There wasn't enough information in the article to explain how this scam worked. I understand that they would make large fake orders as customers, which they would then cancel, but what are the normal procedures when that happens? The article says they'd just buy a lot of gift cards, but I don't understand how that wouldn't be immediately detected and how Uber wouldn't have blocked them immediately.
Does anyone have more details on the logistics of this scam?
Two men from the Fort Lauderdale, Florida area scammed Uber Eats out of more than $1 million over 19 months, local police say.
The suspects carried out the scheme — which began in January 2022 — by creating fake accounts on the Uber Eats app to act as both the customer and courier when placing grocery orders, the Broward County Sheriff's Office said in a statement. This worked because Uber Eats provides couriers with prepaid cards they can use to purchase up to $700 to complete customers' orders.
Police claim the suspects would show up as couriers for their fake grocery orders before canceling them and using the prepaid cards to purchase gift cards at the stores.
According to the sheriff's office, "On January 24, 2023, detectives conducted a surveillance operation and observed Morgan and Blackwood travel to 27 different Walgreens committing fraud that totaled a $5,013.28 loss for Uber that day."
Yes, I understand all that - you just copied the beginning of the article, which I read.
But that still doesn't explain why Uber's systems allowed that at all, which seems insane to me. Reading other folks' comments, it seems that Uber Eats allows an order to be canceled after it has already been purchased, which to me is already crazy, but if that is indeed something that Uber intentionally allows, what do they tell Uber Eats couriers to do with the purchased items? Do they say "just throw it away"??? I would expect that Uber would require some evidence, or at least give some guidance, on what couriers should do in this situation. The whole thing just doesn't make any sense to me.
> Yes, I understand all that - you just copied the beginning of the article, which I read.
Some people have a problem with visiting /. You asked. I said where I got the explanation from so that other people don't have to navigate away.
> But that still doesn't explain why Uber's systems allowed that at all
What did you expect? Uber to give some sort of explanation as to how their systems can be exploited? It's surprising that the details were released at all.
My assumption here is they exploited a race condition between order cancellation and spend, as well as the lack of transparency on spend items.
As in, Uber has to provide some allowance for the Uber Eats courier to spend while the cancellation happens.
1. Enter order for $700 of whatever
2. Go to store.
3. Cancel order
4. Buy $700 gift cards immediately
Uber sees the driver doing his job. Credit cards don’t report what’s bought, only that $700 was spent. Uber courier says “oops, I didn’t see the cancel in time”. Customer isn’t charged in this case, they cancelled.
They leave with $700 of gift cards.
Still, seems easily detectable behavior, but maybe it’s common anyway.
When this story came out a couple of months ago, I didn't really understand how this would go undetected for any amount of extended time. One driver keeps having hundreds of dollars in cancelled orders and there's no tracking of it?
Every single driver at the airport repeatedly cancels over and over if the fare is less than 100$ - clearly there is no tracking going on of anything at Uber.
Recently I had one driver claim he picked me up then ended the ride immediately, claimed the full fare and it was a massive shitfight to prove to Uber that it was fraudulent.
Why don’t you just use American Express? If I have a merchant dispute and they don’t fix it after 1-2 emails, I just charge it back by calling AMEX. It works fantastically well.
More than likely, yes. Chargebacks work way better for goods than they do for services. The online store you bought goods from might ban you if you initiate a chargeback, but usually with stores it's not that big of a deal, there's an alternative store to go to anyway.
Why would you want to continue doing business with a company who put you through a “massive shitfight” over money owed to you? I would charge back and never do business with them again.
I’ve had enough deliveries where the person making the drop off isn’t the person on the app (wrong gender often) to think there’s a pretty heavy trade or even loaning of accounts enough so that these guys may have had a large stable of courier accounts to work from.
I’d not be surprised to find a healthy gray market of people “renting” their courier account out.
Anecdotally, and perhaps unfairly, in my head I have attributed this to be couriers who may have trouble finding legal work due to residency issues. I have not had a problem with it.
Sometimes there are teams of two doing deliveries. It seems much more efficient, because the driver doesn’t have to actually park, and I also wonder if they can get more orders by having two accounts open at once.
Yeah, I've come across this plenty of times. When it is food delivery I don't really care, but sometimes a totally different car than shown on the app will pull up to give you a ride and expect you to get in. No thanks, that's a cancellation from me.
Sometimes the companies notice the scams but let them continue until the amount gets big enough for the authorities to take them seriously. Similar to how stores will let repeat shoplifters keep stealing until the total amount has crossed the threshold for the state to prosecute them, and only then report it.
Large companies have departments. Communication between departments about discrepancies can be slow, allowing fraud to fly under the radar for quite some time.
Big companies can have major blind spots like this that in hindsight are obvious, but you'd be surprised what is undetected. Departments cannot easily communicate with other departments about discrepancies--communication tends to be slow; this allows stealthy criminals to get away for quite some time under the radar.
There was an incident where someone did $100 million of invoice fraud against Meta and Google, until finally caught.
"Uber continues to invest in robust anti-fraud systems and technology, which allowed our Global Investigations Team to proactively alert law enforcement about this case"
$1,000,000 / 700 = ~1500 trips starting in January last year. 20 months = ~75 trips a month or about twice a day.
I'm not sure Uber understands what the word, "proactive" or "robust" means.
(russellbeattie... I recognize that name... small world. Sorry for digressing. Russell: I've got to thank you for https://www.russellbeattie.com/blog/1008770. We all felt so proud after reading that review! Finally someone who got it. I was the person who led the product design/engineering effort during its first decade.)
The Opera Mini browser was amazing. Did any of the people that worked on it end up working on anything open source making use of the same ideas?
I’m dreaming of having an open source backend that I could run myself on my server, and that would similarly download and compress pages and then send a representation of the page that can be displayed on my iPhone without the app running any JS or anything.
Greater security, and also it would make me able to browse even in bad coverage areas where currently all that happens is I wait an eternity for things to try to load and they just time out.
Basically, I wish there was an open source backend and app that behaved like Opera Mini used to.
Web pages don't really work without in-page/dynamic javascript any longer.
On the other hand it's now cheaper than ever to just have a full-blown webkit instance in the cloud and just sync/stream the dom tree paints to the client. A bunch of products do that, I think.
Back then we had a moat because
a) Opera's Presto used so much less memory than Webkit - after having gone through so many painful memory optimization efforts, particularly with Japanese mobile browser deliveries, but also with Symbian.
b) We figured out a way of making 90% of the web javascript work by keeping "tabs" around on the server for a few minutes and then just replaying carefully selected input events and capturing the output, with some kinda clever heuristics. That combined with the low memory usage did it.
Webkit used like 10x more memory per tab/window back then, iirc. And RAM was expensive.
Wow! That's a blast from the past! I'm flattered the post meant so much to you and your team that you remember it 17 years later!! The review was well deserved, Opera showed how good browsers could be on mobile, and really presaged how important they would become once smartphones took off. You guys were way ahead of your time.
I still find it interesting how personal blogs could have an impact back then when they were still a relatively new idea. Google gave us preferential placement in searches, and the result for many of us was a boost in our careers and an outsized notoriety. You're not the only one who's contacted me years later about something I wrote back when. I would never have predicted that at the time.
I used Opera Mini for many, many years on a variety of phones, from "dumb" feature phones to my N-Gage. What an incredible product it was! Thank you for allowing me to read cool stuff in Wikipedia while I was bored in school. It made things a lot more bearable.
To get even more meta, isn't it quite incredible that 17y later not only does the blog still exist, but we have the author and a key subject (or person behind subject) in the same comment section?
Not even like it's particularly niche, 80s arcade games ported to 90s machines forum dot net or something.
It's not like we died or decided to suddenly switch careers and become car salesmen or something. I was just a blogger. I find it even more amazing when someone truly important or influential comments on HN on things they worked on, say in the 1990s. A while ago there was a thread about Sun Microsystems GUI which used PostScript and one of the original developers chimed in and I was astounded.
Sure, sorry, I just thought it was nice. Yes obviously even older is even nicer. A lot of just bloggers 17y ago won't still have their blog (or not that one) up, these things rot. And then just you and someone it had a particular effect on happening to be in the same comment section (about something else) at the same time and noticing... Idk, whatever, I just thought it was nice!
You have a certain "budget" for losses like this. Beneath a certain amount, you just take the loss, as it's more cost effective than spending man-hours on it. Their fraud systems and dedicated fraud teams are better off alerting on the "whales", so to speak. And in these cases, if you're gonna lay accusations and ban people, you'd rather be more certain (i.e. minimize false positives).
All that is to say, it's understandable if they only pounce once it gets to a certain level of badness.
So what you’re suggesting is Uber has an actionable fraud threshold and if an intelligent actor wanted to float beneath that with fake accounts and identities they could extract even more?
Yes. Same for all the big tech companies. I guarantee you people are already doing this in every way you can imagine and many you can't. Source: Worked on bad actor detection at FB.
That article doesn’t make any sense. At big companies like this you can’t just send money to someone who even convincingly looks like a vendor or partner. You need to have a PO created with the vendor as the recipient, and there are entire purchasing departments who vet recipients and make sure things like the legal name of the entity matches the wire instructions and so on.
I’d imagine that medium sized companies without much process might be vulnerable to this, but FAANGs?? No way.
If KNOWN_PARTNER simply emails an invoice and wire instructions to an employee of one of these larger companies, there is no way in hell that’s getting paid without multiple people in the paying company simultaneously screwing up.
Not having automatic fraud detection that can alert on... (a) new accounts in a (b) geographically-specific area that are (c) failing to balance at a greater than average rate... sounds pretty basic.
You'd assume it would be one of the most common use patterns for structured fraud.
Maybe when you fail at due diligence so blatantly, you should no longer be able to prosecute or press charges. They deserve to lose their shirts at this point.
I can't shake the feeling of disparity - as an ordinary Joe, you are presented with dozens of contracts for loans, mortgages, life insurance. The fine print is incomprehensible to an average person, and yet you could lose your shirt if you get it wrong and the law is not on your side.
I know these are different situations, but I am getting these vibes.
Uber has so much $ from VC that this is peanuts, so it's not a priority. Eventually they noticed the theft and contacted authorities and fixed it.
Uber has defied all predictions over the past 13 or so years of running out of money: there is always more $, and stock price keeps going up. It sorta defies reality--like Amazon in 2015 in this regard or Tesla in 2013.
Western Union money transfers used to be the way. I don’t know for sure, but I imagine the western union staff now have a lot more questions to ask before performing a transfer.
Gift cards are just too easy to buy and use, and the people selling them aren’t paid to care what you do with them. Bitcoin ATMs might be what would replace gift cards for scams, but these are harder to use than gift cards.
Western Union was the de facto way for fraudsters to send funds for many years. They didn’t ID the recipient when picking up orders under 700 or 800 dollars. Scams were easy to spot, they t shears try to get you for something just below that threshold.
Gift cards are not foolproof either, anyone who touches it along its existence can extract funds, as everyone who touches it would see the card number and PIN. So there is implied trust when dealing with them.
Cloned debit cards, credit cards, or gift cards? And if debit or credit, how could they be cloned if they have a chip? I assumed chips protect cards from that and skimming.
Gift cards are a scam even when used "correctly". Its whole purpose is to convert fungible money into something worse and conning you into thinking it's a good deal.
Where do you get discounted gift cards? I just checked two major retailers in the UK and they only sell those at face value.
I wonder if those "discounted" cards you see are actually an artifact of money laundering where illicitly-obtained cards (from victims of phone scams?) are being laundered.
The underlying cause here is that companies like Uber simply leave too much room for scams and arbitrage opportunities with their massive "growth" budgets and non-existent abuse detection. Anyone remember the story about the pizzeria owner who made money by ordering his own pizzas when he found out that DoorDash listed his restaurant without his knowledge and was charging customers less than the actual price? Or people who create new accounts whenever they order to always get their food for free via "new customer" promos? In this particular case is there any reason for Uber to not charge customers the full amount when they cancel orders after they have been prepared/shopped for?
1. Customer places order for $700 worth of avocados.
2. Uber Courier accepts the order; goes to grocery store for which Uber has issued him a $700 debit card that can only be used at that grocery store.
3. Customer canceled the order, but Uber somehow doesn’t automagically cancel the debit card, so courier buys $700 of visa gift cards.
4. Somehow Uber doesn’t monitor that issued debit card balances on canceled orders are being spent and they are bleeding $$$.. until it goes over $1MM.
Uber sees a line item for $XXX, at say Vons, and that's all they see. Generally food items are non refundable/returnable, so they have to eat the loss on canceled orders. It's actually a pretty solid scam, the issue is hiding it at scale.
Several metrics probably make them stand out:
- ratio of canceled vs fulfilled orders; frequency thereof
- ratio of average cost of canceled order to that of other drivers
- ratio of canceled orders on the consumer accounts vs population
Had they stayed small time, they probably would not have been caught.
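The three metrics listed in the comment above, computed over order records, as an added example that is not part of the original thread and not Uber's code. The record layout, the sample orders (constructed), the thresholds and the function names are all assumptions; each account is compared against every other account so that a heavy canceller does not inflate its own baseline.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data: (courier, customer, order total in USD, status).
_ROWS = [
    ("c1", "u1", 42.10, "fulfilled"), ("c1", "u2", 63.50, "fulfilled"),
    ("c1", "u3", 28.75, "fulfilled"), ("c1", "u1", 55.00, "cancelled"),
    ("c1", "u4", 71.20, "fulfilled"), ("c1", "u2", 38.40, "fulfilled"),
    ("c2", "u3", 47.90, "fulfilled"), ("c2", "u4", 66.00, "fulfilled"),
    ("c2", "u5", 31.25, "cancelled"), ("c2", "u1", 80.10, "fulfilled"),
    ("c2", "u5", 52.60, "fulfilled"), ("c2", "u2", 44.00, "fulfilled"),
    ("c9", "u9", 698.00, "cancelled"), ("c9", "u9", 700.00, "cancelled"),
    ("c9", "u9", 695.50, "cancelled"), ("c9", "u8", 699.00, "cancelled"),
    ("c9", "u3", 35.00, "fulfilled"), ("c9", "u8", 700.00, "cancelled"),
]
ORDERS = [dict(zip(("courier", "customer", "total", "status"), r)) for r in _ROWS]


def _ratio(own, rest):
    """own / rest, with a defined result when the baseline is zero."""
    if rest:
        return own / rest
    return float("inf") if own else 0.0


def outlier_ratios(orders, key):
    """Per account (key = "courier" or "customer"): cancel rate and mean
    cancelled-order value, each divided by the same figure for all others."""
    grouped = defaultdict(list)
    for o in orders:
        grouped[o[key]].append(o)
    report = {}
    for entity, own in grouped.items():
        rest = [o for o in orders if o[key] != entity]
        own_c = [o["total"] for o in own if o["status"] == "cancelled"]
        rest_c = [o["total"] for o in rest if o["status"] == "cancelled"]
        own_rate = len(own_c) / len(own)
        rest_rate = len(rest_c) / len(rest) if rest else 0.0
        report[entity] = {
            "orders": len(own),
            "cancel_rate": own_rate,
            "rate_vs_others": _ratio(own_rate, rest_rate),
            "cost_vs_others": _ratio(mean(own_c) if own_c else 0.0,
                                     mean(rest_c) if rest_c else 0.0),
        }
    return report


def flag(orders, key, min_orders, factor=3.0):
    """Accounts with enough history whose cancel rate is >= factor x the rest.
    min_orders and factor are illustrative thresholds, not tuned values."""
    report = outlier_ratios(orders, key)
    return sorted(e for e, r in report.items()
                  if r["orders"] >= min_orders and r["rate_vs_others"] >= factor)


if __name__ == "__main__":
    for key, n in (("courier", 5), ("customer", 2)):
        print(key, flag(ORDERS, key, n), outlier_ratios(ORDERS, key))
```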
Yeah, but this is so easily prevented by making it so the order isn't cancellable after the order has been run on the debit card.
From my understanding the debit cards are dynamically turned on and off and authorized only for the amount of the order. I would guess that means that they have near real time ability to see if the order has been paid for by Uber. This is pure, lunatic, shitty product management. Can you imagine if Amazon allowed you to cancel your order after it shipped?
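The control proposed in the comment above, set against the cancel-then-spend ordering hypothesized earlier in the thread, as an added example that is not part of the original thread and not Uber's code. `OrderCard`, its states, the single-swipe rule and `replay` are a hypothetical model; `enforce_state=False` reproduces the behaviour commenters assume, `enforce_state=True` ties card authorization to order state.

```python
import threading
from enum import Enum


class State(Enum):
    ACCEPTED = "accepted"    # courier assigned, card allowance live
    PURCHASED = "purchased"  # card has been run for this order
    CANCELLED = "cancelled"


class OrderCard:
    """One order plus the prepaid-card allowance issued for it (hypothetical)."""

    def __init__(self, limit_cents, enforce_state):
        self.limit_cents = limit_cents
        self.enforce_state = enforce_state
        self.state = State.ACCEPTED
        self.spent_cents = 0
        # Cancel and authorize take the same lock, so the state check and the
        # state change are one step and neither can slip in between.
        self._lock = threading.Lock()

    def cancel(self):
        with self._lock:
            if self.enforce_state and self.state is State.PURCHASED:
                return False  # card already run: cancellation refused
            self.state = State.CANCELLED
            return True

    def authorize(self, amount_cents):
        with self._lock:
            if amount_cents > self.limit_cents - self.spent_cents:
                return False  # over the order's allowance
            if self.enforce_state and self.state is not State.ACCEPTED:
                return False  # order cancelled or already purchased
            self.spent_cents += amount_cents
            if self.state is State.ACCEPTED:
                self.state = State.PURCHASED
            return True

    def unrecovered_loss(self):
        """Card spend on an order that no customer will be charged for."""
        return self.spent_cents if self.state is State.CANCELLED else 0


def replay(enforce_state, events, limit_cents=70_000):
    """Apply ("cancel", 0) / ("spend", cents) events in order."""
    card = OrderCard(limit_cents, enforce_state)
    results = [card.cancel() if kind == "cancel" else card.authorize(cents)
               for kind, cents in events]
    return results, card.unrecovered_loss()


if __name__ == "__main__":
    sequence = [("cancel", 0), ("spend", 70_000)]
    print("state not enforced:", replay(False, sequence))
    print("state enforced:    ", replay(True, sequence))
    print("spend then cancel: ", replay(True, [("spend", 70_000), ("cancel", 0)]))
```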
Easy in the technical sense, certainly. The issue moves to UX. Likely there's some metrics/calculus that suggest that eating the occasional customer caused loss is actually more beneficial to the bottom line than having the customer eat it.
I'd expect that having customers swallow the cost of late cancelations would likely alienate a large fraction of them; perhaps the calculus is such that the money saved doing this is actually less than the lifetime value of the average customer.
I've seen this said a few times here in various ways, but the optimal amount of fraud is non-zero [0]. While it's feasible to eliminate most/all fraud in various arenas, it's not cost effective to do so.
Back in 1999, ordered a book from Amazon, it took over 5 weeks, asked for a resend (cause I thought the package was lost), got a resend... then both books arrived.
When the scammer attempts to scam a scammer, who is then scammed by another scammer, which scammer wins? Which scammer is at fault?
Honest question, how do you afford to have food delivered so often? Maybe I’m just old but… It seems so incredibly expensive. I imagine people who use Uber eats a lot must be extremely busy, have a lot of money, or just hate cooking.
Not sure what the question is? Are some people in the world financially well off? Yes they are. And spending $20 on delivery a few times a week doesn't exactly require a billion dollars in the bank.
60% promo in NYC makes it cheaper to have $20 worth of food delivered to my door than to buy $17 of food from the same restaurant in person. It’s very strange.
The two suspects — 21-year-old Trayon Morgan and 38-year-old Roy Blackwood — now face charges of organized scheme to defraud and grand theft following their arrests earlier this month, police say.
Funny how it's some kids who made $1 million will only face state charges, and keep a decent chunk of $, but when it comes to crypto frauds, like insider trading on Coinbase or NFTs, the amount of $ is way smaller, the charges way worse, and the criminals from white collar backgrounds. It shows how the best criminals are not where or who you'd ordinarily expect. The lesson is stay away from crypto and keep it state instead of federal.
While obviously the lesson is to not break the law, I believe it is common knowledge that federal crimes are typically more severe than state ones. Feds have more resources, and the courts hand out more severe sentences.
Feds would be unlikely to prosecute this. It all occurred in FL, Uber likely had a Florida Nexus. Then it's a dicey case. It seems like clear fraud but the platform obviously allows users to cancel the order and instructs the buyer most likely to discard or donate the purchase. The buying of gift cards is the element that evidences fraud but Federal prosecutors don't really take chances on minor crimes if they can't get a plea or be 99% sure of a conviction they won't pursue.
If these guys had been smart though, they would have just dealt with the meat man. The meat man is who people with extra food stamps sell to in order to get cash. They go buy meat from the store and he buys it at a discount. When you see videos of people shoplifting like 30lbs of meat it's not because they are about to have a BBQ they are going to sell it to the meat man. He will in turn supply all the people who set up their grills in gas stations and sell plates.
I'm sure the meat man could work it out to have all his regulars place real grocery orders and then cancel them that an Uber buyer picks up and then sells to him.
And if the situation was reversed you would complain about how poor people get the book thrown at them and white collar criminals can buy their way out of the justice system.