

After Hacked Accounts, Uber Looks at New Security Measures

Because people are never going to use strong enough passwords.

After some of its users in the United States and Europe complained of fraudulent trips being made on their accounts, the taxi company Uber is looking to implement stronger login verification measures in order to keep the hackers out.

"Uber is developing security features that go beyond relying on email accounts and passwords for verification," an Uber spokesperson said.

Motherboard first revealed that Uber accounts were being sold on the dark web back in March. Since then, customers on both sides of the Atlantic have claimed that trips they didn't order were charged to their accounts. Uber denied that its own systems had been breached, and a separate Motherboard investigation showed that the accounts were likely accessed because customers had reused the same email address and password across multiple sites; hackers had simply entered these combinations into the Uber platform after obtaining them from elsewhere.


Here is the problem: getting customers to use strong and unique passwords across different services can be very difficult. So Uber is looking at other ways to keep its users' accounts secure.

"We have been experimenting with two-factor authentication but given its very limited adoption on other services, we are also exploring alternatives that will work for all users," the spokesperson said. He wouldn't go into specific detail on what these measures might be.

Two-factor authentication requires a user to provide a password plus something else, such as a verification code sent to them over SMS, in order to log in to a service from a new device.

"Improving the security of our systems is continuous, with experiments of two-factor authentication started some time ago. Recent worries of fraudulent access, caused by using the same log-in details for lots of different online sites, has meant addressing this is an important priority even though users' financial information is not at risk and any money is refunded," the spokesperson continued.

Another possible solution could be a "hidden device-specific key," Ryan Lackey, product manager at website protection company CloudFlare, previously told Motherboard. This would mean that an Uber taxi could only be ordered from a user's registered phone.

Uber is also working on new ways to detect fraudulent activity, the spokesperson added.

"We want to use advanced detection systems that operate behind the scenes and leverage our mobile-first environment," he said. "We are investing in rules engines and machine learning and believe we will be able to create a higher quality experience in the long run by putting resources into technology solutions."

Recently, the Guardian reported that the FBI was investigating the hacked Uber accounts, although Uber denied this, and the paper amended some of its claims.