By Jason Laughlin, The Philadelphia Inquirer
WWR Article Summary (tl;dr): In March 2015, "Motherboard," an online tech magazine, reported hackers were selling information on the dark web about thousands of Uber accounts for $1 an account, allowing buyers to take Uber rides on someone else's dime. Bottom line: be on the lookout, and double-check your credit card statements!
What Uber has described as "a glitch" in its computers led to a number of users being charged improperly, in at least one case for more than $28,000, according to the ride-hailing app giant.
The company said the glitch affected "a handful" of users and was a temporary problem. Its engineers are working to ensure a similar glitch doesn't happen again, according to a statement from the San Francisco-based company.
Uber typically puts an authorization hold on an account when a person orders a ride as a way to confirm the payment method.
The glitch caused that authorization to be much larger than is normally charged.
The company declined to say how many people were affected, but at least one Philadelphia woman, who declined to be named, said her bank flagged and blocked a charge from Uber for $28,639.14.
The explanation of what happened was contradictory. Initially, the Philadelphia woman received an email from Uber stating her account was hacked.
"Your sign-in information seemed to have been compromised/phished from another website and then tested on our platform," the Dec. 9 message from Uber's customer service stated. "This kind of fraud is highly sophisticated."
Six days later, though, the company sent another email saying it had erred and her account "had not been compromised."
"Your information is safe, and the charge that appeared on your credit card statement was an unusually large authorization hold," Uber customer service wrote in the Thursday email. "This was never processed as a payment, and our engineering team has been made aware of this error."
Drivers who use the Uber app do not have access to passengers' payment information, the company said.
Apps like Uber have become popular targets for hackers. Less well-protected than banks, companies like Uber or Netflix do business almost entirely online and have people's personal and financial information stored in databases.
"First stop is to go someplace that has huge databases brimming with information," said Adam Levin, a cybersecurity expert who had served as director of New Jersey's Division of Consumer Affairs.
There are myriad ways hackers access people's information, from breaking into corporate databases to phishing, which involves tricking people into revealing personal details and financial information through fraudulent electronic communication like phone calls, emails and texts.
More than $1 billion was taken through internet crime in the United States in 2015, according to the FBI, with more than 127,000 complaints of losses. Personal data breaches accounted for 19,632 reported incidents, and phishing and related crimes accounted for 16,954.
Making life easier for thieves is people's habit of using the same login and passwords for all their online accounts. Having a person's Gmail login, for example, can be the key to accessing all their apps and online accounts.
In March 2015 Motherboard, an online tech magazine, reported hackers were selling information on the dark web about thousands of Uber accounts for $1 an account, allowing buyers to take Uber rides on someone else's dime. Uber told the magazine the data were not leaked due to a security breach in its system. In October 2015 Uber accidentally made personal information for about 600 drivers public online, Motherboard reported.
Hackers can work for organized crime groups almost as contractors, extracting information and selling it to a syndicate, and Eastern Europe has become a nexus for these crimes.
"What we're seeing in 2016 is organized crime getting a partnership with hacking groups and computer hackers themselves," said Brian Herrick, an FBI special agent supervising Philadelphia's criminal computer intrusions squad.
The FBI has begun embedding agents with law enforcement in countries like Bulgaria and Germany to respond to these breaches, Herrick said.
He recommended that people use different passwords for different accounts, and use a phrase rather than a word. He also advised people to check their bank accounts daily and to buy apps only through Google or Apple, which vet products. Apps bought through other sources can be a means hackers use to gain entry to smartphones.