Uber's Response to Hacked Accounts Is More Bad Security

The case of a hacked user exposes Uber’s outdated security practices.
May 15, 2015, 6:04pm
On Thursday morning, Isabelle Berner woke up and saw she had received two calls from a British number while she was asleep. She also saw a receipt for 36 British pounds in her email account for an Uber ride in the UK.

But Berner actually lives in New York, and she hasn't visited the UK recently. She quickly realized what had happened. Her Uber account had been hacked, something that many other Uber users have gone through recently, as Motherboard has reported in the last few weeks.

She immediately changed her password, and reached out to Uber support via email.

But, somehow, the hacker was still able to get into her account, and locked her out. It's unclear how the hacker got into her account, but Berner, who is my partner's sister, told me that she originally used a bad password. Perhaps her login was sold on the dark web, perhaps the hackers just guessed the password.

The hacker, whoever he was, used her Uber account one more time, this time spending more than 70 pounds.

At that point, she couldn't get into her account, and Uber wasn't responding to her emails.

"It was pretty stressful to feel like I'm bleeding money and there's nothing I can do about it," Berner told me on Friday.

It was only hours later, around 6 p.m. New York time, that she received what looked like an automated email from Uber.

"Thanks for contacting us! Unfortunately we are experiencing some technical issues at the moment, which means that our response may take a little longer to get to you than either of us would like," read the email, which Berner showed to me.

It wasn't until 5 a.m. on Friday that "Adrian A," a customer support agent from Uber, finally addressed her complaints.

"I'm sorry to hear about such a frustrating experience!" Adrian A wrote in an email. "It looks like someone has accessed your account illegitimately."

Then, he made what any security expert would call a rookie mistake: He sent Berner her new password in a plaintext email.

"With this new password you can be confident in continuing to use your account safely," Adrian A added.

Well, not really.

Sending new passwords in plaintext via email is a big no-no for various reasons. In fact, there's a whole website dedicated to shaming companies that do stuff like that.

First of all, email itself is not a secure channel. Encryption between mail servers is opportunistic at best: if either side doesn't support it, the message and everything in it crosses the internet in the clear, and even when it is encrypted in transit, every mail server along the way, and the provider at each end, can read it.

Also, if a hacker gets into your email account, it'll be trivial for him to search for "password" and reuse all those nice plaintext passwords to get into other accounts. The best practice in these cases is for the company to send an email with a one-time reset link that takes the user to the company's website, where he can set a new password himself, according to Per Thorsheim, the founder of the Passwords conference.
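The reset-link flow Thorsheim describes is worth seeing end to end, because the security comes from details that are easy to skip: the link carries a random token rather than a password, the server stores only a hash of that token, the token expires quickly and can be redeemed exactly once, and a successful reset logs out every existing session (which is also what answers the "what if the attacker is reading her email?" worry below: a link that is short-lived and single-use is a far smaller prize than a password that works indefinitely). The following is an added example written for this article, not Uber's code; the in-memory stores, the `example.com` URL and the user record are constructed stand-ins for a real database and web app.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory stores standing in for a real database (assumption:
# a production service would persist these; the shape here is illustrative).
USERS: Dict[str, dict] = {
    "isabelle@example.com": {"password": None, "sessions": set()},
}
# sha256(token) -> (email, expires_at). Only the hash is stored, so a leaked
# table does not hand an attacker usable reset links.
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # short-lived: a link read by an intruder goes stale fast


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; the plaintext password is never stored or emailed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(email: str, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    stored = USERS.get(email, {}).get("password")
    if stored is None:
        return False
    salt, digest = stored
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


def _token_digest(token: str) -> str:
    # The token has 256 bits of entropy, so a plain hash (no salt) is enough to
    # make the stored value useless to anyone who dumps the table.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use reset link for the given address.

    Returns None for unknown addresses; the caller should still reply with a
    neutral "if that address exists, we sent a link" so the endpoint does not
    leak which emails have accounts.
    """
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # from the OS CSPRNG, not random.random()
    RESET_TOKENS[_token_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"https://example.com/reset?token={token}"  # hypothetical URL


def redeem_reset_token(token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Consume the token exactly once, set the new password, revoke sessions."""
    now = time.time() if now is None else now
    # pop(): whatever happens next, this token can never be redeemed again.
    entry = RESET_TOKENS.pop(_token_digest(token), None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    user = USERS[email]
    user["password"] = hash_password(new_password)
    # Anyone already logged in with the old credentials, including the intruder
    # who prompted the reset, is kicked out; the user logs back in afresh.
    user["sessions"].clear()
    return True
```

Note what the support agent's email could not offer: nothing secret is written into the email body, the link stops working after fifteen minutes or one use, whichever comes first, and the person who controls the account at the end is the one who chose the new password on the site, not whoever happened to read the inbox later.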

When I showed Thorsheim the email Uber sent to Berner, he said that this proves that the ride-sharing company either has "no procedures for handling incidents like this, or they have an employee who doesn't follow procedure."

It's worth noting, however, that this seems to be standard practice at Uber. (Uber did not respond to my requests for comment regarding Berner's incident or the company's security practices around password resets.)

What's worse, in the very same email, Adrian A "highly" recommended Berner change her email password as well, presumably because the hacker could've had access to her email account too.

But if the hacker had access to her email, is it really a good idea to send her new Uber password to that potentially compromised email address?

Unfortunately, many companies still do stuff like this. But perhaps we should expect better from Uber, which is reportedly worth $50 billion and handles very sensitive information—and a lot of money—from its massive user base.

"These companies act like innovators, but in reality they really are reusing old infrastructures and practices," George Rosamond, a system administrator with a focus on privacy and security, told Motherboard. "A little time and energy spent approaching the old security questions could go a long way."

Maybe better security would help the company avoid losing customers. Uber has refunded Berner the fraudulent rides, but after the hack, she has lost confidence in the company.

"Could you please delete my Uber account and all corresponding data?" Berner responded to Adrian A on Friday morning. "Your failure to respond for nearly 24 hours while I got hacked repeatedly and had no recourse to freeze my account and prevent further attacks made me feel powerless and violated. You caused me undue stress and frustration and cost me valuable time as I tried in vain to protect myself."