# Passengers are now getting hacked via Uber app.



## W00dbutcher (Jan 14, 2019)

“Since Saturday, I have contacted Uber 4x via email and not received a single reply” - PoPville


"Dear PoPville, I've heard rumors that this has begun happening to others as well. On Saturday, 11/13 I was out at lunch with a few friends in Adams Morgan. Around 3pm I called an Uber, as I've done dozens of times in DC and across the country. I was going to another friend's surprise birthday




www.popville.com





I checked my Uber app and I saw that I had a message from the driver requesting my phone number. I gave it to him, not thinking that it was odd the driver was not calling me through the app as usual.

The driver then asked for a verification code Uber texted me, claiming that he needed to verify my Uber account and phone number. I gave it to him


----------



## Daisey77 (Jan 13, 2016)

I'm calling bullshit. Unless the so-called driver bought the account on the black market🤷‍♀️ other than that there's no way. Uber and the passenger would be able to immediately identify who did this unlike when the passengers do it. A passenger can have an account with no private information whatsoever. A driver cannot. The only way a driver would be able to drive with no personal information tied to the account, would be to purchase one off the black market. Even if they were using a friend's account or a relative's account, they're going to get their friend or relative in trouble. I just don't see it.


----------



## Stevie The magic Unicorn (Apr 3, 2018)

Uhh... they could be using hacked driver accounts from the safety of their home in Africa?

I mean if they can take a hacked driver account then use it to scam customers that's more they got from the scam right?


It seems to me like they can use GPS spoofers to generate fake rides and tip heavily once they have both a hacked customer account and a hacked driver account. If you had half a dozen driver accounts you could pinata that customer account for bogus rides over and over further muddying the waters. Then do a cash out on the driver accounts. How many airport trips could you do with a GPS spoofer active and live and a pile of customer accounts?

Buying uber gift cards? That's more evidence to me that they are doing it.

It sounds a little more complicated than hacking drivers accounts and draining them but not terrible much more difficult. But if you added $50 tips onto a bunch of short $10 rides, you could easily leverage a hacked customer account into an extra $400-500 in stolen funds in an hour.


----------



## Gone_in_60_seconds (Jan 21, 2018)

W00dbutcher said:


> “Since Saturday, I have contacted Uber 4x via email and not received a single reply” - PoPville
> 
> 
> "Dear PoPville, I've heard rumors that this has begun happening to others as well. On Saturday, 11/13 I was out at lunch with a few friends in Adams Morgan. Around 3pm I called an Uber, as I've done dozens of times in DC and across the country. I was going to another friend's surprise birthday
> ...


You can buy Uber gifts cards with a Uber Pax account?


----------



## New2This (Dec 27, 2015)

Daisey77 said:


> I'm calling bullshit. Unless the so-called driver bought the account on the black market🤷‍♀️ other than that there's no way. Uber and the passenger would be able to immediately identify who did this unlike when the passengers do it. A passenger can have an account with no private information whatsoever. A driver cannot. The only way a driver would be able to drive with no personal information tied to the account, would be to purchase one off the black market. Even if they were using a friend's account or a relative's account, they're going to get their friend or relative in trouble. I just don't see it.


You've seen all the "my account was hacked they drained my earnings posts" right?

They use the hacked account to then scam riders.


----------



## Illini (Mar 14, 2019)

Yet again, someone who thinks they were hacked. The pax gave their login info to a 
"driver".


----------



## New2This (Dec 27, 2015)

Supposedly Uber's stopped reimbursing drivers that fall for this. 

What do you want to bet they reimburse riders?


----------



## The Entomologist (Sep 23, 2018)

Daisey77 said:


> I'm calling bullshit. Unless the so-called driver bought the account on the black market🤷‍♀️ other than that there's no way. Uber and the passenger would be able to immediately identify who did this unlike when the passengers do it. A passenger can have an account with no private information whatsoever. A driver cannot. The only way a driver would be able to drive with no personal information tied to the account, would be to purchase one off the black market. Even if they were using a friend's account or a relative's account, they're going to get their friend or relative in trouble. I just don't see it.


Actually, it's fairly easy and simple to pull that and it doesn't need a driver's account compromised.

Let me explain what is happening and what will happen more in the future, I saw this being discussed in some darknet forums.

The way they pull this is by creating a fake driver's account (which is relatively trivial) if you have the means, tools and good scammers.

By creating fake accounts, hackers and scammers have access to being your driver without leaving their home, the only flaw I saw in this operation was targeting a young person, they are usually fast to catch up but everything else pretty much fits what gets done once you are stupid enough to fall for it.

So I'm gonna go ahead and say: Yes Uber got hacked by being unable to protect its account onboarding exploitation, as you know an exploit=hack.

When done correctly (to an old person), you can make deals with drivers to milk the account for profit, Uber would never know if the driver was in cahoots or not.


----------



## Stevie The magic Unicorn (Apr 3, 2018)

The Entomologist said:


> Actually, it's fairly easy and simple to pull that and it doesn't need a driver's account compromised.
> 
> Let me explain what is happening and what will happen more in the future, I saw this being discussed in some darknet forums.
> 
> ...


I just think it would work a lot easier if it was a hacked driver account (something they were already doing anyway) then they could give fake rides to that hacked account tip big and drain it out.


----------



## Daisey77 (Jan 13, 2016)

Stevie The magic Unicorn said:


> I just think it would work a lot easier if it was a hacked driver account (something they were already doing anyway) then they could give fake rides to that hacked account tip big and drain it out.


 The 1st thing is, they'd have to make sure they are the actual driver that gets the ride request. 9 out of 10 times, if we're trying to get matched with a specific rider, we don't even get matched with them. 2nd thing is they'd be a lot quicker to shut down a driver account. All it would take is one complaint from a passenger and Uber would be all over it. Not to mention it would be a lot easier to identify a driver than a passenger. This is of course provided the passenger account is not in on the whole scheme. Now if both accounts like you said were in on it, that could be a different story. I'm sure it's able to be done As mentioned above in the dark Web But not nearly to the magnitude of Passenger accounts doing it to drivers accounts. The process is just a lot easier going from passenger accounts to driver accounts


----------



## Stevie The magic Unicorn (Apr 3, 2018)

Daisey77 said:


> The 1st thing is, they'd have to make sure they are the actual driver that gets the ride request. 9 out of 10 times, if we're trying to get matched with a specific rider, we don't even get matched with them. 2nd thing is they'd be a lot quicker to shut down a driver account. All it would take is one complaint from a passenger and Uber would be all over it. Not to mention it would be a lot easier to identify a driver than a passenger. This is of course provided the passenger account is not in on the whole scheme. Now if both accounts like you said were in on it, that could be a different story. I'm sure it's able to be done As mentioned above in the dark Web But not nearly to the magnitude of Passenger accounts doing it to drivers accounts. The process is just a lot easier going from passenger accounts to driver accounts


it would only work if both accounts were "in on it"

What they would do is pick somewhere in the middle of nowhere and spoof both accounts to be there, then order a ride from hacked passenger account to hacked driver account take them a few feet and tip $100.

the only actual "hacking" skills they would need is like 2 points of Charisma and GPS spoofer software.


----------



## The Entomologist (Sep 23, 2018)

Stevie The magic Unicorn said:


> I just think it would work a lot easier if it was a hacked driver account (something they were already doing anyway) then they could give fake rides to that hacked account tip big and drain it out.


It depends on their resources, hacking a drivers account can get you kicked out of it quickly whereas creating your own account by stealing info can get you an endless line of victims.


----------



## SinCityAngel (Jul 7, 2019)

There could also be a strong degree of phishing going on. Even though Uber uses virtual numbers to allow people to call each other, sometimes the real phone number of either the driver or the passenger is leaked to one or the other. I normally use Google Voice as my primary number because I go through phones almost as fast as a person with diarrhea goes through toilet paper (sorry for the "crappy" analogy) I remember that I was communicating using one of the Uber virtual numbers when I suddenly go through this weird Network issue and suddenly the customers actual phone number was revealed to me on a couple of communications. A devious person could easily take advantage of an opportunity like this and and keep the number. And let's not forget the number of times that we tried to contact a customer by phone and we get a voicemail that states that "the person at [insert actual phone number here] is not available at this time". One could easily document and keep that number or sell it to the closest scammer.

During either of the last elections, did anyone get phone calls or text messages urging them to vote for a candidate? Do you ever wonder how in the heck they got your phone number? Your mobile phone number?

Did anyone get those phone calls about your car warranty being expired? Any phone calls about any services that you know you didn't pay for or initiate using the phone number that they are contacting on?

Phishing is the act of calling a random number and hoping that the person that answers the phone is willing to try and correct the error of being contacted by answering a few personal questions that the "phisher" can use to steal or mimic your identity.


----------



## _Tron_ (Feb 9, 2020)

SinCityAngel said:


> Phishing is the act of calling a random number and hoping that the person that answers the phone is willing to try and correct the error of being contacted by answering a few personal questions that the "phisher" can use to steal or mimic your identity.


I didn't realize it at the time, but 5,000 years ago when I was a teenager my friends and I would gather around a telephone. We would pick a random phone number from the telephone book and dial the number. When the party answered we would tell the person that we were a friend from the past that they hadn't heard from in a long time. We would not give a name, but rather insist that the person guess at who it was.

Invariably the party we had called would inevitably come up with a name. We of course would say yes, it's me! The game was to then carry on the conversation for as long as possible until the party realized they were being punked.

It's a shame we didn't think to try and monetize the scam.


----------

