The traditional meaning of people “getting taken for a ride” is that they are victims of a scam.
But in the world of online ride-hailing services, the scammer gets taken for the ride – a free ride – while the victim ends up with the bill.
The scams have come to be called “ghost” or “phantom” rides, made possible when cyber criminals steal login credentials from users of a ride service like Uber, and then sell them to fraudsters on the Dark Web.
It does not appear that a breach of the provider Uber, is the cause of a spike in credentials for sale on the Dark Web, but it is another reminder that popular apps without rigorous security and privacy protections that are implemented by users are an attractive, and relatively easy, target for online thieves.
According to a recent report by Trend Micro on data breach statistics from 2005-2015, Uber logins have been among the hottest, and priciest, items for sale on the underground online marketplace.
That doesn’t mean they cost big bucks individually. The report found that Uber accounts were selling for up to $4 each. But that is much more expensive than Netflix logins, at 76 cents, and credit cards, which were at 22 cents. The only ones with a higher price were PayPal accounts with balances, at an average of $6.43.
Credit: J Kivinen
A threat intelligence communications team of analysts from managed security vendor Solutionary found the price of login credentials for riders ranged from 50 cents to $6. “The upper part of this range typically guarantees that the accounts were not picked at random and have some validation behind them,” the team wrote.
There had been some speculation that the stolen accounts could have been connected to the May 2014 breach of an Uber database that contained the names and driver’s license numbers of about 50,000 current and former drivers.
But that, of course, was just driver, not rider, information. There was more speculation in mid-2015 that the company may have been breached when thousands of user login credentials showed up on the Dark Web. But the company issued a statement saying its investigation showed no evidence of a breach.
And one Dark Web vendor, responding to a reporter’s question of where he had obtained them simply wrote, “Hacked accounts, buddy. I have thousands.”
Breach or not, Uber, which has an estimated 8 million users in 300 cities in 60 countries, reached a settlement three months ago with New York Attorney General Eric Schneiderman that included a $20,000 fine for the company’s failure to notify users of the 2014 data breach, and also required it to be more rigorous about both security and privacy for riders.
Sign up for Computerworld eNewsletters.