“Phantom Trips” Reported After Stolen Uber Accounts Went on Sale in the Dark Web

A couple of weeks ago, Angie Bird received what seemed to be her regular credit card statement. In it, a series of trips to the Mexican cities of Guadalajara and Aguascalientes were billed via the famed passenger-hailing app Uber. Bird never left London though, and lives a good 5,500 miles away from where the trips supposedly took place. Five trips were billed on her credit card statement—including one with a certain Jose Antonio—to a destination 790 meters away.

Bird was not alone. Another Londoner, Franki Cookney, was taken aback by a $600-bill on her credit card statement for three Uber trips in New York City when she was, in fact, in Australia at the time the trips were booked. Interestingly, the trips could only be described as ones that no “regular” Uber patron would make—including a 95-minute trip worth almost $200 that began and culminated at the same location.

These recent cases are reminiscent of incidents of “phantom trips” charged to British Uber accounts in 2015. U.S. authorities have started looking into reports of unauthorized trips billed on accounts belonging to customers in the U.K., including TV personality Anthea Turner, who called out the ride-sharing service on Twitter. Such instances led to speculations of Uber accounts being sold in the underground market.

In March 2015, Motherboard reported findings of several vendors offering hacked Uber accounts. The report identified underground sellers such as Courvoisier, who charged $1.85 per account, and ThinkingForward, who even created a “buy 1 get 1 free” promo on accounts sold for $5. Not long after, a subsequent report showed an increase in vendors, including some who sold compromised details in bulk.

At the time, Uber was quick to respond that they didn't find evidence of any breach that could harvested information from their database. In a statement, a representative noted, “We have no further details at this point—this is now in the hands of the authorities. I want to stress—we conducted a thorough investigation of this report and found no evidence of a breach on Uber systems.” In addition, the company left a reminder for its consumers, “This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”

This was not far from how the billion-dollar startup responded to the new fraudulent sightings involving the transportation service. As such, an Uber spokesperson stated, “While there has been no breach of Uber’s systems, we would like to remind our users to always use unique passwords for different online accounts. As has been highlighted before, when people use the same password on more than one site, and one of those accounts is compromised, then anywhere else with the same log-in details can also be accessed.”

While the company assured the public that there was no breach that could have led to the sold credentials in the dark web and no direct connection to the seen hacked Uber credentials in the underground market to the recent reports of fraudulent trips, the continuing rise of stolen identities is a cause for concern among consumers and the authorities as reports of unauthorized bookings still continue.

Stolen personal information are used by cybercriminals to create fraudulent accounts. Often, when an individual’s personal information falls into the hands of an online crook, this could lead to the theft of one’s identity, the same way stolen Uber accounts led to the unauthorized bookings supposedly made by the legitimate account owners.

 [Read: Identity theft and the value of your personal data]

This isn’t the first time that Uber received heat for failure to protect the personal information residing in its systems. In January, Uber was made to pay a $20,000 fine in New York after an investigation revealed the exposure of over 50,000 present and former drivers who signed up for the popular application. The settlement also served as a mandate to revamp and bolster its hotly-debated data privacy and security measures.

Currently, Uber assured that the reported irregularities in hacked Uber accounts were duly refunded. As such, the company also made sure that credit card credentials are not stored locally, thus making it impossible to claw out such details from the  app  itself. It notes, “It is not possible for anybody who logs into an Uber account to access credit card details, and we have already made significant changes to reduce the ability for criminals to take trips on compromised accounts. We are always enhancing the ways we protect users.”


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.