Inside of an Uber car
Uber code texts don’t stop trips you never took being charged to you. Photo by Dan Gold

Your money can be stolen from your Uber account with shady Uber code texts

7   |

Surprise:

  • Your password and 2 factor authentication (the code sent via SMS to your phone supposedly to protect your account) won’t stop people stealing money off your credit card via your Uber account
  • If the value of your currency has changed in the meantime relative to the one you were charged in, or if you’re charged foreign transaction fees, they’ll refuse to return those amounts, leaving you out of pocket
  • They don’t allow you to remove your stored credit card, unless you add a PayPal account
  • They’ll discourage you from deleting your account with “Just keep in mind this is not reversible”

Also: Why Uber doesn’t deserve your business - and Uber alternatives

Your account isn’t secure and the 2 factor authentication won’t save you

I installed the Uber app on my new phone, but hadn’t logged in. Minding my own business one evening, I received an SMS saying “Enter Uber code 5483 to confirm your number”. Thinking some other user entered their mobile number incorrectly, and assuming - as I had my phone with me - that my account was safe, I ignored the message.

10 minutes later, a push notification showed the “Your ride is on it’s way” message, as if I had ordered an Uber. I proceeded to freak out, and open the Uber app, hoping to cancel the unwanted trip. The app asked me to login, I attempted to do so, it asked for my email address, but refused it saying “Your email address is in use”. I then contacted Uber support.

To recap, a trip was ordered by someone else against my Uber account and credit card, I couldn’t log in to cancel the trip, and both my email address, password, and 2 factor authentication with Uber did nothing to protect my money and details. I don’t know if the trips were actually made, or they were ghost trips just to get money from my account, but the money indeed left my account, hundreds of dollars worth.

The charges

7 Trips over 2 days appeared on my account in Russia of all places (I’m in Australia). Some were absurdly long, leading me to believe that the purpose of the trips was to extract my money, rather than for legitimate travel. See the screenshots below for the trip details. The total cost was 💸$418.25💸. Lucky I didn’t need that for rent or bills at the time. However I was also charged foreign currency transaction fees of $10.76.

Uber’s response

(I pasted the content of the emails at the end)

Uber quickly agreed to refund the money. Problem is, the value of the currency had changed, so the money refunded was less than the money stolen: $406.70, which including the foreign currency transaction fees left me out of pocket a total of $22.31.

Not a cripplingly large amount, but through absolutely no fault of my own, my money was stolen. I sent Uber screenshots of the fees and the amounts refunded, and asked for the difference to be refunded also, as Uber was clearly responsible for not safeguarding my data. Long story short, they refused, and said the bank will refund the fees, and ignored the matter of the conversion fees, leaving me out of pocket due to their negligence.

They later offered to refund the transaction fees, but only in credit, which seeing as I planned on deleting my account, wasn’t very helpful.

Not an isolated issue

I personally know at least 2 other people who have had the exact same thing happen to them. The earliest example I personally witnessed happened to a friend many months ago, meaning our accounts have been unsecure for months, and the issue not resolved. I’ve included the correspondence with the Uber support person below. You’ll note that he or she ignores questions about ongoing security, and doesn’t address the fact that 2 factor authentication security codes sent to my phone did nothing to safeguard my account and credit card.

See below for the charges and the emails

The SMS codes and trips

Uber code SMS failing to protect my account
Uber code SMS failing to protect my account

The emails

Me

I was already an uber user but just got a new phone. I was minding my own business when I received an SMS with the uber login 4 digit code - even though I hadn’t touched the app. I ignored it as a glitch. Later I saw a notification briefly saying that uber was finding my ride! Again I didn’t ask for a ride etc or even login to the app. So I went to login, and when it got to the email step, it told me my email was already registered and gave no further options, even for support. Bad UX there. So I used a different email address and then it said no trips past or upcoming. I’m concerned someone else is using my payment info? I recently ported my old number to a new SIM also. Could you please verify that my account or card isn’t compromised? My email is as listed below. Thanks.


Uber

Thanks for bringing this to my attention, redacted.

redacted here from Global Operations Team at Uber. Stepping in to assist you further.

I’m so sorry to hear for any alarm this may have caused. Your account’s security is a top priority at Uber and I appreciate you flagging this issue so we could make it right.

As a security precaution I have changed your account password and reverted your credentials to email redacted and phone to redacted on your account, this will sign you out of all devices signed into your account. You should receive instructions on how to reset your password on the original email address linked to your account.

I also refunded the unauthorized charges and resent the updated receipts. This adjustment will show on your account within the next few business days.

1) 4,665.13 RUB - pfb2jyzd
2) 1,132.00 RUB - 33zqva4a
3) 1,323.00 RUB - ka48tsj1
4) 1,869.00 RUB - 1ghcanem

Here are the transaction IDs for this refund. You’re welcome to verify the refund’s status with your bank directly.

I want you to know that we absolutely take situations like this seriously. While it looks like your account was impacted here, I want to reassure you that our team is working hard to enhance account security and add additional protective features to keep your information safe.

If you haven’t done so already, please create a strong and unique password when you reset your password. As a general best practice, I recommend using different email and password combinations across your accounts to prevent unauthorized access.

When you next log in to your app, you may be prompted to re-add a payment method that you currently have on your account to verify your account ownership. Please double check that you’re not trying to add a new card or payment method, as that won’t clear the restriction. Once you re-add an existing payment method, you’ll be able to log in and make a request. You should also confirm that your account details (name, phone number, etc.) are correct.

Again, thank you so much for letting us know about this! If you see any further questionable activity, please reach out. I’m happy to help further.


Me

Hi redacted, you mention using different passwords for emails, does this mean someone guessed my password? I received pins sent tby SMS to my mobile number - how did the thief get into my account without this PIN? I’m concerned my credit card still isn’t safe. Could you please advise how this will not happen again and what went wrong in the first place? How did the they get access to my account? Thanks


Uber

Thanks for responding, redacted.

I certainly understand your concern and I want to make sure that we’ve addressed this appropriately as well.

We do not show any signs of a data breach. However, your sign-in information seems to have been compromised/phished from another website and then tested on our platform. This kind of fraud is highly sophisticated. As mentioned before it’s best to reset your password to something new and unique. I would also do this on any other website or platform where you use this login and password.

Here are some basics:

1. Never use potentially familiar personal information in a password
2. Do not use the same password for multiple accounts
3. Avoid passwords that are similar to your User’s name
4. Use passwords that combine letters, numbers and symbols
5. Change your passwords on a regular basis
6. Avoid sharing your passwords with anyone, and when sharing is essential, never do so via email

You can learn more about our Privacy Policy here, and can learn more about our payment processor’s security practices here.

We appreciate your patience. If you see any further questionable activity, please let us know. We’re glad to have this sorted out for you.


Me

Thanks redacted, Am I to understand then that the SMS PIN code does not ensure access is limited to someone controlling my phone? I can’t imagine how else someone can login with my PIN. I will otherwise do the steps that you suggest but I’m very tempted to close my account. Am I able to operate an uber account without keeping my card details stored? Thanks


Uber

Thank you for writing back, redacted.

I’m sorry to hear about such a frustrating experience. I’ve checked your account details, and it appears that someone may have accessed your account illegitimately. However, that doesn’t mean we’re not taking precautions. Our team is working hard to enhance account security and add additional protective features to keep your information safe.

In the meantime, you can use your account without adding your full credit card information. Some of our riders have been adding their PayPal as their payment method.

If you’d still like to delete your account, I can go ahead and do that for you. Just keep in mind that this process is not reversible.

Looking forward to hearing back from you.


Me

Thanks for the speedy response and for the clarifications. About deleting my account, you say it is not reversible, does that mean I can’t sign up again in future? Thanks


Uber

Thanks for your response, redacted.

What this means is that all trip history and personal information will be deleted as well. Of course, you can always sign up for a new account at uber.com/go.

The deletion process will proceed in accordance with our privacy policy. Please be aware that we may retain certain information about you as required by law and for legitimate business purposes permitted by law.

Please don’t hesitate to get in touch if you need anything else.


Me

Hello, I just checked the refunds that came back to my bank account and they’re for lower amounts than the original trip. My guess is this is because of currency conversion but obviously this is not ok - that I’m stolen from and less money is returned. I’ve also been slugged with a foreign currency conversion fee which is not my fault at all. Could uber please refund the full amounts. I’ve included screenshots of my account. Thanks redacted

Attachments:

Screenshot_20170612-104514.png

Screenshot_20170612-104545.png

Screenshot_20170612-104532.png


Uber Happy to help, redacted.

My pleasure to get this sorted out for you. I’m sorry to hear this wasn’t the 5-star experience you expect with Uber. We hope this is the first and last time something like this happens.

I’ve looked on our end here and saw that the charges for these trips have been refunded on our end in full. It could be that the discrepancy between the these charges on your statement is due to currency conversion and/or any international transaction fees. Certain banks add an international transaction fee when their cardholder makes a purchase as well as currency exchanges.

We do not control whether your bank chooses to add such a fee. We recommend asking your bank to waive any international bank charges.

Let me know if you have questions about this process and I’d be glad to help.


Me

Hi redacted, yes I believe the different values are because of currency conversion, but the reason this is necessary at all is because my money was stolen due to Uber’s security practices, and I don’t see why I (or my bank) should have to foot the bill. I can attempt to contact my bank about the fees but I doubt they will agree that they should pay for Uber’s security issues. I also believe I shouldn’t be paying anything for this as none of it is my fault. Does Uber think I should be out of pocket for their own security issues?


Uber

Hi redacted,

Thanks for letting me know about this situation, and I can totally understand your frustration here.

Additional charges like Foreign transaction fees are something that we do not have control with.

In cases like this, we usually ask our riders to contact their financial institution to waive off or to stop the charges. At this point, we can offer to issue the remaining amount in Uber credits rather than let extra time go by without reimbursement.

Your Uber credits can be used toward future rides and you can also choose to toggle on or off your credit as a payment option. You’ll always be able to see your Uber credit balance at any time by signing into your Uber app and clicking the Payment tab.

Please let me know how you’d like to proceed.


Get the unlike kinds newsletter
An infrequent summary of top articles in your inbox