Montreal woman's Uber Eats account hacked as $300 in food orders sent to addresses in other cities
For months, Michiko Nayuki’s Uber Eats account had sat dormant. The Montrealer hadn’t had a hankering to get a meal delivered to her door in a while, so she was surprised when a few days ago, she started seeing Uber Eats notifications come up on her smartphone. Even more strange, the text appeared to be in Chinese characters.
“It was weird because usually, it’s in English, so that was the first red flag for me,” she said.
Thinking quickly, Nayuki grabbed screenshots of the notifications, then went into her Uber Eats account, and said she noticed an order had been completed and delivered to an address in Scarborough, Ontario.
“I started freaking out,” she said.
Once in her account, she could read addresses, orders and messages in English. Almost immediately, she said another order was placed to an address in British Columbia.
Nayuki said she immediately got on the phone with the police and opened a fraud claim, but while she was on the phone, someone tried ordering through her account again, to another address in B.C.
It all happened within an hour.
She said she worked fast to remove her credit card information from her account and notified Uber’s support team and her bank. While this was going on, she said someone tried to change her address listed on her Uber Eats account and changed her phone number to one with a U.S. area code. She managed to overwrite the changes.
The charges on her account totalled nearly $300 for items such as chicken burgers, iced tea, and a sashimi and sushi tray, she said.
Michiko Nayuki said she started seeing notifications from Uber written in Chinese characters.
Nayuki has no idea how someone accessed her account.
Uber confirmed it is investigating Nayuki’s case to determine what happened.
According to cybersecurity expert Steve Waterhouse, incidents like these aren’t specific to Uber; there have been similar stories from customers using various ordering platforms worldwide. There are also many possible ways Nayuki’s login credentials could have been compromised.
“These types of situations happen once in a while,” he said. While occasionally a platform has vulnerabilities that cybercriminals will happily exploit, he adds “most of the time we see a lot of accounts that are not properly protected with a good password and a two-factor authentication that most platforms offer but that a lot of people do not opt to use. In that case, perpetrators will try any combination possible [until] they get access and have a fun time ordering whatever they want.”
In some cases, Waterhouse said, credentials are leaked to the dark web, sometimes obtained from third-party platforms, such as the payment platform the ordering platform is using.
“I’m not saying [Nayuki’s] account has been compromised but it’s a strong possibility that from other credentials lying around … that her credentials could have been stolen without her knowledge and then used against her.”
Waterhouse said sometimes it’s a matter of the user visiting a website, where malicious code gets inside their system and can store that person’s username and password when they enter it at some point.
He notes there have also been cases of hackers targeting dormant accounts and using social networks to glean any information they can to make it easy to figure out their passwords.
“With today’s computing power that even a PC has, they can crack a password quite easily,” he said.
In some cases, ‘deals’ or ‘coupons’ that target specific communities are offered on social media platforms such as WeChat. Waterhouse explained a person could order something using a coupon without realizing that they are participating in fraud.
In those types of cases, the end goal is usually data.
“It is more profitable to sell that data that you harvested from whatever contest or rebate you put online,” he said. “As soon as you get the data you can monetize it. It’s very subtle, and it’s not illegal.”
Michiko Nayuki said she received multiple receipts totalling about $300.
HOW TO PROTECT YOURSELF
According to Uber, systems are in place at the company to detect fraudulent activity, and password reuse is the primary cause of compromised accounts.
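The article does not describe how Uber's fraud detection works. As an added illustration that is not Uber's code and not part of the original story, the Python below scores the kind of takeover indicators this case shows: a dormant account waking up, a login in an unfamiliar app language, several deliveries to cities far from home inside an hour, and contact details (phone, address) edited while those orders were going through. The event schema, the 90-day dormancy and one-hour burst thresholds, the North American area-code parsing, and the sample event log are all assumptions constructed for the example.

```python
# Added example: heuristic account-takeover signals over a constructed
# event log. Not Uber's fraud system; the schema, thresholds and sample
# data are assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

@dataclass
class Event:
    ts: datetime
    kind: str                # "login", "order" or "profile_change"
    locale: str = ""         # app language seen at login
    city: str = ""           # delivery city for orders
    field_name: str = ""     # "phone" or "address" for profile changes
    new_value: str = ""

@dataclass
class Profile:
    home_city: str
    usual_locale: str
    area_code: str           # area code of the phone number on file
    last_active: datetime

DORMANT_AFTER = timedelta(days=90)   # silence longer than this counts as dormant
ORDER_WINDOW = timedelta(hours=1)    # burst window for orders and profile edits
RISK_THRESHOLD = 3                   # reasons needed before the account is flagged

def area_code_of(phone: str) -> str:
    """Assumes North American numbering: optional leading 1, then a 3-digit area code."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits[:3]

def account_takeover_signals(profile: Profile, events: List[Event]) -> dict:
    """Collect independent signals that together suggest an account takeover."""
    events = sorted(events, key=lambda e: e.ts)
    reasons = []
    # 1. A long-silent account suddenly becoming active is context, not proof.
    if events and events[0].ts - profile.last_active > DORMANT_AFTER:
        reasons.append("dormant account reactivated")
    # 2. The app language changing is the cue the account holder noticed first.
    for e in events:
        if e.kind == "login" and e.locale and e.locale != profile.usual_locale:
            reasons.append(f"login locale {e.locale} differs from usual {profile.usual_locale}")
            break
    # 3. Several deliveries to different cities away from home inside one hour.
    orders = [e for e in events if e.kind == "order"]
    away = [o for o in orders if o.city != profile.home_city]
    for i, first in enumerate(away):
        cities = {o.city for o in away[i:] if o.ts - first.ts <= ORDER_WINDOW}
        if len(cities) >= 2:
            reasons.append(f"{len(cities)} delivery cities away from home within one hour")
            break
    # 4. Contact details edited while the suspicious orders were being placed.
    for e in events:
        if e.kind != "profile_change":
            continue
        near_orders = any(abs(e.ts - o.ts) <= ORDER_WINDOW for o in away)
        if not near_orders:
            continue
        if e.field_name == "phone" and area_code_of(e.new_value) != profile.area_code:
            reasons.append("phone number moved to a new area code during the order burst")
        elif e.field_name == "address":
            reasons.append("home address changed during the order burst")
    flagged = len(reasons) >= RISK_THRESHOLD
    actions = []
    if flagged:
        actions = ["hold pending orders", "require step-up verification",
                   "notify the holder on the contact details held before the burst"]
    return {"score": len(reasons), "reasons": reasons, "flagged": flagged, "actions": actions}

# Constructed sample data, loosely modelled on the incident in the article.
SAMPLE_PROFILE = Profile("Montreal", "en", "514", datetime(2021, 1, 10, 12, 0))
SAMPLE_EVENTS = [
    Event(datetime(2021, 5, 20, 10, 0), "login", locale="zh"),
    Event(datetime(2021, 5, 20, 10, 5), "order", city="Scarborough"),
    Event(datetime(2021, 5, 20, 10, 20), "order", city="Vancouver"),
    Event(datetime(2021, 5, 20, 10, 40), "order", city="Burnaby"),
    Event(datetime(2021, 5, 20, 10, 50), "profile_change", field_name="phone", new_value="+1 212 555 0199"),
    Event(datetime(2021, 5, 20, 10, 55), "profile_change", field_name="address", new_value="(constructed)"),
]
# Constructed benign activity: recent account, usual language, order at home.
BENIGN_PROFILE = Profile("Montreal", "en", "514", datetime(2021, 5, 19, 18, 0))
BENIGN_EVENTS = [
    Event(datetime(2021, 5, 20, 12, 0), "login", locale="en"),
    Event(datetime(2021, 5, 20, 12, 5), "order", city="Montreal"),
]

def analyze_sample() -> dict:
    return account_takeover_signals(SAMPLE_PROFILE, SAMPLE_EVENTS)

def analyze_benign() -> dict:
    return account_takeover_signals(BENIGN_PROFILE, BENIGN_EVENTS)

if __name__ == "__main__":
    for name, result in (("sample", analyze_sample()), ("benign", analyze_benign())):
        print(name, result["score"], result["flagged"], result["reasons"])
```

Each signal on its own is weak (people travel, change phones and switch languages), which is why the score only flags an account once several of them coincide, and why the suggested response is to pause orders and re-verify the holder rather than lock the account outright.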
The company recommends creating strong and unique passwords, and it also offers a two-step verification process, which Waterhouse said many platforms offer and which he recommends people use.
He also recommends creating a strong and distinct password for every account, and managing them with a password manager such as Canadian company 1Password, which he says has a good track record.
There are even further steps that can be taken to protect your privacy, he said, including having a separate credit card just for online purchases.
“If it’s compromised, you know it’s only that credit card. Then you can cancel it and order a new one, while your main credit card remains available for normal purchases.”
He said personally, he only does online transactions using a ‘static’ platform, such as his laptop or desktop computer.
“There are more and more vulnerabilities involved in doing online ordering while using a mobile platform, a tablet or smartphone,” he explained. “In the last few years, we’ve seen an increase in malicious activity going from a static platform towards mobile devices. Those devices tend to have more information on you, such as your location, so [using a static device] helps protect your privacy online.”
Uber encourages consumers to report fraud and compromised accounts at help.uber.com so the company can investigate.
Michiko said she was refunded, but she still wonders exactly how this happened to her.
A former restaurant server, she lost her job during the pandemic. The whole ordeal was an added stress she didn’t need.
“I’m just scared it’s going to happen again,” she said. “I wouldn’t want someone else to experience this.”