Insinia recently worked with LBC to put together a radio news piece discussing the Uber hack and why so many of Uber's user accounts are getting exploited by hackers. Insinia discovered that a lot of Uber users were affected by this attack, often left with extortionate charges on their credit cards and no easy way of even contacting Uber, let alone resolving it.
Upon investigation, it was found that over 85,000 working Uber accounts were for sale on the dark web, by one single retailer alone, for as little as $0.50 each. The potential cost to the victim user could run into the thousands.
Insinia, along with LBC, began to probe into the Uber app to discover how this hack was working, and how so many people were affected.
WHAT IS UBER?
Uber is an International Transport Network which uses an app on your phone to order and facilitate the usage of private hire vehicles. You simply open the Uber app (which shows you an interactive map with your location), hit the "Pick Me Up From Here" button, select the type of car you want to ride in (economy, executive etc.) and voila... Your chariot arrives!
HOW DOES UBER WORK?
Uber uses a range of facilities on your smartphone, including geographical data. When you sign up for an Uber account you provide your personal and credit card details. These details are stored, securely, on Uber's server, meaning that only your account has access to your credit card details.
Once you put your details into the system on registration you never have to provide them again. Every time you open the Uber app it uses a session to automatically, and seamlessly, log you in to Uber's service. This negates the requirement for you to enter a long and boring e-mail address and password every time you open the app, which would be inconvenient and put you off using the Uber app. And Uber couldn't risk that. They want your money.
This means that your payment details are always stored and accessible by the app every single time you log in. Uber are effectively giving you permission to use your credit card, and they're authenticating that permission through a stored session on your phone - effectively your stored e-mail and password. You don't have to confirm it's you using the app... Simply open it up and away you go! Convenient, but open to a plethora of attacks.
SO WHY IS UBER GETTING HACKED?
Well, we'd like to say that they've been targeted by an intricate state-sponsored attack but, in reality, it's difficult to describe Uber's problem as a "hack" at all! You, as a user, are simply giving your data to the hackers... And Uber don't seem to be too interested in doing anything to stop it!
THE EXECUTION OF THE ATTACK:
Firstly, based on the information above, we now know that anyone with your e-mail and password, who can pretend to be you when logging in, has access to your account. Access to your account means that anyone with your login credentials can simulate being you; the legitimate user.
On this basis... Having your e-mail address and password gives a hacker full control of your Uber account. And that's a bad situation to be in.
Once you've given your credentials to an attacker (we'll discuss how you're being tricked into doing so later), you've given away the keys to the kingdom, and a hacker's about to become the new king. The hack's effectively complete.
When the hacker makes it into your account for the first time (which takes seconds) they start causing the real problems. They're interested in one thing; retaining the back end part of your account with your stored credit card details. But if they leave your other account info the same (e-mail, password etc.) then you'll just log back in, change your details to something they don't know and log them out. That's the last thing a hacker wants - all that work for nothing. So, once in, they immediately change your e-mail and password. This makes your legitimate login details defunct. They're now free to spend as they wish, and there's nothing you can do about it. You don't even know the login e-mail to your account anymore. Chances are that you'll remain blissfully unaware until you see your credit card statement or go to use your maxed out card.
HOW ATTACKERS ARE STEALING YOUR DATA:
Attackers, hackers, crackers and even low level scammers are harvesting your login data through a method called "Phishing". This is a Social Engineering attack where hackers trick you into providing your data.
How it works (in 4 simple steps!):
1. A hacker duplicates the Uber login page and hosts it on their own website service.
2. The hacker sends you an e-mail with the subject "Your Uber account - please login now", telling you that there's a problem with your account and you need to log in. The e-mail has a link which appears to take you to Uber, but it really takes you to the previously duplicated login page.
3. You visit the link, which appears to take you to Uber's website, and proceed to put your e-mail and password into the Uber login page. The only problem is that the page you're on isn't Uber's... It's the hacker's.
4. HACK COMPLETE
You've now given your login details to the hacker, and you've been cleverly forwarded to Uber's real site. You login again and everything appears normal. You have no idea you've been hacked, whilst the hacker has successfully harvested your credentials and is now sitting on a ready-to-use Uber account.
This attack is so successful that hackers physically can't use the amount of accounts they're hacking quickly enough. They therefore sell these hacked login credentials, which now have a real monetary value, to other hackers and criminals. These accounts sell for as little as £0.30 each! Yes - you can own a hacked Uber account for less than the price of a cheap coffee.
Your credit card details are never visible to the attacker, but they don't need to be seen to be used. The hacker simply logs in as you and has the same access you do. They never actually need to see or even check your credit card data at all. Uber does all that for them. This means there's no requirement by the hacker to brute force or decrypt secure data - they just use it in the same way you would. Effortlessly. You'd soon go off the idea of using Uber if you had to put your credit card details in each and every time, and hackers exploit that vulnerability.
Uber have traded off security for usability, which is often the case with large organisations who want to encourage you to use their service.
SO WHAT CAN BE DONE TO STOP THIS?
The advice and solutions that Uber should have implemented months ago:
WHAT YOU CAN DO AS AN UBER USER:
1. CHANGE YOUR LOGIN DETAILS - RIGHT NOW!
This should be the number one thing you do. Follow the instructions below.
Log in to your Uber account by visiting https://www.uber.com/log-in. DO NOT follow any links from e-mails and/or web forums. You shouldn't even follow the link on this website - there's no way of you knowing that we haven't been hacked.
2. USE A STRONG PASSWORD
Use a strong password of over 8 characters, and make sure your password includes lower case letters, upper case letters, numbers and special characters. Don't use any easily guessable passwords such as "taxiride" or "t4XiR1d3" - use a random combination such as D£p(kC1p03.
Do not use the same password(s) as you use for other apps. If you use the same password as your Facebook, for example, then if a hacker hacks your Facebook then they also gain unprecedented access to your Uber, Amazon, eBay and other accounts. Use different passwords for each app.
3. ALWAYS NAVIGATE TO THE UBER SITE - DO NOT FOLLOW LINKS
Always type the full web address into your address bar, as formatted above, paying special attention to the s in https. This initiates a secure connection that most likely won't be present on a phishing site. Bear in mind that the padlock only confirms that the connection to the site named in the address bar is encrypted, so check that the name really is uber.com as well. Either way, never follow any links in e-mails or on forums / websites.
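The advice above comes down to one check: is the address you are about to sign in at really Uber's, over HTTPS? As an added example (not Insinia's or Uber's code), the function below makes that check the way a browser or mail filter would, by parsing the URL and comparing the host exactly against the genuine address given earlier (https://www.uber.com/log-in). The sample URLs in `demo_links` are constructed for illustration; the lookalike and user-info forms show why searching the URL string for "uber.com" is not enough.

```python
from urllib.parse import urlsplit

# The only host this page gives as genuine is www.uber.com (https://www.uber.com/log-in);
# the bare domain is included as the obvious redirect target.
GENUINE_HOSTS = {"www.uber.com", "uber.com"}


def is_genuine_login_url(url: str) -> bool:
    """Return True only if `url` is HTTPS and its host is exactly a known Uber host.

    The host is taken from the parsed URL, not by searching the string, so a
    lookalike host (www.uber.com.example.net) and the user-info trick
    (https://www.uber.com@example.net/) are both rejected.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed URL (e.g. broken IPv6 brackets)
        return False
    if parts.scheme.lower() != "https":
        return False            # plain http, or no scheme at all
    host = (parts.hostname or "").rstrip(".").lower()
    return host in GENUINE_HOSTS


def classify_links(urls):
    """Map each URL to True (safe to sign in at) or False (do not enter credentials)."""
    return {u: is_genuine_login_url(u) for u in urls}


# Constructed sample links, of the kind a phishing e-mail or a forum post might carry.
demo_links = [
    "https://www.uber.com/log-in",                    # the address the page tells you to type
    "http://www.uber.com/log-in",                     # no https: rejected
    "https://www.uber.com.example.net/log-in",        # lookalike subdomain of another site
    "https://www.uber.com@example.net/log-in",        # real host is example.net
    "https://uber-login.example.net/",                # unrelated host with Uber in the name
]

if __name__ == "__main__":
    for link, ok in classify_links(demo_links).items():
        print(("GENUINE " if ok else "REJECT  ") + link)
```

Note that `urlsplit(...).hostname` already strips user-info and port, which is what defeats the `@` form; a check written as `"uber.com" in url` would accept every one of the rejected samples.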
WHAT UBER SHOULD BE DOING AS A MULTI-BILLION £ COMPANY:
Insinia recently e-mailed Uber the following list of protocols and procedures that they could (and should) put in place to stop this type of attack. Unsurprisingly, they never got back to us and are yet to put any of these steps in place.
1. CHANGE E-MAIL SHOULD INITIATE CONFIRMATION OF CARD DETAILS
When a hacker logs in to your account and changes your e-mail address they should be asked to verify your registered card details again. The hacker never has your full card details (they may have access to the last 4 digits, that's it), so this thwarts the attack as soon as they try to make changes to your account.
2. EACH TRIP SHOULD BE VERIFIED BY TEXT MESSAGE / TFA
Rather than just clicking "Pick Me Up Here" you should be directed to another page to carry out "Two Factor Authentication". You can read about TFA here: TFA Wiki.
This means that when you click "Pick Me Up Here" you're sent a text message with a 4 digit code. You enter the code in to the app and your vehicle arrives. This proves to the app that you have your login details and your physical phone.
Hackers never have access to your phone or text messages during the process of this hack, so this would stop their attack immediately. Combined with number 1 above, if they tried to change the registered phone number to one they have access to, it would ask for card detail verification and would stop the attack.
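Recommendations 1 and 2 together describe a step-up policy: a password-only session may ride, but changing e-mail or phone needs the full card, and each trip needs a code sent to the registered phone. The following is an added example of that policy, written for this page rather than taken from Uber or Insinia. Everything in it is constructed: the `SERVER_KEY`, the account, the card number and phone numbers, and the in-memory "SMS network". The HMAC card fingerprint stands in for the payment-processor check a real service would make; no card number is stored. The `demo` function walks the page's attacker (password, last 4 digits, no phone) through both controls and then the legitimate owner.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

SERVER_KEY = b"constructed-demo-key-not-for-production"  # placeholder, constructed
OTP_TTL_SECONDS = 300


def card_fingerprint(pan: str) -> str:
    """Keyed, opaque fingerprint of a full card number (stand-in for a processor token)."""
    return hmac.new(SERVER_KEY, pan.replace(" ", "").encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    email: str
    phone: str
    card_fp: str                          # fingerprint of the full number, never the number
    card_last4: str                       # the only card data the app ever displays
    pending_otp: Optional[tuple] = None   # (code, expiry) while a trip awaits confirmation


class StepUpRequired(Exception):
    """A logged-in session alone is not enough for this action."""


class AccountService:
    def __init__(self, send_sms: Callable[[str, str], None]):
        self.send_sms = send_sms          # delivers to the *registered* phone only

    # Recommendation 1: e-mail or phone changes re-verify the registered card.
    def change_contact(self, acct: Account, field: str, new_value: str,
                       card_number: Optional[str] = None) -> None:
        if field not in ("email", "phone"):
            raise ValueError(f"unknown contact field: {field}")
        if card_number is None or not hmac.compare_digest(card_fingerprint(card_number), acct.card_fp):
            raise StepUpRequired(f"changing {field} needs the full card; app shows only ****{acct.card_last4}")
        setattr(acct, field, new_value)

    # Recommendation 2: every trip request is confirmed by a code sent to the registered phone.
    def request_trip(self, acct: Account) -> None:
        code = f"{secrets.randbelow(10_000):04d}"
        acct.pending_otp = (code, time.monotonic() + OTP_TTL_SECONDS)
        self.send_sms(acct.phone, f"Your Uber trip code is {code}")

    def confirm_trip(self, acct: Account, code: str) -> bool:
        if acct.pending_otp is None:
            return False
        expected, expiry = acct.pending_otp
        acct.pending_otp = None           # single use: a wrong guess burns the code
        if time.monotonic() > expiry:
            return False
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Attacker with password + last 4 digits versus the owner with card and phone."""
    inbox = {}                            # constructed phone network: number -> last SMS

    def deliver(phone: str, msg: str) -> None:
        inbox[phone] = msg

    svc = AccountService(deliver)
    victim = Account("alice@example.com", "+44-7000-000001",
                     card_fingerprint("4111 1111 1111 1111"), "1111")
    results = {}
    try:                                  # attacker offers the only digits the app shows
        svc.change_contact(victim, "email", "attacker@example.net", card_number="1111")
        results["email_takeover"] = True
    except StepUpRequired:
        results["email_takeover"] = False
    try:                                  # attacker tries to redirect codes to their own phone
        svc.change_contact(victim, "phone", "+44-7000-999999")
        results["phone_takeover"] = True
    except StepUpRequired:
        results["phone_takeover"] = False
    svc.request_trip(victim)              # code lands on the victim's phone, not the attacker's
    sent = inbox["+44-7000-000001"].split()[-1]
    wrong = f"{(int(sent) + 1) % 10_000:04d}"   # any code other than the delivered one
    results["attacker_guess_accepted"] = svc.confirm_trip(victim, wrong)
    svc.request_trip(victim)              # owner reads the code from their own phone
    results["owner_confirmed"] = svc.confirm_trip(victim, inbox["+44-7000-000001"].split()[-1])
    svc.change_contact(victim, "email", "alice.new@example.com", card_number="4111111111111111")
    results["owner_email"] = victim.email
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the weight: the card check compares a keyed fingerprint with `hmac.compare_digest`, so neither the stored value nor the comparison leaks the number, and the trip code is single use and expires, so a 4-digit code cannot simply be cycled through by a session that never receives it.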
3. UBER SHOULD GEO-LOCK YOUR ACCOUNT
There have been reports of people using accounts in the UK & the US at the same time. Come on Uber... Really?! I think there's enough said on that one.
4. UBER SHOULD COMMUNICATE MORE
Uber have known about this attack for months, but there's not been one update, one patch or one piece of advice. Uber need to be more responsible in helping their clients, and they need to do more to respond to attacks far more quickly. Getting hacked's one thing; doing nothing about it's another.
5. UBER SHOULD BE FAR MORE RESPONSIBLE!
So far Uber's response to this large scale attack has been... nothing! Nothing at all. They've not responded to our research, not updated the app or clients, not put out a press release. Not a whisper.
If that's a company that you're happy to give credit card details to then you're braver than us! Uber need to take steps to make their users more secure - they owe it to their hard working customers.
We'd expect them to do something, anything, at least one single thing! But nope, nothing's been done, and that doesn't sit right with us here at Insinia. Hackers are smart, and the best of us are sometimes exploited by intelligent people - it happens. But burying your corporate head in the sand, as a multi-billion $ company, is not the way to run a predominantly electronic-based business.
Uber; you've got some serious explaining to do!
The hack scenario detailed above is not the only way of carrying out this type of attack, and is not the only way of an attacker stealing your information. Following the steps above does not guarantee your security. The steps to protect yourself will not prevent attacks where hackers have breached Uber's internal servers or systems, will not protect you if somebody steals your physical device and will not protect you if an attacker has gained access to your e-mails. To better protect yourself, utilise two factor authentication wherever possible, don't provide any personal information unless absolutely required and use services with due care and attention.