
Not just ‘phantom rides’, UberEATS customers also charged for food orders they didn’t make

SINGAPORE — More Uber customers here, including those using its food delivery service UberEATS, have come forward with reports of fraudulent credit card transactions.

An UberEATS food delivery scooter. More Uber customers in Singapore, including those using its food delivery service UberEATS, have come forward with reports of fraudulent credit card transactions. Reuters file photo.


In response to queries, Uber confirmed on Thursday (Nov 23) that it is also investigating the cases involving UberEATS — days after the company said it was reviewing incidents of its customers being charged for “phantom rides” overseas.

While the ride-hailing app has not uncovered the causes of these transactions, security experts whom TODAY spoke to said these could be due to hacking, a software glitch or poor security monitoring. They also warned consumers here to be more vigilant — for example, by setting SMS notifications to alert them to transactions on their credit cards — as the use of credit cards to pay for goods and services via mobile apps grows.

Uber customer Sherwin Loh, 41, told TODAY that he was charged for two UberEATS orders that he did not make. One was more than S$40, while the other was about S$120.

“I was in the United States when I got two receipts coming into my email within 10 minutes, for UberEATS orders in Russia. I called my credit card company immediately to cancel the transactions, and they said they had to block a third transaction also from Russia, which was coming in,” said the public relations professional. “When I called Uber, they said they would investigate it. I have since deleted the app, and stopped using it.”

In recent days, some Uber users in Singapore have complained of being charged for rides they did not take, amid Uber’s disclosure this week that it paid hackers US$100,000 to destroy personal data from around 57 million accounts they stole from the company. Uber Singapore has told the media that it has “no reason to believe” that the fraudulent transactions were linked to the data breach, which happened last year. The incident in 2016 did not breach its “corporate systems or infrastructure”, and external forensics experts “have not seen any indication that trip location history, credit card numbers, bank account numbers, NRIC or dates of birth were downloaded”, the company had said.

Nevertheless, The Guardian reported last year that active Uber account details have been found for sale on the “dark web”, a collection of thousands of websites that use anonymity tools to hide their Internet Protocol (IP) address to enable them to carry out criminal activity.

Irish national Caitriona Evans, who is based in Singapore, was among Uber users here who have been recently hit by fraudulent credit card transactions. She said she was first alerted on Wednesday via a message from DBS on signs of unusual activity on her credit card.

The next day, the recruitment professional was shocked to discover that about S$4,500 in Uber transactions had been chalked up on her card since Nov 14 — with one trip even costing S$500.

“I was physically shaken. I could not believe it, that so many transactions have gone through. It’s a substantial amount of money, and they were doing eight to nine transactions in one day… Obviously they became a lot more aggressive,” said Ms Evans, who has not used Uber when outside of Singapore.

Responding to queries, a DBS spokesman said customers who contact the bank to dispute unauthorised transactions would be provided with a temporary refund “until investigations are fully resolved”. “Security is of foremost concern to us and we use industry-leading security technology and protocols to ensure that our customers’ information and money are safe,” the spokesman said.

UBER’S SECURITY MEASURES FOUND LACKING: EXPERTS

In light of the incidents, the experts were critical of Uber’s security infrastructure.

Mr Gary Davis, Chief Consumer Security Evangelist at McAfee, noted that the cyber attack on Uber “illustrates the growing trend to target companies whose rapid growth has strained their ability to properly safeguard sensitive data”.

Mr Bill Taylor-Mountford of security intelligence firm LogRhythm went as far as to say that Uber has “poor protective controls over their sensitive data archives, and to top it off, a lack of security monitoring, detection, and response capabilities”. He added: “As with almost every breach, you can always take it back to poor IT and security hygiene as the root cause.”

On what could have happened regarding the fraudulent credit card transactions, Ms Eying Wee, Head of Marketing (Asia Pacific & Japan) at Check Point Software Technologies, said Uber’s security infrastructure could have been compromised, or there may have been a glitch in its software.

Other companies which store customers’ data such as credit card details said they have stringent measures in place to protect the data.

Payment services provider PayPal, which is seen as one of the most secure payment platforms internationally, told TODAY it has a fraud rate of 0.3 per cent for over US$350 billion in payment volumes last year. This is compared to the 1.32 per cent average among merchants, according to previous studies.

PayPal general manager (South East Asia) Rahul Shinghal said the company uses advanced risk modelling and fraud management technologies. “We combine advanced data processing with human oversight to ensure that our system gets smarter with every transaction that goes through our system,” he added. Apart from tapping artificial intelligence, PayPal also has a team of data scientists to identify fraud, he added.

Responding to queries, Grab, which also runs a ride-hailing app, said it has “security and anti-fraud measures in place to ensure that (customers’) personal details remain safe and secure”.

Apart from using SMS notifications, the experts said consumers can take other preemptive measures. These include getting their banks to “issue alternative cards with different credit limits, so that certain cards are meant for transactional experiences perceived as ‘higher risk’ with a much lower credit limit”, said Ms Wee.
