Uber is not only synonymous with comfort but has also revamped the definition of ridesharing. Serving over 60 countries and close to 1,000 metropolitan areas, Uber established itself as the standard for safer ridesharing. Throughout its decade-long existence, the San Francisco-based corporation has had its share of misfortunes: data leakages, sexual harassment charges, guerrilla marketing tactics, sexism, and the list goes on. Events of such magnitude would often weaken one’s trust in the brand.
So, as to the question at hand – is Uber safe? The short answer is yes; Uber’s ridesharing app handles sensitive data of this caliber daily. But you’re not looking for the short answer, are you? Well then, tag along, and let’s discover just how safe your Uber app and account really are. I’ll be going through security incidents, the difference between personal and corporate accounts, and much more. Enjoy and stay safe!
The Uber Affair – A Timeline
As I’ve mentioned in the intro, Uber had its share of mishaps, some of them totally unrelated to cybersecurity. Obviously, I will not be covering those in this article, because ours is not to question why, but mostly to criticize lackadaisical online security practices. Anyway, back to Uber. In late September, the Federal Trade Commission decided to pursue criminal charges against Joseph Sullivan, Uber’s ex-CSO.
According to the FTC, Uber’s former Chief of Security deliberately concealed the details of the data breach of 2016. I would like to remind the reader that in 2016, Uber found itself in the midst of a data confidentiality scandal, after leaking the phone numbers and personal email addresses of over 50 million passengers and contracted drivers.
As to the “hows” and “whys” of this incident, the North American ridesharing service refused to comment. However, based on the available data, it was later discovered that the hackers behind the attack managed to infiltrate the company’s database through an Amazon web server. They were able to gain access in the first place by using the credentials of a forgetful Uber engineer. Apparently, the employee simply ‘forgot’ his credentials in a GitHub repository, where anyone with access to the repository could read them. It’s easy enough to figure out what happened next.
‘Twas not the only time Uber found itself in the middle of a data leak scandal. Back in July, Twitter users received a rather cryptic message regarding a Bitcoin, double-or-nothing raffle. The incident report suggested that the Twitter Bitcoin scam was gunning for HVTs (high-value targets): business owners, politicians, television celebrities, and so on. Uber was also on the hit list.
One couldn’t conclude the exposé of Uber’s affair without saying a few words about the so-called God View mode. A rather obscure affair, vastly overshadowed by the 2016 imbroglio. So, in or around 2014, the US Attorney General (AG) publicly expressed concern over some of Uber’s practices, chiefly the covert surveillance of ‘undesired’ individuals (i.e. journalists).
Online eavesdropping has definitely increased. It stands to reason that steps should be taken to remedy this situation. Heimdal™ Security’s Thor Foresight Enterprise uses DNS traffic filtering to root out eavesdropping kits hiding in DNS traffic.
Getting back to God View mode, the incident involved an Uber general manager who, abusing a legal loophole, actively spied on a Buzzfeed reporter through a tool called God View. The instrument, labeled for ‘internal use only’, could pinpoint the exact location of the reporter, as well as of other Uber clients. Uber reprimanded the GM and his accomplice and, at the same time, reassured its customers and contractors that the personally identifiable information of contractors had been removed.
Is Uber Safe? Key cybersecurity & data privacy aspects
Strictly speaking from a cybersecurity standpoint, there’s no distinction between an Uber personal account and a business account. Let me rephrase that for more clarity – securing your Uber account, whether it’s personal or business, should cover the same aspects. Remember when we spoke about the great breach of 2016? There’s a reason why most topics about the safety of Uber’s app revolve around this most unfortunate event. So, the first item on the list would be data confidentiality.
Just how confidential is ‘confidential’ for Uber? For that, we’ll need to dig into the company’s Privacy Notice. According to the document I’ve just named, Uber reserves the right to collect the following types of data:
1. Data provided by users.
2. Data created during the use of Uber services.
3. Data from external sources.
User-provided data includes, but is not limited to, the following: phone number, name, email, profile picture, banking and payment info, physical address, driver’s license, governmental identification information, user settings, emergency contact info, car insurance info, and health records.
User-created data during the registration process includes location, transaction info (i.e. type of service, order details, amount charged, distance, and payment method), usage data (i.e. the Uber app harvests information through tracking technologies such as pixels, tags, and cookies), device data (i.e. hardware models, IP address, software, languages, UDIs, serial numbers, sensor-gathered motion data, mobile data network), communication-related data (i.e. call and text history, file transfers, customer-support inquiries), rental device data (i.e. info on rented devices such as time of use, route, distance, and location), and audio recordings.
Data collected from third parties includes user feedback (i.e. online ratings), referral programs, account owners requesting services on behalf of another party, claims & disputes info, business partners, public resources, marketing service providers, etc. As you can clearly see, Uber collects quite a lot of information from our devices, whether they are personal, business-issued, or even rented ones. You can review the full Privacy Notice on Uber’s website.
There’s a reason why I chose to lay out the entire shebang in front of you – collecting and handling this much information can become problematic, especially when it concerns a full-steam-ahead company such as Uber. Every bit of collected (and unsecured) data can be used for nefarious purposes, whether we’re referring to the 2016 incident or the insider threat of 2014.
Now that we got a glimpse into how Uber collects and stores customer information, let’s talk about the security aspects.
Again, I have to recall the data breach of 2016. The implications of this incident are far too many to recount. However, one thing’s for certain – better data protection, both in transit and at rest, is warranted. Despite Uber’s reassurances, the incident did indeed cast a shadow over the company. Uber committed to increased compliance and to changes in its data-processing and handling policies, all in the name of averting a disastrous outcome.
At the moment, the ridesharing company employs the same type of security as before the incident. However, rumor has it that Uber, through its research partners – The Swiss Federal Institute of Technology Lausanne and the University of Lausanne – has been working on a new type of encryption framework that could, theoretically, transform customers into undercover agents.
More specifically, the technology developed by the two universities can significantly reduce the data required to complete the negotiation process between the driver and the customer.
ORide is the name of the prototypical privacy-preserving service, and, as far as Uber is concerned, it may very well be the next milestone of RHS (ridesharing service) confidentiality. This novel approach is based on a cryptographic technique called homomorphic encryption. I’ll get to that in a second. The “O” in “ORide” stands for “oblivious”.
So, what’s the deal with this obliviousness? Remember the God View tool abused by Uber’s GM to spy on the Buzzfeed journalist? With ORide, the feature is dead and buried, meaning that the application itself doesn’t need to track the exact location of the subject in order to negotiate the transaction.
Speaking on behalf of the Swiss research team, Jean-Pierre Hubaux declared that with this approach, eavesdropping becomes next to impossible. At the same time, the application will require less data to complete the transaction. Back to the fun part.
According to the paper submitted by the Swiss research team, the service uses a “somewhat-homomorphic encryption”. In this particular case, the “somewhat” means the scheme supports only a limited number of operations on encrypted data, which translates into less time spent doing math. In full-fledged homomorphic encryption, the system is capable of performing calculations on the data while it remains encrypted.
Pretty neat, isn’t it? As you would imagine, this is a time-consuming process, which is one of the reasons why ORide uses a trimmed-down version of this cipher. In Hubaux’s words: “in homomorphic encryption, a decrypted four can be expressed as the sum between an encrypted two and another encrypted two.”
Yes, I agree that it all sounds a little dry and sciency, but if you substitute the “encrypted twos” and the “decrypted four” with geolocation data it will all start to make sense. Once the layer is applied to both sides (i.e. driver and rider), it will begin encrypting the coordinates of each actor. The ORide service will receive both sets of coordinates in an encrypted state. Subsequently, the service performs the computation on the encrypted coordinates, matching the driver with the client based on proximity, without ever seeing the plaintext locations.
When a match is found (i.e. driver X is close to the client’s location Y), a secure communication channel will be established between the two parties. After the driver picks up the customer, the driver’s host device opens up a secure, short-range communication channel over a radio protocol to confirm the rider’s authenticity.
This connection also ensures that no one else has intercepted the conversation between rider and driver. With the two connected, a route can be determined and a fare computed. The report of the transaction (i.e. the fare report) is digitally signed with a secret key that is stored on both devices.
It all seems exciting, magical, and even whimsical on paper, but there’s no indication of Uber implementing this system, or of whether the proof of concept has left the prototype phase.
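As an added illustration (my code, not the article’s and not the ORide team’s), here is a toy additively homomorphic cipher (Paillier) that reproduces Hubaux’s “encrypted two plus encrypted two” and a simplified encrypted proximity check: the driver computes a squared distance on the rider’s encrypted coordinates and only the rider can decrypt the result. ORide itself uses a lattice-based somewhat-homomorphic cipher and a different protocol, so treat this as an analogue of the idea, not the real scheme; the primes and the sample coordinates are constructed for the demo.

```python
"""Toy Paillier cipher: additively homomorphic, so ciphertexts can be added
and scaled by known constants without decrypting. Constructed for this
article; NOT ORide's scheme, and the key below is far too small for real use."""
import secrets
from math import gcd

P, Q = 2**31 - 1, 2**61 - 1   # constructed demo primes; a real n is ~2048 bits

def keygen(p=P, q=Q):
    """Paillier keys with g = n + 1: returns ((n, g), (lam, mu))."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)        # valid because L(g^lam mod n^2) == lam
    return (n, n + 1), (lam, mu)

def encrypt(pub, m):
    n, g = pub
    r = 1 + secrets.randbelow(n - 1)    # fresh randomness per ciphertext
    return (pow(g, m % n, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c):
    n, (lam, mu) = pub[0], priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def add(pub, c1, c2):
    """E(a) * E(b) mod n^2 decrypts to a + b (Hubaux's 'two plus two')."""
    return (c1 * c2) % (pub[0] ** 2)

def scale(pub, c, k):
    """E(a)^k mod n^2 decrypts to k * a; k may be negative."""
    return pow(c, k % pub[0], pub[0] ** 2)

def two_plus_two():
    pub, priv = keygen()
    return decrypt(pub, priv, add(pub, encrypt(pub, 2), encrypt(pub, 2)))

def rider_ciphertexts(pub, x, y):
    """Rider publishes E(x), E(y), E(x^2 + y^2) under its own key."""
    return encrypt(pub, x), encrypt(pub, y), encrypt(pub, x * x + y * y)

def encrypted_sq_distance(pub, rider_ct, xd, yd):
    """Driver side: E((x-xd)^2 + (y-yd)^2) built from ciphertexts only;
    the driver never learns the rider's coordinates."""
    ex, ey, ess = rider_ct
    c = add(pub, ess, encrypt(pub, xd * xd + yd * yd))
    c = add(pub, c, scale(pub, ex, -2 * xd))
    return add(pub, c, scale(pub, ey, -2 * yd))

def match_nearest(rider_xy, drivers):
    """Rider decrypts each squared distance and picks the closest driver."""
    pub, priv = keygen()
    ct = rider_ciphertexts(pub, *rider_xy)
    dists = [decrypt(pub, priv, encrypted_sq_distance(pub, ct, *d)) for d in drivers]
    return dists.index(min(dists)), dists
```

Coordinates are plain integers (e.g. metres on a local grid); the decryption is exact as long as the squared distance stays below n.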
How to protect your Uber account against fraud. Is Uber safe?
Meanwhile, you should take some precautions against fraud. Here are a couple of tips on how to secure your Uber account. They apply to both personal and business accounts.
- Change passwords on a regular basis. You should change your Uber password at least once per month. For extra security, you could try a password generator.
- Two-factor authentication. 2FA decreases the chances of unauthorized entry through hijacking or brute-force attacks. To enable 2-step verification for your Uber account, please consult the official documentation.
- Don’t share your Uber credentials. Where cybersecurity is concerned, sharing is not caring. It’s a liability. If you need to access your Uber account in public, please ensure that your credentials are not visible. Moreover, if you plan on attaching a new card to your account, do it at home or somewhere no one can make out your debit card’s CVV2 code.
- Mobile protection. Extra security means fewer chances of your account getting hacked. Thor Mobile Security is the perfect companion for your smartphone. Packing the mobile version of our DarkLayer Guard™ engine, Thor Mobile will stop attacks before they have a chance to reach your device.
Is Uber safe? It’s as safe as any application of this caliber can be. Sure, it has seen its share of mishaps, but this doesn’t mean that you should purge the application from your smartphone. Use it wisely, keep your account secure, and don’t forget to upgrade your protection.