I am a happy customer of Ola. I decided to try Uber. I installed the Uber app on my wife’s Android mobile and tried to register with her email address and got the message "Email address already in use". I don’t recall registering with Uber and thought that my wife had done so. However, a check of her email revealed no such registration: instead I found several messages from Uber-Kolkata. I assumed that the registration email somehow got lost and tried "forgot password", got the link in the email, reset the password and logged in. I found that someone had ‘registered’ with Uber and given my wife’s email address! As you can see below, the Uber profile page shows "Not Verified" next to BOTH the email address AND phone number!!
Figure: Uber Security Sucks: both email and mobile are unverified.
Even worse, on the Uber app, when I tried to register with Uber using my wife’s Google+ account, it immediately takes me to the account of the person who used her email address to register.
I couldn’t believe that a company like Uber allowed one to register without verifying their email address (and phone #). Makes you wonder: if they don’t do this basic security check then how good is their ‘security team‘ and their processes to protect users’ privacy? Scary to think that this company has started doing driver-less trials in Pittsburgh.
I hope, for the sake of other vehicles and pedestrians in Pittsburgh, that their driver-less trials are better implemented than their security-less registration process.
This may not appear to be a big deal in that there is no foul play or attempt to cheat.
But legitimate owners of the email address will have their inbox cluttered with email that is meant for someone else.
In addition, if the ‘victim’ wants to use the service, they cannot register with their email address.
The idiot, who inadvertently or deliberately registered with Uber using an email address that didn’t belong to him, will not get any emails from Uber — and his profile info has been leaked to an unrelated 3rd party. If the owner of the email has malicious intent, he can log in, get the profile info and do some mischief.
Sadly, Uber is not alone. The same thing happened with the mobile services operator DoCoMo. A different idiot registered with my email address: his name has no semblance to my email address and so it cannot be an honest mistake. I keep getting monthly statements and other notices from DoCoMo.
Wait, there is more. In addition to Uber and DoCoMo, other companies who are clueless about security are "HDFC Bank", "City Union Bank", "Asianet Mobile TV", as evidenced by the email we get from them even though we don’t use their services.
When it comes to banks, it gets a lot more serious as there is potential for identity theft and fraudulent money transfers. Bank statements, if not encrypted, can reveal personal info including account #s, balances, addresses, transactions etc. If the password can be reset using "Forgot password" link, there is potential for more damage.
The saving grace for "HDFC Bank" and "City Union bank" was that their monthly statements were encrypted with customer id and it appears that the customer id was delivered by a method other than email. However, given that an account # is typically of fixed length and format, the encrypted data is vulnerable to offline dictionary attacks. Also, thankfully, transaction summaries did not include the full customer id.
The email from "Asianet Mobile TV" said "Your Asianet Mobile TV User Account has been successfully created with following Login Details" and included the login id and password! In this case, it could also be a deliberate attempt by the company to spam by creating an automatic registration.
It is possible that Uber is no longer stupid and has fixed this security hole. If not, this is a serious issue. If they have fixed it for future registrations, then they should scan their database for accounts with unverified email, send email asking them to confirm. If there is no response, and calls to the number don’t resolve the issue, then the account should be deleted or the email address should be removed from that account. Then Uber should send an apology email to the person(s) who were spammed, invite them to join Uber and give them coupons for a few free rides.