Lyft allowed unauthorised access to my account
126 points by dayanajabif 4082 days ago
When I travel to the US I usually buy a pay as you go AT&T sim card to use during my stay. I used to take Lyfts to move around, till today.

If you have a phone with pay as you go service and for some reason you don't pay the bill for a month, you will lose your number. Then a few months later someone buying a new sim card will have your old number, so if they download Lyft they will have your account with your credit card. And guess what? They can have free rides charged to your credit card!!!

So there's a creepy guy taking Lyft rides in San Francisco with my account. The best part is that I can't remove the credit card from that account because I no longer have that phone number, so I can't access my account!

I sent an email to Lyft support but no one answered.

22 comments

Here's a strange Lyft scenario. I tried to send my friend a Lyft invite so we could both get a discount. He got the invite link, downloaded the app and put in his phone number. It kept rejecting his phone number (it's a CA number and we're in NY, does it matter?). So we thought, maybe we need to put in the phone number of the person that referred/invited him (i.e. me). So we put in my number and it lets him in. He takes his ride home and then I see that his ride was charged to my account. Somehow his phone is now linked to my account and he didn't even enter a password. I emailed Lyft and they don't care, they just explained that I agreed to surge pricing - that's not even on topic to my complaint. Needless to say, neither of us got the referral discount.
I've dealt with the rejected phone number (for a California number) as well. And of course, no responses to my emails. I tweeted about it, they tweeted back, and then continued to ignore my emails.

...I switched to Uber...

EPIC BUG! I can't believe Lyft doesn't care about this
This is what I hate about apps and services using phone numbers as primary credentials. Phone numbers can and do change, so they're nowhere near as stable as e.g. a simple email address. I'm recently facing the situation where I may be moving in the near future, and when doing so I'm going to have to change my phone number to a local one in the place I'm moving to. I'm likely going to have to go through every account and app I have my phone number associated with and change it. (Unless there's a better option that I'm not aware of yet.)
> Unless there's a better option that I'm not aware of yet.

Keep your number? I love this XKCD on this [0]. I live in a different state than where I got my phone number and when I moved I just kept the number so I didn't have to go through the dog and pony show of updating it everywhere.

[0] https://xkcd.com/1129/

That's less useful when you're possibly moving to a different country.
You can maintain a US telephone number for a few dollars a year by porting it to a VOIP or prepaid cell provider.
Agree 100%, that is one situation where this would not work. I apologize for having my USA blinders on :)
Wow, thanks. I knew this was correct but never found any documentation.
In my experience, it seems like people with land-lines, e.g. private businesses, are less likely to make/return calls to a non-local number.
This is probably true as well as EVERY time I call Time Warner they redirect me to the wrong state's offices and it would confuse the person answering the call b/c they couldn't find my account. It got to the point that I would just start the call with that info "Yes my number is an Ohio number but I live in Kentucky, redirect me please". That said I don't think this has happened the last few times I've called. Maybe they got their redirection to take into account phone numbers tied to accounts to redirect instead of just area code.
Could be a Silicon Valley thing where most aren't from here but most I know don't bat an eye with a non-local number.
Unfortunately people hate registration, and while there are alternatives that avoid registration (e.g. Facebook, Gmail, etc login) people hate those for other reasons (mostly spam/abuse).

Are phone numbers insecure? Sure, yes, absolutely. But too many companies have built their entire brand around not requiring registration, that is their USP (e.g. WhatsApp).

What Lyft should be doing at the absolute minimum is merging the phone number with the IMEI (or some other unique hardware ID) and only then allowing people to make purchases without re-entering the CC number.

It won't fix the problem of if your phone got stolen and someone made purchases with it. But it would stop phone number re-use related issues.
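
As an added illustration of the device-binding idea in this comment (not Lyft's code, and not from anywhere in the thread), here is a small Python model in which a stored card can only be charged from the hardware that entered it; the phone number, device IDs and card token are constructed values, and the SMS step is assumed to have already happened.

```python
"""Binding a stored card to the device that entered it, as suggested above.

Added illustration, not Lyft's code. Assumptions: the SMS step has already
verified that the caller can receive texts at `phone`; `device_id` is an
opaque per-installation hardware identifier the app reports; the card is
held only as a payment-processor token.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    phone: str
    card_token: Optional[str] = None                      # token from the payment processor
    bound_devices: Set[str] = field(default_factory=set)  # devices that entered the card


class PaymentAuthorizer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add_card(self, phone: str, device_id: str, card_token: str) -> None:
        """Entering card details binds the current device; older bindings are dropped."""
        acct = self.accounts.setdefault(phone, Account(phone))
        acct.card_token = card_token
        acct.bound_devices = {device_id}

    def login(self, phone: str, device_id: str) -> str:
        """Called after SMS verification. The account survives, the card may not."""
        acct = self.accounts.setdefault(phone, Account(phone))
        if device_id in acct.bound_devices:
            return "ok"
        # Same number, different hardware: either the owner got a new phone or
        # the number was recycled to a stranger. Either way the stored card is
        # revoked until someone re-enters it on this device.
        acct.card_token = None
        return "card_reentry_required"

    def can_charge(self, phone: str, device_id: str) -> bool:
        acct = self.accounts.get(phone)
        return bool(acct and acct.card_token and device_id in acct.bound_devices)


def recycled_number_scenario() -> dict:
    """Constructed walk-through of the situation described in the post."""
    auth = PaymentAuthorizer()
    phone = "+1-555-0100"                                  # constructed number
    auth.add_card(phone, "device-original", "tok_constructed_4242")
    before = auth.can_charge(phone, "device-original")    # True
    # Months later the number is reassigned and the new SIM owner installs the app.
    verdict = auth.login(phone, "device-stranger")        # "card_reentry_required"
    after = auth.can_charge(phone, "device-stranger")     # False
    return {"original_could_charge": before, "new_owner_login": verdict,
            "new_owner_can_charge": after}
```

The same path is taken when the legitimate owner replaces their phone, which is the "re-enter your credit card info" cost the replies below discuss.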

What happens if you get a new phone?
You go through a more rigorous process. This only happens once every year or two, you know.
Re-enter your credit card info.
You keep your same number and once you resync your phone with a backup, all your apps and data should transfer right over.
> This is what I hate about apps and services using phone numbers as primary credentials. Phone numbers can and do change, so they're nowhere near as stable as e.g. a simple email address.

Well put. I can think of a half-dozen phone numbers I used to have that have presumably been reused. Though even email addresses can be reused: Yahoo announced in 2013 it was doing this.

From a HN app/service-development perspective, all of these approaches have tradeoffs. Facebook login gives you a scoped unique ID with a low probability of reuse (perhaps zero, I can't recall what the docs say), but some folks don't like logging in with FB or don't have a FB account at all.

The better option is Google Voice: a permanent number that you can forward to any temporary cell number you want.
I would agree but GV seems to be a forgotten product and I'm not going to tie something as important as my phone number to something Google might shut down on a whim.
Google has recently integrated Google Voice into Hangouts. They probably won't update and may deprecate the Google Voice site and apps. They have also been pushing phone calls from Hangouts. My suspicion is that Google will open up the usage of virtual phone numbers in Hangouts.
I don't think that's going to happen. GV has been around since 2009 - I got my number then and it's been great. This is not Reader - several million people and businesses have GV numbers. Of course it can happen, and there may be other reasons you might not want Google to handle your phone calls, but I estimate the probability of Google just shutting this down as pretty small.
At worst you'll have to transfer your number to some other service. While I wouldn't be shocked by Google shutting down Voice, I would be shocked if it just abruptly vanished one day with no warning.
I've got GV -- on a number I've had since before they bought Gizmo and before whatever it was before that turned into Gizmo.

My backup plan at this point is probably a 'quick' reimplementation of the bits of GV that I use in Twilio.

A lot of apps auto-detect your phone number. Not sure if there is a way of sending the Google Voice number to the apps or having your phone think that is your number (normally the network defines it).
On Android you can set up the phone to send the GV number as your caller-ID. So when calling Lyft they should see your GV number, which will never get associated with anyone else.

EDIT: As Someone1234 points out, however, caller-ID might be irrelevant, and having GV might not help. Another reason to be very selective about what apps you install.

Right, but most apps don't "call up" anything. They just gather your phone number using the OS's APIs and then send it via HTTPS/JSON. Caller ID would play no part in that process.
Really think the title of this post should be changed. Lyft DID NOT leak your credentials.
So, who did it? It's Lyft's responsibility not to have these security bugs.
What I'm saying is:

Leaked Credentials != Unauthorised access to your account

Leaked Credentials == exposing username/email + password (unhashed)

OK, agree.
Hi there - this is Zach from Lyft. Our support team has been responding to your original email to resolve this case.

We take security and personal information seriously, and did not leak credentials. The relevant teams within Lyft, including product/engineering, have been alerted of this case to continue ensuring the community's safety.

What about this comment: https://news.ycombinator.com/item?id=9355499. How is this happening?
Can't you just call the CC and dispute the charges and/or freeze charges from that merchant? Granted that doesn't solve the larger problem here but it would at least stop the guy from abusing the system.
This is exactly why 30 day chargebacks exist, right?
Sure, though Lyft may well ban you for life.
So? They don't know who he is anymore.
Wouldn't his billing info be sufficient to identify him again in the future?
It doesn't sound like Lyft is retaining too much info on their customers. I would bet if they used another card they would be able to join again.
I'm surprised he has not yet cancelled the card. The mystery rider will end up having to put in his real card number, problem solved.

It's definitely something to report to your card's fraud department, because someone is fraudulently using your card.

What you do here is tell your credit card company that the charges are fraudulent and that you have informed Lyft that the card is not authorized, but they refuse to do anything about it. Let them handle it - they will.
But Lyft hasn't refused anything. Best to have Lyft resolve. May take an ounce of patience.
The guy's e-mailed Lyft support and hasn't got an answer.

What downside is there to reporting the fraudulent charges for what they are, apart from a tiny possibility of being banned from using Lyft in the future?

Not responding to your published contact address is the same as refusing... I do believe it's against the card issuer agreement.
TLDR: I feel your pain.

I went to Scottrade and asked them to close my account, back in 2007 or 2008. They said "sure," cashed out the account, left it open, and continued sending me account status emails for almost ten years.

Last week they told me I had a negative balance of $13. I called them and they can't give me any information over the phone, because I don't know my old address or phone number from whenever I opened the account. (I don't know when that is, only that it was before 2007 or so.)

So I have to go into a physical office. And where I live now, the nearest physical office is more than 60 miles away. And they're not open on weekends.

And they can apply fees to this negative balance, spiral those fees out of control, refer it to a collections agency, and put it on my credit report, all without ever once breaking the law.

So I have to drive 60 miles both ways, because almost ten years ago, one of their employees was too lazy to do their job correctly. And I can't even do it on the weekend.

US consumer law has terrific protections for all the problems that were legitimate risks 100 years ago, but it sucks today. Effectively, the burden of proof is now on me to demonstrate that this $13 fee is not my problem.

Same thing happened to a Chase checking account I had.

I cashed & closed it, but the teller must not have actually closed it because they decided to charge it $10/mo for some stupid bank-fee reason. It was diving into negative numbers for months before I discovered it.

This is a very serious issue and you should not stop pursuing all available support channels until you get an answer. I can guarantee you that such a glaring bug will immediately get high priority in their issue tracking system. The last thing Lyft wants is for something like this to get reported on and shake confidence in the platform they are trying so hard to build.
The problem is that it's not a bug, it's the foolhardy way that the system is designed.
I guess it's a semantic disagreement but I would still call this a bug. If they considered this use-case when they designed the system and then decided it was not worth designing for then I suppose it is not a bug, but I find it hard to believe that is the case.
I don't (find it hard to believe). A few chargebacks are nothing compared to adding friction to the signup of the majority of users, financially speaking.
My opinion leans towards: they considered the use-case but ruled it as uncommon and so didn't design for it (or pushed it down the priority queue). This is because it seems that most people in the US (at least those with smart phones) are on some form of contract rather than use pay-as-you-go; it also seems to me that those on contract would most likely retain their number even when they move (within the US).
I understand your point, and I wish I could also find it hard to believe. But there is nothing in the article to suggest that the system is not working as intended. Of course they knew that phone numbers change hands, yet they designed their system to let the number act as both identification and authentication, knowing that it would lead to a certain number of fraudulent charges.
This might be a stupid question but does this mean that if I have a phone emulator and configure it to have some number and download one of these apps that use the # for account lookup that I could essentially hijack peoples accounts like this?

EDIT: no that doesn't seem to be the case. When you login to Lyft they send a text to the registered number.

I think Lyft login/auth would require you to be able to _receive_ messages sent to that number.
It might send an SMS to re-verify account ownership.
Tell your bank that you did not authorize the charges. You get the money back; they can't charge you anymore; the banks ding Lyft statistically in rates and trust.
Sounds like you merely need to inform the bank of the charges on your credit card and let them know that you made an effort to contact the company. Contact the credit card issuer to reverse the charges. Lucky for you you didn't use a debit card; then you would have had a real problem.
I just emailed this thread to John Zimmer, co-founder & president. Expect it to be handled shortly.
As happy as I am that things like this can happen (IDK if you know John or just sent it to his email) it annoys me that problems like this cannot be fixed without complaining on social media/sites like HN.

The number of times I've followed a company's support channels and heard no response in a week's time, then tweeted and got it resolved in less than 3 hours, is staggering and quite disappointing. The squeaky wheel gets the grease....

The only real solution is to redesign the way they create accounts as this is inherently insecure but I'm going to assume that maybe they'll fix OP's issue and stop at that.
Lyft support answered my email:

"After reviewing your statement and digging deeper into our payment back-end, it appears that because your phone number had transferred ownership the new owner of this number may have logged in thinking that this was their account. Due to this occurrence, we at this point in time have placed a hold on all logins using this phone number — this in turn will halt any further use of this account."

"thinking that this was their account'??? So now their name is Dayana, and they didn't notice? come on!
It's a pain but it sounds like you need to cancel your credit card. Or you can wait and see if this post gets any attention. Obviously they have a gap in their authentication that they need to address.
Current headline: "Lyft leaked my credentials"

Sorta thought the story was going to involve leaked credentials.

First, I'm sure Lyft will take care of it in your favor.

Second, this is certainly an issue when utilizing SMS for authentication/login. I'm not sure the best answer since it can be a good way to support easy login/authentication. If phones send along a device ID, that might work. Not sure the frequency of same number on same "disposable" phone.

Lyft's support team seems nonexistent. I've sent several emails to them and never received a reply.
Lyft is not the only company that will do things like this. Twitter tried this with Twitter Digits, and Yahoo offers single-factor phone based recovery. In all of these cases, companies are sacrificing convenience for security.
"companies are sacrificing security for convenience" FTFY
You are right. After reading this I requested Uber to delete my account as I was using a prepaid phone while visiting the US. I was very disappointed as they don't have an easy way to delete an account; you need to send an email explaining why.
Just to be fair, account deletion is not a super easy thing. It may seem easy ("DELETE FROM users WHERE id = '123';") but you also need to delete all of their related records. Let's say you have a user table with username, hashed password, and id in it and then all that address/DOB/etc. in a users_data table or similar. Now you need to delete the users_data record as well. But that's not all: what about all the transactions in the "rides" table? They are related to the user but we need to keep them for historical data and/or reports. It can get messy VERY quickly, and if the application is changing quickly then your "delete user" logic might leave behind new user data that it doesn't account for.

What I'm saying is that while I do find it mildly annoying that there is no "Delete Account" button, there are good reasons for it. Not only is this a non-insignificant amount of work to build/maintain, but from a business point of view it means spending time/money on a feature that is only for people who no longer want to be your customer, so put in that light it's no surprise this feature falls by the wayside often. Also there is the whole "I accidentally deleted my account" (no matter how many warnings you put up) and that means you either need to "soft delete" all the data so you can "undo" OR you have to reconstruct the user's data from a backup (either programmatically or by hand).
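
To make the point in this comment concrete, here is an added Python/sqlite example (not Uber's or Lyft's code) using the three-table layout the comment sketches: the one-line DELETE is rejected because rides still reference the user, so the routine instead drops the PII rows, scrubs the user row and keeps the rides. The schema, user, address and ride rows are all constructed.

```python
"""Deleting an account without orphaning its ride history.

Added example, not any ride-share company's code; the users / users_data /
rides schema follows the comment above and every row is constructed. With
foreign keys enforced, "DELETE FROM users" fails while rides still point at
the user, so PII is removed, the user row is scrubbed and rides are kept.
"""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT,
    phone TEXT, deleted_at TEXT);
CREATE TABLE users_data (
    user_id INTEGER NOT NULL REFERENCES users(id), address TEXT, dob TEXT);
CREATE TABLE rides (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id),
    fare_cents INTEGER, taken_at TEXT);
"""


def build_db() -> sqlite3.Connection:
    """In-memory database with one constructed user, their PII and two rides."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO users VALUES (123, 'dayana', 'hash-placeholder', '+1-555-0100', NULL)")
    con.execute("INSERT INTO users_data VALUES (123, '1 Example St', '1990-01-01')")
    con.executemany("INSERT INTO rides VALUES (?, 123, ?, ?)",
                    [(1, 1250, "2015-04-01"), (2, 2300, "2015-04-02")])
    con.commit()
    return con


def naive_delete_fails(con: sqlite3.Connection, user_id: int) -> bool:
    """The one-liner from the comment: rejected while rides reference the user."""
    try:
        con.execute("DELETE FROM users WHERE id = ?", (user_id,))
    except sqlite3.IntegrityError:
        con.rollback()
        return True
    return False


def delete_account(con: sqlite3.Connection, user_id: int) -> dict:
    """Remove PII, keep the rides, and release the phone number."""
    with con:  # one transaction, committed on success
        pii_removed = con.execute(
            "DELETE FROM users_data WHERE user_id = ?", (user_id,)).rowcount
        # Scrub rather than drop: rides.user_id stays valid for reports, and a
        # NULL phone means a recycled number can no longer log into this account.
        con.execute(
            "UPDATE users SET username = ?, password_hash = NULL, phone = NULL, "
            "deleted_at = datetime('now') WHERE id = ?",
            (f"deleted-{uuid.uuid4()}", user_id))
    rides_kept = con.execute(
        "SELECT COUNT(*) FROM rides WHERE user_id = ?", (user_id,)).fetchone()[0]
    return {"pii_rows_removed": pii_removed, "rides_kept": rides_kept}
```

The scrub is irreversible by design; a "soft delete" that keeps the PII behind the `deleted_at` flag would be the alternative when an undo window is wanted.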

So how long has it been since you emailed them?
Even if the SIM isn't changed, phone number assignments are not safe in any way. Just a number in a database. It could be changed by anyone for a few mins and you wouldn't know. It could be social engineered away. Etc.
Chances are some low level engineer brought up this possible issue but some idiot with a bigger mouth than brain just dismissed it
This isn't the proper medium for your complaint. Maybe it'll be resolved somewhat faster but the way you did it wasn't right.
You're the one who forgot, or chose not, to pay your bill and got your phone number cancelled. And you chose to use an app that tied your phone number and your credit card together. So, you share some responsibility here.

Lyft's problem is two-fold: 1) they don't warn users not to use their app on a temporary device 2) they don't allow an easy way to cancel the account without the phone number