. Unbeknownst to me, it was still running and therefore Steam refused my refund, and didn't reply to my follow up.

My Steam refund story: Bought a shitty game, asked for a refund but because said shitty game crashed and "ran" overnight, they denied my refund because I "played" for 25 hours straight. It was $5 so I let it go, but I received no response to my follow up regarding the reason why there was time logged. Bad support.

You can run Steam games in "Offline mode" if the network goes down and you were most recently logged into that computer, for up to (iirc?) 30 days.

And reinstalling the games is easy. You can install a copy on any computer you log into. You just can't play more than one at a time.

If you played a game for more than a couple hours, are you really entitled to a refund? And when you mention "Even games dropped by developers don't matter to Steam" do you mean early access games?

Caveat emptor. Digital distribution won't magically prevent you from buying bad games. Look at reviews, try the game for an hour or two, and ask for a refund if you don't like it.

I played a game a while back that was stuck in the tutorial level. The game company said that it was a known bug and that they would provide a fix for it. The fix never came. Steam tried to claim this same thing with me. Yes, I was entitled to a refund despite having tried to change settings and despite being in the main menu of the game.

Steam has an automated refund policy nowadays. You just need to ask for a refund for your new purchase and you will get the refund the next day.

Tried it twice, works wonders.

I don't think that's a good idea, but anyway there are time limits. You can chargeback something more than a few months old.

I assume you meant to say "you can't chargeback..." since you're pointing out there are time limits.

In my experience the time limits are related to delivery of the service. For instance, you pay with a credit card for a service happening 9 months in the future. If the appointed day arrives and the service is not performed, there won't be a problem getting a chargeback even though the actual charge was 9 months old.

And in the case of Steam, the "time of service" is at all points in the future?

I'd certainly make that argument to my credit card company if Steam cut me off completely.

I don't think it's crazy for a software company to want to claim that I'm leasing software from them after a one-time payment, but if that's the case, I also feel like I forever have grounds for the return of my money if they ever break the lease.

With Amex, at least, you can only do chargebacks for purchases in the last six months. Probably similar for others. Just something to be aware of. Even if you have indisputable proof of theft or fraud or whatever.

I'm not surprised; chargebacks are inordinately expensive for the company. The initial cost is usually over $25 regardless of the size of the charge. [1] It can go up from there. If they fight it, which they will likely lose because CC companies stick behind card holders, it will cost more.

To ensure they don't get more chargebacks, they have little choice but to block your account. Most companies will do whatever they can to avoid a chargeback. It's better to start there if you want to maintain a relationship.

[1] https://chargeback.com/chargeback-fees-processor-library/

I know. I experience quite a few with PortableApps.com with open source donations. Unfortunately, if you use something like PayPal, you have to monitor every donation and reverse any suspicious ones and eat the cost regularly. You even have to maintain your own internal list of what email addresses have committed fraud before because PayPal doesn't ban them.

Having been involved with chargebacks from both the consumer and company perspective, for the company, it can be really frustrating when customers chargeback without ever trying to contact you.

Often, the company is happy to rectify the situation if you contact them, because like you said, chargebacks can be expensive per transaction.

In my experience, sometimes consumers will run a chargeback even for legitimate purchases. For example, a spouse will run through a credit card statement and do a chargeback if they don't recognize a purchase, without even checking with their partner. Then, the credit card company often sides with the consumer despite evidence, and if you sold a tangible good, you're SOL.

It's a real problem with Steam or any other place where your account is tied to stuff you want to keep. But with Uber, what would prevent you from just making a new account and carrying on?

Because Uber will go very far to track you and your multiple accounts: http://www.independent.co.uk/life-style/gadgets-and-tech/new...

They can easily tie an account to a phone number.

Get a new number from Google Voice or similar?

I have heard similar stories about Sony's PlayStation store too. If you charge back, they ban your account. Now you cannot play online anymore. Even offline games may not work since the license is tied to your account.

Steam recently got fined for their deliberate, long-running, fraudulent, criminal behavior -


They're estimated to have stolen from Australians 22,000 times out of ~25m population so you can imagine why they scrambled so hard to change their policies before justice was served in the EU or US.

I've never issued a chargeback so I'm in unknown waters, but if I wanted to keep my account with Steam after a chargeback, couldn't I just update my account to use a different credit card?

No, because they ban the account, not the credit card.

You can make a new account and use a new credit card I guess, but you still lost your library of games.

But do you pay an upfront amount to get games on Steam? It's not a subscription then; how do they justify preventing you from using them?

> how do they justify preventing you from using them?

They don't need to justify anything. Their platforms, their rules. You signed your rights away when you clicked yes to the EULA.

Of course, you can litigate, but then you'd end up spending more money than you can gain, and probably no one will find it worth the hassle.

They may have an arbitration clause, in which you agree to not litigate. 4D chess.

That would not hold up in court. At least not in a European court. Consumer law trumps EULAs and it's illegal to put arbitration terms in consumer contracts.

Take a look at what's happening with AT&T and arbitration in the USA. Consumers have lost a lot of their "rights".

EU is generally a lot more consumer-friendly than US. Or company-unfriendly depending on your perspective.

Yeah, you purchase the game before playing it generally. The justification is that you've only purchased a license to play it, which they'll revoke. Still some BS to get locked out if you pay upfront for a game. It's also way worse when you realize how garbage their customer service is. It's pretty hard to get a human on the other side within a week or two, so it's way harder to get wrong things fixed.

Why would anyone use Steam then?

Because it's tremendously convenient, the games are cheap, and there's a two-week, two-hours-played window for refunds.

"But I can't chargeback if I get irrationally gamer-ragey" is not something I've ever worried about, ever.

Credit card charge backs are a federal law created to protect consumer rights.

Steam's ToS are at odds with federal law in this respect as they say I have a 2 week / 1 hour window to get a refund.

Federal law says I have 60 days and then outlines under what conditions, but they are pretty broad.

Previously I purchased a software license for Gamemaker Studio Master Collection (directly from YoYo, not through Steam thankfully).

This was when Windows 10 was very new, but YoYo claimed it was supported. Turned out it had bugs with some configurations and so it was crashing on launch; completely unusable.

I opened a support ticket and was following up, but they had no idea how long it would take to fix it.

Next thing that happens is they drop the price from about $800 to about $400.

There I was, still unable to use the software and now it was 1/2 the price. So I contacted them again and said, "Look, it's been a month now and you still haven't fixed this and you dropped the price to 1/2 what I paid. I've been really patient, the least you can do is refund me the difference since I still can't even use the software."

They came back and said, "No it was $800 when you bought it you just have to wait until we get it fixed."

At that point I was super frustrated and replied back and said, "I'm done, just refund the entire amount and cancel my license."

YoYo's reply was that they don't give refunds under any circumstances and that it was plainly spelled out in the EULA.

So I called my credit card company and they did a charge back.

Circling back, now they sell through Steam and if this had happened Steam would ban my account and block me from ALL software I had ever purchased from them.

It's unethical and bordering on illegal that Steam takes retaliatory measures against consumers for exercising their consumer credit rights as provided by federal law.

Quite frankly Steam should be on the receiving end of a class action lawsuit.

Not charged back. But Steam having a kill switch where they can prevent you from playing any game if for any reason they don't like you? I'm not sure I would pay any money upfront for what is really a subscription.

I don't think it's something that you need to worry about unless you're gonna be overtly shitty. I have my beefs with Valve, but not on this topic. Even if you get caught hacking in a multiplayer game, your account isn't banned (though you may be VAC banned from playing multiplayer in games that participate in VAC). Steam-wide bans only come from chargebacks that are against your EULA--and their refund policy is pretty reasonable, I think--and similar stuff pulled against Steam itself rather than anything you'll do during the course of using the service normally.

And if you're really paranoid about it, you can pretty easily back up games and play them with a cracked Steam DLL. It's not a big deal.

Some games give you no choice.

Well, your card is linked to your account. So you can start a new one, but you won't have access to any of your old games.

I wonder if it's worth making a new account for every purchase, and then writing a script/custom client to map each game to its account, and create an automatic login shortcut for each game. This way, if you find any issues and had to chargeback, you only lose one particular game.

They do some tracking of clients and I imagine if you start refunding more than they would like they would piece two and two together.

The account itself has a restricted set of functionality. Although a little sleuthing on Google seems to indicate there is a time horizon on this. Possibly while they investigate?

Difference between this and Steam appears to be Uber losing control of the account. That's how the purportedly fraudulent charges were made. With the Steam stories I've heard, the card was usually lost and then used on Steam or otherwise the account password was lost by the user.

Yep, I recently tried to cancel a refundable ticket I had bought through Avianca. Their only means of processing a refund is a crappy long web form that doesn't work properly and their support wouldn't do anything besides say "try again later" and refused to transfer me to a supervisor. So I called the credit card company and disputed ticket purchase with an explanation of exactly what happened. The credit card company's customer service was much more helpful and pleasant.

Chargebacks are super useful, but they aren't guaranteed and I try to avoid overusing them so that when you need them you know the credit card company will take you seriously.

I feel the same. I recently used my CC company's customer service to get issued a chargeback for the first time (Amex). It was simple and painless and I was pleasantly surprised. It was for an information lookup service that never delivered the login credentials, had a non-working cancellation form, and an infinite-hold support phone number (clearly in an effort to make it technically possible but incredibly difficult to cancel before recurring charges were billed). As soon as CC support contacted the merchant on my behalf, they immediately issued a refund. Nice to know it's a PITA for the offending merchant; sucks it can be abused easily.

In this case, that'd likely work well.

Just be careful if you intend to keep using Uber - many companies (Steam is notorious for this - folks have lost access to thousands of dollars of games for contesting a single one) will ban you from the service if you do a chargeback.

This is why I don't buy Steam games. In fact, I don't buy any game I can't control an independent copy of.

This really should apply to all software.

Good point. I've always been deeply annoyed by this whole notion of licensing software. I get the theory behind it, but if it's a game that can be played offline, then I should be able to download and store a copy of that game for my personal use, independent of any platform.

I often hear about people using chargebacks a lot. But I only have debit cards, so for me once I spend money there is no recourse. I should get a credit card, I guess.

Credit card(s) are good to have unless they give you an impulse to spend. They have many other benefits too such as [depending on the card] purchase protection, price protection, free roadside assistance, extended warranty, rental car insurance, concierge service, cash back, points, miles, etc., etc., etc.

I've personally used price protection, roadside assistance, extended warranty, and concierge service. Plus many thousands of dollars worth of cash back, points, and miles (probably close to $10,000 total).

You should check the terms of your debit card. My credit union offers $0 fraud liability on its debit cards.

OTOH, getting a credit card and paying the full balance every month is a good way to build your credit history and scores.

Yes, I only skimmed the post so maybe I missed it but it struck me as odd that there was no mention of contacting the bank.

Not all credit card companies are so forthcoming with handling chargebacks.

Mine, for instance, will let me lodge a dispute - however to do so, they cancel my card and re-issue a new one. This means in the N places where my card is in use, I now have to go and update it.

I have noticed that with any type of money processing service (stock broker, bank, ..), whenever any irregularity happens, I end up losing money no matter whether I was at fault.

The asymmetry between me as a customer and a large organisation with a faceless customer service is just so big that complaints take too much effort to reach someone that could do something about it (if they were willing to own up to problems, which they usually are not).

Having the legal right to get any fee refunded and getting it are just so far removed that I would wager all money handling services make non-trivial amounts of profits from unjust fees because they can exploit this asymmetry.

Sadly, for me as an individual the right decision is almost always to let it go because my time is more expensive.

The one company that hasn't totally sucked for me in this regard is AmEx. Every time I've called I've gotten a native English speaker located in the US who actually has the power to reverse charges within a matter of minutes.

This used to be the case - until I talked to them last time. Definitely not a US-based CSR, and completely unwilling to help in a very frustrating situation I had done almost everything right on. I don't charge back often (first time on this card ever, after close to a decade) - so it's not like I have a flag on my account for "shitty customer" or anything.

Basically they utterly refused to chargeback, or even block future charges to a specific vendor that had been charging me monthly for a service I could not use due to moving. The vendor said their policy was I had to cancel in person, and refused to do anything else.

Amex absolutely did not have my back, and I have one of their higher-tier cards. Absolutely have been looking around at alternatives now though, after basically being told they'll let a vendor continue charging me against my will forever and there was nothing they would do about it. They said take the vendor to court.

I ended up canceling the card entirely and having it re-issued, since even changing the number on your card these days isn't enough to stop monthly recurring billing - of course that feature is for your "convenience".

All in all it was a pretty horrible experience that they resolved in the favor of a vendor that was quite obviously playing the "make cancelation super hard so we can collect monthly payments from people who continue to put it off" game - Amex literally could not have cared less one of their merchants was essentially engaging in barely-legal consumer fraud.

Utterly horrible customer service, and this was via many reps and a couple low-tier CSR managers. It's quite obvious to me why Chase and the like are eating steadily away at the once-stalwart Amex customer base. Prior to that experience I would not have remotely considered a different card due to them always being stellar whenever I needed them, and they usually went above and beyond any expectations I had for customer service. That trust built over the decades with me is now completely gone, and it's obvious they are simply yet another card issuer these days.

That "you must cancel in person" level of shittiness is typical for things like gyms. California actually has a specific law dealing with these situations for gyms.

This was a gym, Lifetime Fitness to be exact. I was hoping to go to court over it, but they dropped their collection effort.

Admittedly I could have jumped through their hoops, but I was out of the country at the time and I'm the cut-off-my-nose-to-spite-my-face type of person when it comes to companies pulling this type of bullshit. I refuse to jump through their hoops. Started off just wanting to cancel for 6-9 months until I returned to town, but they made the process so amazingly difficult I will never give another gym a dime of business. "Cancel gym membership in person, scheduled weeks in advance" is not on most folks' list of things to do prior to leaving town unexpectedly.

I did find it amusing the Amex CSR basically told me to book an international flight home to resolve the issue (which amounted to $100/mo or somesuch). I was honestly flabbergasted at the support they gave the merchant, having been an Amex merchant in the past. The vendor must have some strong notes attached to it for me to get so much pushback.

AmEx likely did this because gyms have lawyers that will win the chargeback cases. They'll just FAX over a copy of the contract with your signature on it. Thus, AmEx will end up eating the administrative cost of the chargeback. You are not the first, not even the ten thousandth, person to try to get out of a gym contract by using the chargeback process.

As described in an above comment, my recent experience was different from yours. It was however an online service, and I did initiate dialog with an email support agent who claimed to be 'resolving the issue', but then did not respond to follow-up emails for two weeks. I wonder if mentioning the merchant had already claimed to be cancelling the service, then continued to charge installments, made the difference?

I don't see them being at fault here. You willingly entered into a contract.

Vendors who allow online or over the phone sign ups, but only in person cancellation don't tend to be relying on the quality of their product or service to keep customers.

ISPs are one where if you are not a savvy consumer you won't realize that when they say up to X megabits a second that it's not only a different unit from megabytes, but that anything 0 <= (actual service) <= X is considered meeting the terms of the contract. ISPs are also the type of company where you call to cancel the service, as the contract allows because you are not locked in, and instead of letting you cancel they give you the run around and send you to person after person to try to keep you online.

While we don't know if OP was in the right here from this story, you must have at least _some_ ability to see where they could be at fault.

I agree, them allowing me to chargeback would have been nice but I certainly understand why they would say otherwise. I was hoping to charge back and then meet the merchant in court when they sued, so I could also collect attorney fees in this case. It was egregious. But, I also understood that Amex may take your point of view. I didn't have a problem with this.

Them stating I can't stop future payments though has nothing to do with any third party contract that may or may not exist. It's not up to them to enforce that, and in any case I can assure you said contract did not list American Express as a payment method anywhere on it. They enabled a merchant to extort me because I had at one time years before made the mistake of giving them my Amex account number and the merchant purposefully made it impossible to remove.

Counterpoint: I haven't received a native English speaker in years from Amex. Chase, on the other hand, has always provided support in English and without the need to navigate a phone tree. I'll probably move most of my purchases to them once I spend my stockpile of Amex MR points.


I keep getting random notifications that "my card has been removed from android pay" from Chase and always have to navigate a phone tree. What's this secret shibboleet code[1] you've found?

[1]: https://www.xkcd.com/806/

Several of Chase's credit cards come with that as an advertised feature. But not all of them, which means that it's not "Chase in general" but "Chase, if you have one of these specific cards with them".

I completely agree with you that this is the normal case and too many people really brush this off as business as usual. Just anecdotal, but Amazon actually has been extremely forthcoming with their service and has made right of every issue I've had with them.

And this is why you only ever use credit cards from reputable providers with a proven customer satisfaction track record. I had Uber pulling all sorts of shenanigans against my Amex a few months ago, and instead of dealing with Uber's BS I just had Amex cancel the charges. Done. Zero risk to my personal accounts with actual real money on them.

Never use debit cards when credit cards are accepted, is my general tip.

Or we could just move to a system where it was possible to pay for something electronically without giving a merchant the ability to charge arbitrary amounts into the indefinite future...

This is why I use http://privacy.com for some recurring services and one-off transactions. It pulls from your bank account via ACH a few days after a transaction but the ability to make one time use cards comes in handy.

One of these things is much easier to effect, as an individual.

Use a virtual card.

Agreed. And I give an unsolicited thumbs-up to Capital One. My card has had fraudulent charges made against it multiple times (somewhere between 5 - 10 now), and they've always taken care of it with just one phone call where I get a capable human on the phone very fast to handle all of it, the entire charge reversed, no fees. They are prompt and professional about a replacement, which gets shipped express, they make helpful suggestions about recurring payment merchants I should probably reach out to based on my purchase history.

(No, I don't work for them or have any real love for banks, but credit where credit is due - pun intended.)

Correction: this is why you never use debit or credit cards on the internet.

In a sane world it would be considered insane to use something as insecure. Frankly, they should be considered illegal.

I don't give my wallet to the guy I'm purchasing something from and let him extract the necessary funds - why should it be ok to do so on the internet?

That the banks reimburse me for invalid transactions is not a valid approach - that is directly funding criminals.

Generate one-time cards for every purchase, anything less ought to be considered negligence.

Citibank offers generated credit card numbers that can have a limit in money and time.

I absolutely agree with you here. The only time I use my debit card is to get cash out of an ATM. And that's only because AmEx charges a fee for cash advance.

Any credit card should be safe, at least in a reasonable country. In the US, for example, you have zero liability for fraudulent transactions that don't use your physical card, by law. A bad company might make things a bit more difficult, but you will get your money back.

Totally agree on debit cards. In theory they have similar protections, but the fact that they remove your money immediately can cause a lot of trouble.

I had an opposite (BAD) experience with Amex. I switched my internet provider, called the old one and cancelled the service. They didn't give me any cancellation number, but kept charging me monthly via Amex. They were going out of business (no wonder), so they stopped picking up the phone and had a PO Box for the address, but kept charging!

When I asked Amex to cancel or prevent further charges, they refused to do anything without a cancellation number, which I didn't have and couldn't get.

So, your mileage may vary.

The main reason to use credit vs debit is the longer time window allotted to dispute charges. In some cases, debit cards only allow 48 hours.

> I received an SMS saying “Enter Uber code 5483 to confirm your number”. Thinking someone entered their number incorrectly or similar, and assuming - as I had my phone with me - that my account was safe, I ignored the message.

This sounds like yet another example of why SMS is not a good second factor. The Uber rep's responses seem to ignore the question of how this account was compromised (instead providing suggestions for good password hygiene), so it's not clear to me whether they even think that the SMS PIN is supposed to provide any security at all.

This actually seemed way worse than the monetary details. Uber offered TFA via SMS, and then apparently failed to require it. That's really bad, and sparks concern about all of their other security practices.

Assuming this is accurate, I guess it's time to assume there's an unexplained failure in Uber's security/login rules?

I assume that the attacker did one of two things: either they were somehow cloning the SMS messages so they came to both the customer's phone and to them, or they jumped the gun on an SMS redirect they had set up and the first TFA got sent to the customer; they then retried later and got the message on their channel.

The logical fallacy in your answer is in assuming that, just because the customer got an SMS with a TFA code, an attacker did not get the same or subsequent code and use it. We don't know that.

Of course, it's also possible that Uber's TFA is broken ...

I had been assuming that cloning was very unlikely, yeah. It seems substantially harder than actual redirection or capture would be.

But honestly, I hadn't considered the possibility that they triggered an SMS and then got access later, maybe with a second (rerouted) SMS. That's a good point.

> This sounds like yet another example of why SMS is not a good second factor.

You know, that name is becoming customary, but this is not two factor authentication.

Two factor authentication requires that you successfully authenticate on both of two separated channels to gain access. That SMS crap companies keep doing requires that you authenticate on any one of two channels to gain access.

I think it's because I'm tired, but I'm not following.

I login to $app with my password. $app bounces me to SMS. I then go back to $app with the SMS code.

So I needed my password with $app and the code from the SMS.

In the article, it looks like the code via SMS was never required. Uber sent it out, then allowed a login without it. I've seen something like this before, where companies offer two factor auth via SMS, but also allow SMS as a password reset channel - which means it's not two factor anymore.

But in general, you're right. The problem with SMS as a second factor isn't that it's not two-factor, it's the ease of compromising both factors at once. Hijacking phone numbers is disturbingly easy, and smartphones mean that you can steal one physical token and get both email access (for password reset) and SMS access (for the code).
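The AND-of-both-channels policy described in the comments above, beside the SMS-reset path that quietly makes it single factor, as an added example that is not from the original thread or from Uber; the server, the user "alice", her phone number and the codes are all constructed:

```python
"""Constructed model (not Uber's code) of the two login policies discussed above.
With sms_can_reset_password=False the SMS code is a real second factor: password
AND code are both required.  With it True, the SMS channel alone can replace the
password, the single-factor collapse the thread warns about.  Names are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    phone: str
    pending_code: Optional[str] = None  # last code issued and not yet consumed


class AuthServer:
    def __init__(self, sms_can_reset_password: bool) -> None:
        self.sms_can_reset_password = sms_can_reset_password
        self.accounts: Dict[str, Account] = {}
        self.sms_outbox: List[Tuple[str, str]] = []  # (phone, code) as delivered

    def register(self, user: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), phone)

    def send_code(self, user: str) -> None:
        """Issue a fresh one-time 4-digit code to the account's phone."""
        acct = self.accounts[user]
        acct.pending_code = f"{secrets.randbelow(10_000):04d}"
        self.sms_outbox.append((acct.phone, acct.pending_code))

    def _consume_code(self, acct: Account, code: str) -> bool:
        ok = acct.pending_code is not None and hmac.compare_digest(acct.pending_code, code)
        acct.pending_code = None  # single use, whether or not it matched
        return ok

    def login(self, user: str, password: str, code: str) -> bool:
        """Genuine 2FA: both channels must succeed (AND, never OR)."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        pw_ok = hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))
        return self._consume_code(acct, code) and pw_ok  # code is burnt either way

    def reset_password_via_sms(self, user: str, code: str, new_password: str) -> bool:
        """The weakening path: when enabled, the SMS code alone rewrites the password."""
        acct = self.accounts.get(user)
        if acct is None or not self.sms_can_reset_password or not self._consume_code(acct, code):
            return False
        acct.pw_hash = _hash_password(new_password, acct.salt)
        return True


def sms_channel_only_gets_in(server: AuthServer, user: str) -> bool:
    """Can a party who can read the handset's SMS but never learns the password log in?"""
    server.send_code(user)
    if server.login(user, "wrong-guess", server.sms_outbox[-1][1]):
        return True  # never happens: the password factor is still required
    server.send_code(user)
    if not server.reset_password_via_sms(user, server.sms_outbox[-1][1], "new-pass"):
        return False  # strict server: SMS cannot stand in for the password
    server.send_code(user)
    return server.login(user, "new-pass", server.sms_outbox[-1][1])


def demo() -> Tuple[bool, bool]:
    strict, weak = AuthServer(False), AuthServer(True)
    for server in (strict, weak):
        server.register("alice", "correct horse battery staple", "+61400000000")
    return sms_channel_only_gets_in(strict, "alice"), sms_channel_only_gets_in(weak, "alice")
```

`demo()` returns `(False, True)`: the same SMS access that the strict server correctly rejects is enough on its own once the reset path is enabled.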

I got the impression there was no password input. It's getting way too common to do phone based verification, and authenticate new phones by SMS codes.

If it asked for the password (does Uber use passwords at all?) then yes, I was just saying dumb things; please ignore.

If your Android phone is infected then 2FA effectively becomes a single factor that is under the attacker's control.

Seems like it's possible that the user's phone number was hijacked? In that case SMS verification actually makes their account less secure because it can become a single point of failure.

Wouldn't he know if his phone number was hijacked though? I found Uber's silence on how the 2FA was defeated the biggest issue here.

Could have been hijacked for a brief time, or could have been attacked through a network exploit that duplicates all SMS'es and reflects the copies to an attacker ...

If I get an SMS like this one day, what can I do to stop someone from hijacking my account?

Immediately cancel/close/delete your Uber account. As in the linked article, Uber does not allow you to remove a payment method, only change it to another card or to PayPal.

You could also immediately cancel/freeze your credit card until you've resolved the issue with your stolen Uber account.

I suspect the argument here is simply "we refunded the exact amount we received!" and that they bear no responsibility for the foreign transaction fees, which were probably from the owner's bank.

It sucks but it makes sense for the merchant. The bank should return the fees but the exchange rate difference is likely lost.

Also another good reason not to use a debit card for any online transaction. At least with a credit card, no one can take your money while they're settling the dispute.

The fact that the charges were in a foreign currency isn't the author's fault. He wasn't traveling.

Currency exchange to RU is relatively stable, but you could imagine being scammed from a country with hyperinflation, where a refund 3 months later denominated in the local currency is worth much less. So in general, it's not adequate to be compensated for international fraud in the fraudster's currency.

Yes, that's probably the exact scenario their merchant/banking agreements are protecting them from.

> It sucks but it makes sense for the merchant.

It's the merchant's fault the card was not protected, we shouldn't really be concerned with what makes sense for the merchant.

The merchant can't 'return' things it never got. The fees are billed by the bank to the user. That's none of Uber's business, and (more importantly): Uber has no way to verify if the user had those fees, and if the user's screenshots are correct.

As Uber said: They have no control of this. The user should go to their bank, because they provided the service of currency conversion.

> The merchant can't 'return' things it never got.

Consider the following scenario:

1. I borrow your thing.

2. I break your thing.

3. Oh well, there's literally nothing that can be done about this.

That's not really how torts work. If I cause you a loss, your recovery from me is not limited to the amount I gained by so doing.

Compare, say, a suit for wrongful death. The principle you describe would in general cap damages at $0. Similarly, if Uber is responsible for stealing $430 from my bank account, the fact that they gave $20 of it away is not a reason for them to return only $410.

Yes, but a "tort" is not a "refund."

Should they make the person whole? Absolutely.

Do they have to? Probably not based on their merchant/banking agreements.

You don't get to choose whether you're liable for a tort. Nor will your merchant/banking agreements protect you.

A refund is a settlement to avoid a tort.

The exact same thing happened to Alex Blumberg in this episode of Reply All: https://gimletmedia.com/episode/91-the-russian-passenger/. They investigate and try to find out how his account could have possibly been hijacked with 2FA enabled.

Can someone shed light on how this sort of attack might have been carried out?

To offer one alternative explanation: it could be that the victim had some app on their phone which was logging SMS. The exploit may have involved sending the SMS code to the phone and forwarding it to the attacker. It's possible there was no exploit on Uber's side at all. We don't have enough information to know one way or the other.

Indeed. I think the story here isn't so much about the loss in transaction fees, but how an attacker in Russia ordered and paid for rides with a user in Australia's account.

I notice the victim uses Android: Is it rooted? What other random stuff do they have installed? etc. etc. - because that will make a huge difference.

There are many possible attack vectors. For example, the password could be brute-forced by a botnet, the Android phone could be infected using some Linux kernel vulnerability, SMS could be intercepted because of vulnerabilities in cellular networks. And of course there could be vulnerabilities on Uber's side.

The title of this article isn't accurate. Personally I think it's just meant to scare people.

Money can't be "stolen" from your Uber account.

Someone can find out your password to your Uber account the same way they could get your password for any website. Then they log in as you, and take trips using your account. Your card would then be charged for the trips.

It's OP's fault that someone found out their password. Uber was nice and refunded them for the trips.

> Then they log in as you

Except the account in the article had two factor auth enabled. Someone triggered the second factor (a text message) then logged in without access to it. That's the question at the heart of "how did this attack happen?"

We do not know that the attacker did not have access to the TFA code. That's an assumption. For all we know, it was the customer's roommate reading the SMS off his phone and sharing it to the pirates.

It is certainly possible that Uber's TFA system is compromised, but that's not the only explanation.

And Uber does not give a damn!

In 2015 my Uber account was hacked and 1k was taken from my bank account. Uber knew/knows about their users getting hacked and their PR was that it's the user's fault for using a bad password. Also, I then tried to cancel my Uber account via their site, but there is no option that lets the user do so; it can only be done by contacting/waiting for a support person to do so. It took them a few days to cancel my account.

Needless to say I loathe them for this reason, followed by all their other horrid behavior!

I don't see how it's Uber's fault if someone finds out your password.

I think it's nice of Uber that they refunded OP's trips even though it wasn't their fault that OP's account was compromised. And it makes sense that they just suggested using a strong password. What else could they do?

> even though it wasn't their fault that OP's account was compromised

The article strongly suggests this isn't the case, though. OP had TFA active, but Uber allowed access to his account without requiring the passcode they texted him. We don't know exactly what happened, because the support rep dodged the TFA question every time, but it doesn't appear to be a proper outcome.

They could fix the security vulnerability that allowed authentication of a new device without the 2nd factor of authentication.

And it seems that the banks are aware of this. Two weeks ago I only used a credit card for a bunch of Uber trips in eastern parts of Europe*. Maybe 8 - 10 rides, max 20 euro total charge... the bank found the charges/refunds from Uber suspicious enough to block my card as a security measure (for a total amount of less than 20 euro).

So how did they get access to the account without the SMS pin? The question was never answered!

>>Uber quickly agreed to refund the money. Problem is, the value of the currency had changed, so the money refunded was less than the money stolen: $406.70

I'd just like to point out that if the currency value changed the other way, he would be refunded more money.

I actually wondered where that money is technically going in this case. I rented a car abroad once, a block of 3000 Euro was put on my card, then when it was released I got less money back than it blocked originally since the currency rate had changed. So someone made money on just blocking that money for a few days, but who? The bank?

The rates are not set by your bank, but by your card issuer, e.g. VISA. However it's not the exchange rate differing, it's that they have different exchange rates for charges vs refunds.

When a currency exchange happens, say from EUR to USD, it has a different exchange rate from USD to EUR. When the retailer 'refunds' you, the transaction isn't just cancelled or reversed, you are credited the amount of the original charge (in the retailer's currency), so there is a different exchange rate.

For example, on the VISA Europe [0] site you can see the exchange rate for EUR to USD yesterday was 1 EUR = 1.11661 USD, but the other way around it is 1 EUR = 1.12399 USD.

[0] https://www.visaeurope.com/making-payments/exchange-rates

This is not a normal commercial transaction. Since it only happened by negligence of Uber, there's nothing wrong in principle with making it asymmetric against them.

Shouldn't any normal consumer/customer protection law ensure that the full amount should be refunded? Meaning if due to no fault of your own X amount was charged / taken from your bank account, then that exact amount should be refunded. No matter if the currency changed or not.. as it was never your fault.

This is certainly the case for credit cards, and in my experience, with checking accounts. The bank or processor will manage the investigation and go after whomever stole the money to recover their loss after reimbursing you.

Interestingly, I had someone steal my debit card several years ago, and they went to CVS or Walgreens (can't quite remember). They purchased Visa gift cards, and had video of the transaction in which my card was used to purchase a Visa gift card, so they should be able to have Visa provide the information about the stolen card or at least void it, but they will not. For some reason, Visa et al have decided that it's better for them to just eat the several hundred dollar cost of the card.

It's probably the same kind of calculation as fix vs. buy new. If it costs you $50 to just buy a new one or $150 to hire a repairman, you'll just buy a new one.

I've gotten used to this. If you live in a non-$ country and purchase things in $, if you get a refund, you always get less than what you paid, because of the spread, and because of extra charges that banks impose for "currency conversion".

I think some people are unaware of this and think that just refunding the money to a customer means things are back to square one.

He could probably get it refunded by the bank/credit card company. It was fraud so there's no problem getting a full refund incl FX fees.

Definitely. The merchant isn't always cooperative, though, so sometimes you have to go to your card issuer instead. It sounds like the author hasn't done that for some reason.

In my experience dealing with this, it depends on who initiates the refund.

If the consumer initiates the chargeback, it will be handled in the consumer's currency. Which will result in a fun reconciliation problem for the business.

If the company initiates it will be done in the currency it was originally charged in. Which will give the consumer more or less money depending on exchange rates.

The same thing happened to me last week. Noticed a number of Uber charges being hailed from Moscow, Russia, which was brought to my attention by Chase's fraud prevention. They recognized the charges as suspicious and refused to let any of them through, so I ended up not losing anything besides my debit card, which I had to cancel. Changed my password and ordered a new debit card and everything is resolved. However, I was very surprised to see a hacking effort towards an Uber account versus something like an Amazon account...

If the biggest cost was the foreign transaction fees, then the author should get a credit card without foreign transaction fees. Which seems like decent advice in general.

And to be fair to Uber, they don't have control over foreign transaction fees or changing forex rates. This just as well might have worked out in the author's favor. Uber could curry some goodwill by covering the forex losses and transaction fees in this case, especially since it came out to about $20, but God knows that that's not their MO.

Ah yes, the "if you are not [blank], just be/do [blank]!" argument. Also, it's not the fees on transactions made by the attacker that are the problem, it's ANY money withdrawn from the author's card resulting from the attacker's activity.

Does anyone know how they are breaking 2FA here? It doesn't sound like an SS7 hijack because the message is still going to the correct handset, and presumably if you are carrying out the SS7 hijack you wouldn't proxy the traffic. Was/is Uber allowing people to brute force PINs? Or are the PINs being leaked through whoever is doing bulk SMS messaging for them?

Have any white hats ever audited Uber's ride management protocols? One would hope Uber would combine the ride request, GPS data, etc. from both the rider and driver apps to doubly ensure that the ride really was requested and took place, but now I sense the possibility that they cut corners on development, mostly ignoring data from the rider's app and instead forwarding it directly to a driver's account which has an undocumented God mode of sorts, allowing the driver's app to handle every step of ride management from one blindly trusted data source. If so, then everything could be forged from the driver's side if the protocol were ever to be reverse engineered, and maybe the bad guys finally figured this out.

I have a friend who works for Uber. They care about this DEEPLY. In emerging countries, there are large-scale fraud rings that involve driving around with dozens of phones in a car that are automated to request and complete rides. The driver just toodles around town all day. The botnet operators collect large numbers of stolen cards and cycle them through the funnel.

If Uber can't find and plug the hole for fraud pathways before the criminals scale them, they will lose their shirts on chargebacks.

Interesting post, but the title is quite misleading - something closer would be “Someone can hijack your Uber account and charge you for their rides”.

The title gives the impression that your credit card can be used for transactions outside of Uber by attackers.

I had this happen to me. Since I wasn't in Amsterdam, it was pretty clear that it was fraud of some sort. My credit card company handled everything and I canceled the card.

Uber customer support staff are certainly very understanding and sympathetic...

> I'm so sorry to hear for any alarm this may have caused

> I'm sorry to hear about such a frustrating experience

> and I can totally understand your frustration here.

> My pleasure to get this sorted out for you. I'm sorry to hear this wasn't the 5-star experience

> I certainly understand your concern

Knock that shit off, please? We all know it's bullshit.

Perhaps this has some clues as to how the SMS code was intercepted:

Why would you fight Uber for these charges in the face of such obvious fraud? Just dispute them with your credit card.

Not properly safeguarding data AND HR problems? Why do you still have an Uber account?

Uber is like the Kardashians of the tech industry, every other news is a scandal. It's interesting to watch pure human vile turn a big success and a bigger potential into nil.

Anyone else notice that they gave the driver one star? I get that you don't like Uber but it's hardly the driver's fault.

Most likely, the driver is fake or complicit. The ride is just a way to "launder" the money out from Uber. Get access to an account, fake a long ride, get that money.

Uber has no way of accounting for the exchange rate changes from their end. A charge back will fix the problem for the OP.

Surely Uber could just look up the exchange rate

I assume different card issuers/card processors will charge slightly different exchange rates and they will all have different FOREX fees and associated charges.

Chargeback? I believe all CC companies offer that, and it's pretty effective?

Newbie here. Any guess on how this account was compromised?

See my comment above, but it could be that there was a compromised app on the phone snagging SMS messages and forwarding them to the attacker.

Money can be stolen. From pretty much anywhere.
