X

Uber fights off scammers every day. Here's how it learned the tricks

An exclusive look at the ride-sharing service’s never-ending battle against cybercriminals.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
5 min read
Uber logo on a car's windshield

Scammers, beware. Uber's onto you.

Sarah Tew/CNET

For a while, scammers have been getting away with fake rides on Uber, lining their own pockets with money from stolen credit cards, the company said.

Using stolen credit cards, scammers would run efficient schemes to pull as much money out of Uber as they could. The methods included using GPS-spoofing apps, as well as messaging boards and chat rooms offering fake discounts on rides, luring numerous victims over the years, Uber said.

Scams have existed online since the internet started. They usually come in emails, stealing millions from victims, but as technology advances, so does the fraud. Uber, and ride-sharing apps like it, give scammers a new path to easy money. Con artists have come up with creative ways to skim money via Uber, like drivers in China using disturbing images as their profile pictures to pocket the cancellation fees.

Uber has been using machine-learning tools to keep pace with the crooks, relying on data coming in from millions of people using the app every day. Ting Chen, Uber's data science manager, said it has more than 600 different signals as red flags warning it of new scams.

Watch this: Uber knows when scammers are using GPS spoofing apps. Here's how.

These signals can come from how you search for a ride to how fast your driver is traveling during the trip to how many taps a person makes on a smartphone screen.

The scams

One of the most common scams occurred through GPS spoofing, in which fraudsters used two phones, one as a new rider and one as a driver. The new rider account has a stolen credit card signed up with it and requests a ride, which the scammer accepts using the driver account.

But the "ride" never goes anywhere. Both the phones have GPS spoofing apps, which trick the devices -- and any app on them -- about its location.

Watch this: Uber knows when scammers are using GPS spoofing apps. Here's how.

"They can sit at home and use the app to simulate a trip, and from Uber's side, everything looks like a real trip," Chen said.

It's a way to pocket money via stolen credit cards, essentially using Uber as a makeshift money laundering service. Scammers take as many trips as possible, Chen said, to suck out all the value quickly.

If they do it enough times, the scammers also end up stealing money from Uber's incentive programs. The company offers bonuses like an extra $500 if you finish 125 trips in one week.

screen-shot-2018-06-12-at-11-53-37-am

A fake discount scheme using WeChat.

Uber

That might sound like a lot of driving, but for a scammer who can finish each ride by tapping a few times on the phone, it's an easy $500.

The GPS spoofing scam was so prevalent that thieves would provide instructions on the Dark Web, Motherboard reported.

In some cases, Uber drivers would use it to bump up rider fares, according to Quartz

Another widespread scam, Uber said, happened through fake discount agents.

Fraudsters go on messaging boards, or chat apps like WeChat, offering discounts on rides. The victim thinks it's a harmless deal and pays the third party -- the thief -- instead of using Uber directly.

The scammer keeps the victim's money and uses a stolen credit card to order the ride through Uber's app. But once the credit card is reported stolen, both the driver and the card's owner end up losing money, not the thief.

Uber ends up covering all the losses, if the scam is reported. The company reimburses the credit card owner, as well as the driver who could have lost a day's earnings because of the fraud.

"People are literally trying to defraud the platform every single day," said Melanie Ensign, Uber's security spokeswoman.

Too close to the sun

Because of how often scam attempts happen, Uber needs to rely on machine learning to help it deal with the scourge.

With GPS spoofing, the company started noticing a high level flaw with the scammers' tactics.

The difference between a GPS-spoofed ride and a real ride's altitudes. The fake ride is in red, and hundreds of feet in the air.

Uber

"They created some very weird altitudes," Chen said. "These trips were actually flying in the sky."

While these spoofed trips were en route, the altitudes were completely off, Uber noticed. The company would compare the altitudes against legitimate drives, and if they didn't match up, Uber knew that it was a GPS spoof.

Other factors tied in too, like the driver's speed. GPS-spoofed trips would be going abnormally fast, because the scammers are looking to finish as many trips as possible, Chen said.

Instead of immediately busting the scammers, though, Chen said Uber tries to play the thieves along for as long as possible. Uber's patience gave it a data set to learn from for the fight against future scammers and to prevent thieves from repeating schemes.

"We want them to send as much money as they can trying to defraud us, and then we block them. Letting them spin their wheels is a way to get them to waste resources," Ensign said.

The ride-sharing service first rolled out its scam detection last August, and the number of spoofed trips from GPS apps has since been cut by 85 percent, the company said.

pastedimage0

Behavioral analytics from a scammer using Uber.

Uber

Behave yourself

Uber has also been keeping track of how scammers work when they're posing as fake discount agents.

Every behavioral detail is captured, from how quickly someone adds a credit card number and orders a trip, to the amount of time to takes to order a trip immediately after. After identifying enough scams, Uber was able to compare how scammers use the app to how normal people use it.

For example, normal people spend most of their time comparing prices on Uber, while scammers spend more time adding different credit cards on the account.

The company started this type of analysis last summer, and since then, it's been able to spot 60 percent more scams, Chen said.

But Uber knows that scammers are creative -- and fast. Its machine learning tools have been able to slow down the current stream of schemes, but it's already concerned about the next trick it doesn't know yet.

"We need to move super-fast on the technology side," Chen said, noting that some scams can evolve within months. "When we change something, they also change, so we need to keep ahead."

Correction, June 15 at 5:22 a.m. PT:  This story originally misstated the time period involved in an Uber driver qualifying for the $500 bonus. It is one week.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.