That included stripping the PII (personally identifiable information) of riders from the company’s internal tracking system, known as “God’s View” – an aerial view of the movement of Uber cars in real time.
Under the settlement, Uber agreed to, “encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.”
A year ago, the company also announced that any change in the name, number or email address of a user would require a text verification.
Still, the “ghost” rides continue, although most recently reported ones are not in the U.S. Recent Twitter posts under #UberAccountHacked included this one: “I had a great ride in China this morning. Except, weird, I wasn’t in China this morning.” And another: “I am in Bangkok now. But my account showed I am riding in France.”
Experts say that eliminating, or at least minimizing, the fraud will take a combined effort by both service providers and users themselves.
Far too many users use the same credentials – user name and password – for multiple apps. That is asking for trouble – if criminals get login information for one account or app, they will try it on others as well. And if users fall for phishing emails or social media attacks that are much more credible and sophisticated than in the past (the Nigerian princess offering millions of dollars is long gone), one mistake can lead to an individual’s entire online life being compromised.
Ed Cabrera, vice president of cybersecurity strategies at Trend Micro, said users should adopt two-factor authentication (2FA), “whenever it is available.”
The idea is to authenticate a user through something he has and something he knows, such as a debit card that requires a PIN, before a transaction is authorized.
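The "something he has" factor in the 2FA scheme Cabrera describes is most often a shared secret stored on the user's phone, which turns into a short code that changes every 30 seconds (RFC 6238 TOTP). The following is an added illustration, not code from the article, from Uber or from any of the vendors quoted; it uses the RFC's published test secret so the output can be checked against the standard, and shows the server side rejecting both wrong codes and codes that have already been used once.

```python
import hmac
import hashlib
import struct
import time

# The secret below is the RFC 6238 reference test secret (ASCII "12345678901234567890"),
# chosen so the results match the RFC's test vectors. A real service generates a fresh
# random secret per user at enrolment; it is never shared between accounts.
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, the RFC default
DIGITS = 6       # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps since the epoch.
    This is what the user's phone computes and displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted: int = -1, window: int = 1):
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps on either side to tolerate clock drift.
    Returns the matched counter (the caller stores it on the account and passes it back as
    `last_accepted` next time), or None. A counter at or below `last_accepted` is skipped,
    so a code that was already used cannot be replayed within its validity window.
    """
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_accepted:
            continue
        # Constant-time comparison so the check itself does not leak matching prefixes.
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(TEST_SECRET, code, now))
```

Pairing a code like this with the password is what stops a leaked credential pair from being enough on its own: the password bought on a forum does not come with the phone that holds the secret.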
Uber did not respond to a request for comment, but other experts say the security changes it is making are good. Steven Rogers, CEO of Centripetal Networks, said 2FA is, “becoming a standard criteria for authenticating users and is a good sign of improving security.”
Some scammed users have wondered if the company could troll the Dark Web itself to find accounts for sale, and then cancel them until the real user establishes new credentials.
That is possible, experts say, but is also difficult. The Solutionary team said the company, “would need to develop a team of security experts with a deep and thorough understanding of the Dark Web. And, since some of these markets are closed markets, finding them and gaining membership can be impractical. The Dark Web is not a thing that can just be searched.”