A Toronto woman says she feels she was taken for a ride after being billed for an Uber trip ordered on her account that she didn’t take — 7,000 kilometres away in Krakow, Poland.
Laura Hesp was at home in her apartment in Toronto on Monday when she says she received a text saying an Uber driver would be there in five minutes to pick her up. The problem: she never ordered one.
Hesp says she thought it was a glitch and posted about the ride to the Weird Toronto Facebook group.
“Got a phantom text saying my Uber arrived… I open the app and it’s in Poland and for the next 10 minutes I can see this guy dropping someone off… In… Poland. What,” Hesp wrote.
Before long, Hesp was getting replies saying her account had likely been hacked.
‘I kind of felt a little bit violated’
Hesp says she didn’t know that was possible.
However, when the ride ended, she says she got an email with a bill for the equivalent of about $3.75 for the ride.
Hesp says she contacted Uber and told them what happened.
She says Uber refunded the trip, and told her to secure her account by changing her password and deleting her credit card information.
“I kind of felt a little bit violated, like someone else was impersonating me in an Uber… And you can’t really track down who that person was,” she said.
In an email to CBC News, Uber security spokesperson Melanie Ensign said this type of fraud is usually caused by password reuse or phishing scams that trick a user into giving away their password.
Hackers target passwords, says security expert
The company says it doesn’t store credit card information but nevertheless recommends users create a unique password for their Uber accounts, one not used for any other site.
Toronto-based security engineer Geoffrey Vaughan agrees.
A phishing scam, he explains, usually begins with an email telling a person their account has been compromised. The email contains instructions for resetting a password and directs the person to a website that looks on the surface to belong to a legitimate company. When the user goes through the steps, they inadvertently give away their password, giving the hacker the keys to their account.
“It’s not much different than any of your banking phishing emails or the Nigerian prince from however many years ago,” Vaughan said.
“That’s probably the easiest way that most people would go after targeting other Uber accounts,” he said, adding the same kind of scams can compromise virtually any online account.
Vaughan recommends people use a password manager — programs that generate and store unique passwords for a user’s many accounts in a secure database, which can be unlocked by a single master password — to keep their login information secure. He says that eliminates the need to remember every password and cuts down on the possibility of being hacked.
‘You should be treating all emails as hostile’
Vaughan says keeping yourself safe from phishing scams all comes down to how much you trust the emails you receive.
“You should be treating all emails as hostile unless you can prove otherwise. You should never be clicking on a link until you’re absolutely sure,” he said.
Hesp may have learned that lesson the hard way, and now says she’s changing all of her passwords.
Even so, she says she’d like to see Uber put in place a way of confirming that the rider getting into the car is indeed the one the ride was meant for.
“It’s hard because a lot of us order Ubers for other people… but we definitely need to figure out a different way to make sure that that’s the person that ordered it,” she said.
As for who might have ordered a ride on her account half a world away, Hesp says that, because there aren’t generally cameras in Uber cars, there’s likely no way to trace the person’s identity.
“I guess we’re never going to find out.”