January 2016

Did you know that your Uber account is wide open to hackers? I do now.

Stretching across my medium thread count sheets in a hotel room in Sydney this morning (it’s about 7am here right now), I grabbed my phone to check the regular updates.

Twitter, Facebook, Insta … woah. Social media immediately takes a back seat to a notification from Uber thanking me for my business and charging me for a trip I had just been charged for in Sandton, Johannesburg.

An impressive feat, given that I’m in a horizontal state, 10 floors up on the east coast of Australia.

I stop breathing. There must be some mistake. Uber’s famous UX means that their magical transaction processing is somehow locked to my phone or mobile number, right? Wrong. Very wrong.

It turns out that anyone with your account details (email address and phone number) could order any Uber trip they like. From anywhere in the world. All while you haven’t even opened your curtains to marvel at the view in a city on the other side of the globe, for instance.

In the last 30 minutes, I’ve changed my password to a ridiculously complex string (that even I have 0% chance of ever remembering), mailed Uber, tweeted the South African crew (@Uber_RSA), heard back from the global support team (@Uber_Support), and paid for a very upbeat passenger’s free trip somewhere in the middle of Sandton. I haven’t, however, been refunded by Uber yet.

Searching Twitter for other conversations about Uber hacking, it seems I’m not the only user to have had a fraudulent transaction come through from Uber in South Africa:

OK. Now what is Uber going to do about this? This tweet suggests that Uber will only refund users in Uber credits:

Thanks for that, but no thanks. You took my money from my credit card, so you’ll kindly put it back there, if you don’t mind.

Before I go, here’s a free suggestion for your product backlog, Uber guys:

Allow users to bump up their own security with a toggle that may hinder your trademark friction-free UX, but that would keep me as a user and make it safe for millions of others. Allow me to receive a unique text code with every order, which needs to be entered in the app before you send out your driver and long before you charge me for the ride. Think about it. Bulletproof evidence of ordering, no more sleepless nights for users storing their credit card details with you, fewer chargebacks, and zero free trips for the bugger in Sandton who scored a free trip tonight.
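One way to build the per-order text code suggested above, as an added example that is not part of the original post and not Uber's code. It assumes a hypothetical `OrderConfirmationService` that issues a fresh six-digit code when a ride is ordered, sends it to the phone number on the account, and only lets the order proceed to dispatch and billing once the matching code has been entered in the app; the five-minute lifetime, the three-attempt limit and the SMS message format are all assumptions. Because the code goes to the account holder's phone rather than to whoever holds the email and password, someone who has obtained the credentials alone cannot complete an order.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong codes invalidate the order


class OrderConfirmationService:
    """Per-order step-up check: a one-time code is texted to the account's
    phone number when a ride is ordered and must be entered in the app
    before the driver is dispatched and the card is charged."""

    def __init__(self, server_secret: bytes, send_sms, clock=time.time):
        self._secret = server_secret      # keyed hashing so a leaked table is useless
        self._send_sms = send_sms         # callable(phone_number, message); hypothetical gateway
        self._clock = clock               # injectable for testing expiry
        self._pending = {}                # order_id -> challenge record

    def _digest(self, account_id: str, order_id: str, code: str) -> bytes:
        # Bind the code to both the account and the order so a code issued
        # for one order cannot be replayed against another.
        msg = f"{account_id}|{order_id}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, account_id: str, order_id: str, phone_number: str) -> None:
        """Create the challenge for an order and text the code to the rider."""
        code = f"{secrets.randbelow(10**6):06d}"        # CSPRNG, not random.randint
        self._pending[order_id] = {
            "account": account_id,
            "digest": self._digest(account_id, order_id, code),  # never store the code itself
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Ride code: {code}")

    def confirm(self, account_id: str, order_id: str, submitted_code: str) -> bool:
        """Return True only if the code is correct, unexpired, unused and within
        the attempt budget. The order may be dispatched and charged only then."""
        rec = self._pending.get(order_id)
        if rec is None or rec["account"] != account_id:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[order_id]                  # expired: rider must reorder
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[order_id]                  # too many guesses: kill the order
            return False
        ok = hmac.compare_digest(
            rec["digest"], self._digest(account_id, order_id, submitted_code)
        )
        if ok:
            del self._pending[order_id]                  # single use
        return ok

    def pending_orders(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    # Constructed walk-through: the rider's phone receives the code, the app submits it.
    outbox = []
    svc = OrderConfirmationService(b"server-side-secret", lambda ph, msg: outbox.append(msg))
    svc.issue("acct-42", "order-1", "+27-XXX-PLACEHOLDER")
    code = outbox[-1].split()[-1]
    print("guessed code accepted:", svc.confirm("acct-42", "order-1", "000000"))
    print("real code accepted:", svc.confirm("acct-42", "order-1", code))
    print("replay accepted:", svc.confirm("acct-42", "order-1", code))
```

The ride-ordering path would call `issue` when the order is placed and refuse to dispatch or bill until `confirm` returns True; the code is stored only as a keyed hash, compared in constant time, bound to one order, expires, and can be used once.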

While I make a less-than-stellar cup of tea with an in-room hotel kettle, I’m left a little battered and bruised. I’m sure that Uber, as a right-minded startup with a history of being on the side of the common man, will do the right thing and refund me in full. And confirm that my account is now (relatively) secure. That would be nice.

*** Update ***

I’ve just heard back with good news from the @Uber_Support peeps. They’ve taken the following actions:

1. Refunded my credit card for the fraudulent trip. High five. The most important immediate response. Thank you.
2. Automatically changed my password, waiting for me to choose a new one that’s more secure.
3. Put a hold on my payment method in the app until I reconfirm the details (requiring step 2 above) before it can be charged again.

I’m impressed by their excellent turnaround time and no-nonsense approach to correcting the situation. I still think my security feature suggestion would be the first prize solution here, and only hope that the right people at Uber find some space for it on their roadmap.