x
Breaking News
More () »

Uber accounts hacked to fuel overseas money laundering scheme

Been charged for a Uber or Lyft trip you didn’t take? You may have been on a ghost ride.

ATLANTA — Just about everyone has had their identity compromised in the past year, from data breaches to credit card fraud. It happens because it’s easy to do and hard to stop - unless you’re the person with a foot on the brake. Literally.

11Alive Investigator Rebecca Lindstrom followed behind an Uber driver one day, watching as, ride-after-ride, she took nobody -- somewhere. The driver was still getting paid, but why - and how?

The driver, who has asked not to be identified, invited Lindstrom to tag along to expose what some in the industry have termed ‘ghost rides’. We took our findings to Uber and found out that they have a name for it as well - acupuncture. Whatever the name, it’s unethical, if not illegal. 

Credit: WXIA

Melanie Ensign with Uber’s security team says the ringleaders for these schemes usually operate out of China or India. The person giving orders in Atlanta appeared to be based in an Indian city near the border with Pakistan.

OTHER DATA BREACHES | Cyberattack hits Atlanta computers: 'Everyone who has done business ' with city may be at risk

That person uses online chat groups and other social media to reach out and recruit Uber and Lyft drivers for the scheme. Uber says that part is key, because if there are no drivers willing to participate – there is no scheme.

Once on board, the drivers can say where and when they want to take a ride, allowing them to make money on everyday errands or even long distance trips they were already planning to take for personal reasons.

Ensign says the ringleader overseas initiates the ride by hacking into existing Uber accounts. Uber says credit card and personal information are encrypted, so there’s no concern about identity theft, but weak and leaked passwords are allowing crooks to manipulate the service. 

People usually never even know their account has been hacked because their credit card information gets swapped out with a stolen card to pay for the ride. The industry calls this acupuncture because the ride request is made right where the driver is located - ensuring they get the gig.  

Once the driver makes it to the destination, the man in India gives the driver a good review and a tip with the understanding that 40 percent of all money made will get wired back.

Essentially, stolen money pays for the trip. Clean money gets wired back to India.

“If you look on the dark web where personal information is being bought and sold by a criminal, credit card numbers are incredibly inexpensive,” said Ensign.

While Uber says it’s the company that foots the bills for fraud, consumers have the headache of proving they didn’t take the ride and clearing their name. 

Patrick Kelley, the chief technology officer for Critical Path Security, said welcome to modern day money laundering. 

Credit: WXIA

WATCH | The Reveal airs Sundays at 6 p.m. on 11Alive 

“I guess I was stuck between 'Wow, this is a thing,' and 'how ingenious',” said Kelley. “It may seem like just a little bit of money per transaction. But if you’re looking at this exponentially, then it adds up pretty quickly.”

Already, crooks are trying to skim more out of the deal using Uber Eats to place fake food orders. In this scheme, a restaurant agrees to receive a food order but never makes anything. The driver shows up, picks up nothing, but drives to another spot pretending to drop it off anyway. 

Kelley said schemes like these can be used to launder money from more than credit cards. He pointed to ransomware payments, drug trafficking, human trafficking, and even money from child exploitation.

It’s not just Uber. During this investigation, we met one driver with Lyft who admitted to taking ghost rides for weeks. 

Credit: WXIA

A spokesperson for Lyft said they have security measures in place to prevent this kind of activity, as does Uber. Sometimes the companies say they allow the rides to take place to determine who else might be involved. 

Both Uber and Lyft said the account of any driver involved in fraud is eventually terminated and they warn that drivers could face charges for wire fraud.

PREVIOUS | Uber to pay $148 million over undisclosed data breach that ex-CEO paid hackers to keep quiet

Uber hopes that educating drivers on what’s really going on and about the risks involved will deter them from participating. 

Ensign said riders can also do their part. By changing their password and using two-step verification, riders can prevent their account from being hacked and used in the scheme. 

The Uber driver we followed said she never wired any money back to India. She claims she only took a handful of ghost rides to expose what was going on. On the road, there’s black pavement and white lines. For her, there is no gray. 

RELATED | The 21 scariest data breaches of 2018

The Reveal, a show dedicated to investigations that make an impact, airs Sundays at 6 p.m. on 11Alive.  

More of The Reveal:

Their stuff missing, money gone. Here's why it's not a crime. 

Man who posed as war hero to scam women across the country, sentenced to 24 years

Marine mom works through heartache and humiliation to honor her son

Before You Leave, Check This Out