Two weeks ago, my brother got an alert: his Uber was arriving.
This was a fairly normal occurrence for him, except that he was firmly seated at his office in Madison, Wisconsin, and the Uber on the screen was on the outskirts of London.
The text and email from Uber confirmed his fear: his email and password had been changed.
He was locked out with a $US31 bill for the London joyride.
Like my brother, many Uber users have found their accounts taken over since March after stolen account information was posted for sale on the dark web.
The company investigated and found no breach in its system. While the spate of London-based account takeovers is ultimately a reflection of poor password management by its users rather than a problem with Uber’s security, the company is still working to get ahead of larger-scale account lockouts.
Part of that includes ultimately ditching the email and password system that hackers use in favour of a mobile-first approach.
“Uber is committed to developing security features that go beyond relying on email accounts and passwords for verification,” the company told Business Insider. “We are investing in rules engines and machine learning and believe we will be able to create a higher quality experience in the long-run by putting resources into technology solutions.”
The machine learning system takes time to train as new types of fraud emerge. The London-based account takeovers meant the company had to add even more rules, the source said.
Uber is also being more aggressive about actively acquiring account information when it’s posted on sites like Pastebin and notifying users if their accounts could have been compromised, the source said.
My brother, unfortunately, didn’t receive this friendly heads up.
Since the hacker had somehow acquired his login information, he or she was able to go in and update the account information with nothing more than a text sent to my brother telling him to email support if it wasn’t him. (Uber has since refunded the trip cost and reinstated his account access.)
To prevent that from happening in the future, Uber is testing two-factor authentication in one market. That means that my brother would have received a text on his phone when the hacker was trying to change his account. He would have realised something was wrong and the hacker never would have gotten to hijack his account.
“We have been experimenting with two factor authentication in one market, and also exploring alternatives,” Uber said. “We may invest more heavily in this area in the future, but given the very limited adoption of second factor authentication on other services, are focusing even more right now on security that will work for all users.”
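As an added illustration (not Uber’s code, and not something the article describes in detail), the contrast between the notify-after flow my brother hit and a step-up check that holds a sensitive change until a code sent to the phone already on file is entered. The account fields, the SMS gateway and the phone numbers are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    phone: str                                   # number already on file
    pending: dict = field(default_factory=dict)  # change awaiting a code


class SmsGateway:
    """Constructed stand-in for an SMS provider: records instead of sending."""
    def __init__(self):
        self.outbox = []

    def send(self, phone, text):
        self.outbox.append((phone, text))


def change_email_notify_only(acct, new_email, sms):
    # The flow described in the article: the change is applied first and the
    # registered phone is only told afterwards to contact support if it wasn't them.
    acct.email = new_email
    sms.send(acct.phone, "Your email was changed. Not you? Email support.")
    return True


def request_email_change(acct, new_email, sms):
    # Step-up flow: nothing is written until a one-time code delivered to the
    # phone already on file is confirmed. Holding the password alone is not enough.
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = {"email": new_email, "code": code}
    sms.send(acct.phone, f"Confirm your email change with code {code}")
    return True


def confirm_email_change(acct, supplied_code):
    # One attempt per issued code: a wrong guess discards the pending change,
    # so a new request (and a new SMS to the real owner) is needed to retry.
    if not acct.pending:
        return False
    ok = hmac.compare_digest(acct.pending["code"], supplied_code)
    if ok:
        acct.email = acct.pending["email"]
    acct.pending = {}
    return ok
```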