Is Uber Safe? All Your Questions Answered - harlan4096 - 15 November 20
Quote:
How Secure is the most Popular Ridesharing App? Protecting Your Uber Corporate Account from Fraud
Uber is not only synonymous with comfort but has also revamped the definition of ridesharing. Serving over 60 countries and close to 1,000 metropolitan areas, Uber established itself as the standard for safer ridesharing. Throughout its decade-long existence, the San Francisco-based corporation has had its share of misfortunes: data leakages, sexual harassment charges, guerrilla marketing tactics, sexism, and the list goes on. Events of such magnitude would often weaken one’s trust in the brand.
So, as to the question at hand – is Uber safe? The short answer is yes; Uber’s ridesharing app handles sensitive data of this caliber daily. But you’re not looking for the short answer, are you? Well then, tag along, and let’s discover just how safe your Uber app and account really are. I’ll be going through security incidents, the difference between personal and corporate accounts, and much more. Enjoy and stay safe!
The Uber Affair – A Timeline.
As I’ve mentioned in the intro, Uber had its share of mishaps, some of them totally unrelated to cybersecurity. Obviously, I will not be covering those in this article, because ours is not to question why, but mostly to criticize lackadaisical online security practices. Anyway, back to Uber. In late September, the Federal Trade Commission decided to pursue criminal charges against Joseph Sullivan, Uber’s ex-CSO.
According to the FTC, Uber’s former Chief of Security purposefully concealed the details of the data breach of 2016. I would like to remind the reader that in 2016, Uber found itself in the midst of a data confidentiality scandal, after leaking phone numbers and personal email addresses of over 50 million passengers and contracted drivers.
As to the “hows” and “whys” of this incident, the North American ridesharing service refused to comment. However, based on the available data, it was later discovered that the hackers behind the attack managed to infiltrate the company’s database through an Amazon web server. They were able to gain access in the first place by using the credentials of a forgetful Uber engineer. Apparently, the employee simply ‘forgot’ his credentials in a GitHub repository. It’s easy enough to figure out what happened next.
‘Twas not the only time Uber found itself in the middle of a data leak scandal. Back in July, Twitter users received a rather cryptic message in regards to a Bitcoin, double-or-nothing raffle. The incident report suggested that the Twitter Bitcoin scam was gunning for HVTs: business-owners, politicians, television celebrities, and so on. Uber was also on the hit list.
One couldn’t conclude the exposé of Uber’s affair without saying a few words about the so-called God View mode. A rather obscure affair, vastly overshadowed by the 2016 imbroglio. So, in or around 2014, the US’s AG (attorney general) publicly expressed concern over some of Uber’s practices, chiefly the covert surveillance of ‘undesired’ individuals (i.e. journalists).
Online eavesdropping has definitely increased. It stands to reason that steps should be taken to remedy this situation. Heimdal™ Security, Thor Foresight Enterprise uses DNS traffic filtering to root out eavesdropping kits hiding out in the DNS traffic.
Getting back to God View mode, the incident involved an Uber general manager who, abusing a legal loophole, actively spied on a Buzzfeed reporter through a tool called God View. The instrument, which was labeled for ‘internal use only’, could pinpoint the exact location of the reporter, as well as other Uber clients. Uber’s GM as well as his accomplice got reprimanded. At the same time, Uber reassured its customers and contractors that the personally identifiable information of contractors had been removed.
Is Uber Safe? Key cybersecurity & data privacy aspects
Strictly speaking from a cybersecurity standpoint, there’s no distinction between an Uber personal account and a business account. Let me rephrase that for more clarity – securing your Uber account, whether it’s personal or business, should cover the same aspects. Remember when we spoke about the great breach of 2016? There’s a reason why most topics about the safety of Uber’s app revolve around this most unfortunate event. So, the first item on the list would be data confidentiality.
Data privacy
Just how confidential is ‘confidential’ for Uber? For that, we’ll need to dig into the company’s Privacy Notice. According to the document I’ve just named, Uber reserves its right to collect the following type of data:
1. Data provided by users
2. Data created during the use of Uber services.
3. Data from external sources.
User-provided data includes, but is not limited to, the following: phone number, name, email, profile picture, banking and payment info, physical address, driver’s license, governmental identification information, user settings, emergency contact info, car insurance info, and health records.
User-created data during the registration process includes location, transaction info (i.e. type of service, order details, amount charged, distance, and payment method), usage data (i.e. the Uber app harvests information through tracking technologies such as pixels, tags, and cookies), device data (i.e. hardware models, IP address, software, languages, UDIs, serial numbers, sensor-gathered motion data, mobile data network), com-related data (i.e. call and text history, file transfers, customer-support inquiries), rental devices data (i.e. info on rented devices such as time of use, route, distance, and location), and audio recordings.
Data collected from third parties includes user feedback (i.e. online ratings), referral programs, account owners requesting services on behalf of another party, claims & disputes info, business partners, public resources, marketing service providers, etc. As you can clearly see, Uber collects quite a lot of information from our devices, whether they are personal, business-issued, or even rented ones. You can review the full Privacy Notice here.
There’s a reason why I chose to lay out the entire shebang in front of you – collecting and handling this much information can become problematic, especially when it concerns a full-steam-ahead company such as Uber. Every bit of collected (and unsecured) data can be used for nefarious purposes, whether we’re referring to the 2016 incident or the insider threat of 2014.
...