Ghost Riders: Combatting Account Takeovers

By Sachin Rawat, Engineering Manager, Security Research & Development

Have you ever received an email that looks just a little off? It could be from your bank, asking you to confirm your PIN, but the logo isn’t quite right. Or from a service you occasionally use, prompting you to sign in to confirm your membership. These are both examples of phishing, where a fraudster tries to trick you into giving them your information so they can pretend to be you and take over your account.

Phishing email sent by fraudsters. To trick people into sharing their account and payment details, some fraudsters pretend to be Uber. This is known as phishing, and fraudsters use it successfully to get account information from people around the world.

Account takeovers are an increasingly common — and costly — form of identity theft. Once your account has been taken over, fraudsters can attempt to do things like clean out your bank account or make expensive purchases in your name. In 2012, the Federal Reserve estimated that account takeovers cost $4.9 billion in the U.S. alone.

Since people often reuse the same username and password combination across many accounts, fraudsters know that obtaining a username and password for one account means they can probably get into many others. Once they have a username and password combination, they systematically try it against sensitive financial or email services like PayPal, Gmail, or Uber (a technique known as credential stuffing), in the hope that it will let them log into one of those accounts as well.

But it doesn’t stop there. The RAND Corporation found that fraudsters are particularly clever about leveraging the internet to maximize their profits. Once fraudsters know a set of credentials works for a website, they sell it on the internet’s black markets to the highest bidder. Credentials are valuable if they are guaranteed to work for a website where there’s money to steal, so fraudsters often ‘brand’ their wares for websites that have a payment method linked to the account, like Uber, Amazon, Netflix or Chase.

The privacy and security of our riders and drivers is incredibly important to us at Uber, and we know that ATOs are a serious problem for everybody online. We have a highly trained engineering security team, with over 35 privacy and security experts constantly working to make our systems stronger and keep the fraudsters at bay. For example, they monitor the black market for any Uber-branded credentials for sale, and if they find any, we immediately prompt the impacted users to reset their passwords. Additionally, our systems detect anomalies. For example, if we know that you live in Dallas, Texas, but you suddenly want to take a trip in Russia, our system may ask for a second type of identity verification. This would be something that’s easy for you to confirm but very difficult for a fraudster to know, like the CVV of your credit card or a one-time code sent to your email or by SMS. And in the event of an account takeover, we shut the fraudsters down as quickly as possible by ending their session, resetting the password for the account and notifying the user. We also refund any related fraudulent trip charges.
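To make the two defences above concrete, here is an added example (written for this page, not Uber’s code) of a minimal risk engine run over a constructed batch of login events. It applies the geo-anomaly rule (a login far from the account’s usual location gets a step-up verification), forces a reset for accounts whose credentials were seen for sale, and flags IPs that look like credential stuffing (one source trying many distinct accounts, mostly failing). The home locations, leaked-account list, thresholds and IP addresses are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    lat: float
    lon: float
    success: bool


# Assumed usual location (lat, lon) per account; constructed sample data.
HOME_LOCATION = {
    "alice": (32.78, -96.80),   # Dallas, TX
    "bob": (37.77, -122.42),    # San Francisco, CA
}

# Accounts whose credentials were spotted for sale (constructed; in practice this
# would be fed by black-market monitoring as the post describes).
LEAKED_ACCOUNTS = {"bob"}

GEO_THRESHOLD_KM = 1500   # farther than this from home -> ask for a second factor
STUFFING_MIN_USERS = 5    # one IP hitting this many distinct accounts -> stuffing


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def decide(event):
    """Per-event decision: 'force_reset', 'step_up' or 'allow'."""
    if event.user in LEAKED_ACCOUNTS:
        return "force_reset"        # credentials known to be for sale
    home = HOME_LOCATION.get(event.user)
    if home is None:
        return "step_up"            # no baseline for this account yet: be conservative
    if haversine_km(*home, event.lat, event.lon) > GEO_THRESHOLD_KM:
        return "step_up"            # e.g. a Dallas user suddenly logging in from Russia
    return "allow"


def credential_stuffing_ips(events):
    """IPs that tried at least STUFFING_MIN_USERS distinct accounts and mostly failed."""
    users_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    failures_by_ip = defaultdict(int)
    for e in events:
        users_by_ip[e.ip].add(e.user)
        attempts_by_ip[e.ip] += 1
        if not e.success:
            failures_by_ip[e.ip] += 1
    return sorted(
        ip for ip, users in users_by_ip.items()
        if len(users) >= STUFFING_MIN_USERS
        and failures_by_ip[ip] * 2 >= attempts_by_ip[ip]   # at least half failed
    )


def triage(events):
    """Run both checks; returns ({user: strictest decision}, [stuffing IPs])."""
    rank = {"allow": 0, "step_up": 1, "force_reset": 2}
    worst = {}
    for e in events:
        d = decide(e)
        if e.user not in worst or rank[d] > rank[worst[e.user]]:
            worst[e.user] = d
    return worst, credential_stuffing_ips(events)


# Constructed sample login events (documentation IP ranges, made-up users).
SAMPLE_EVENTS = [
    LoginEvent("alice", "198.51.100.4", 32.78, -96.80, True),   # Dallas: normal
    LoginEvent("alice", "203.0.113.9", 55.75, 37.62, True),     # Moscow: ~9,300 km away
    LoginEvent("bob", "198.51.100.7", 37.77, -122.42, True),    # at home, but creds for sale
] + [
    # one IP walking a leaked username list; only one guess works (user3)
    LoginEvent(f"user{i}", "203.0.113.7", 40.71, -74.01, i == 3) for i in range(6)
]

if __name__ == "__main__":
    decisions, stuffing = triage(SAMPLE_EVENTS)
    for user, action in sorted(decisions.items()):
        print(f"{user:>6}: {action}")
    print("credential-stuffing sources:", stuffing)
```

Note that the stuffing attacker in the sample data does get one password right: that is exactly why the per-IP view matters, since `decide` alone would only ask `user3` for a step-up because it has no location baseline. A real deployment would also end the session and reset the password on the hits from a flagged IP, as the post describes.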

If you think that your account has been compromised, you can always contact us through the help features in the app, and find additional information on our website.

While we are always working to stay one step ahead of fraudsters, there are a few things you can do to protect your account. Use a different, strong password for each of your online accounts, so that a password stolen from one site cannot be reused against the others. If remembering all those passwords is easier said than done, consider using a password manager, which can generate secure passwords for your accounts and remember them for you. You should also change your passwords on a regular basis, and immediately if you learn that a service you use has been breached, so that if a fraudster does get hold of your password, they won’t be able to use it for long. With these simple practices, you can help prevent attacks on your online accounts.