Lyft allowed unauthorised access to my account
When I travel to the US I usually buy a pay as you go AT&T sim card to use during my stay. I used to take Lyfts to move around, till today.
If you have a phone with pay as you go service and for some reason you don't pay the bill for a month, you will lose your number. Then a few months later someone buying a new sim card will have your old number, so if they download lyft they will have your account with your credit card. And guess what? They can have free rides charged to your credit card!!!
So there's a creepy guy taking lyft rides in san francisco with my account. The best part is that I can't remove the credit card from that account because I no longer have that phone number, so I can't access my account!
I sent an email to Lyft support but no one answered.
75 comments
[ 5.4 ms ] story [ 142 ms ] threadThe number of times I've followed a companies support channels and heard no response in a weeks time then tweeted and got it resolved in less than 3 hours is staggering and quite disappointing. The squeaky wheel gets the grease....
What I'm saying is that while I do find it mildly annoying that there is no "Delete Account" button there are good reasons for it. Not is this a non-insignificant amount of work to build/maintain but from a business point of view it means spending time/money on a feature that is only for people who no longer want to be your customer so put in that light it's no surprise this feature falls by the wayside often. Also there is the whole "I accidentally deleted my account" (no matter how many warning you put up) and that means you either need to "soft delete" all the data so you can "undo" OR you have to reconstruct the user's data from a backup (either programmatically or by hand).
Keep your number? I love this XKCD on this [0]. I live in a different state that where I got my phone number and when I moved I just kept the number so I didn't have to go through the dog and pony show of updating it everywhere.
[0] https://xkcd.com/1129/
My backup plan at this point is probably a 'quick' reimplementation of the bits of GV that I use in Twilio.
EDIT: As Someone1234 points out, however, caller-ID might be irrelevant, and having GV might not help. Another reason to be very selective about what apps you install.
Are phone numbers insecure? Sure, yes, absolutely. But too many companies have built their entire brand around not requiring registration, that is their USP (e.g. WhatsApp).
What Lyft should be doing at the absolute minimum is merging the phone number with the IMEI (or some other unique hardware ID) and only then allowing people to make purchases without re-entering the CC number.
It won't fix the problem of if your phone got stolen and someone made purchases with it. But it would stop phone number re-use related issues.
Well put. I can think of a half-dozen phone numbers I used to have that have presumably been reused. Though even email addresses can be reused: Yahoo announced in 2013 it was doing this.
From a HN app/service-development perspective, all of these approaches have tradeoffs. Facebook login gives you a scoped unique ID with a low probability of reuse (perhaps zero, I can't recall what the docs say), but some folks don't like logging in with FB or don't have a FB account at all.
What downside is there to reporting the fraudulent charges for what they are, apart from a tiny possibility of being banned from using Lyft in the future?
Leaked Credentials != Unauthorised access to your account
Leaked Credentials == exposing username/email + password (unhashed)
forgot your password? we'll SMS to your phone number on file... YOU'RE WELCOME.
It's definitely something to report to your card's fraud department, because someone is fraudulently using your card.
EDIT: no that doesn't seem to be the case. When you login to Lyft they send a text to the registered number.
Sorta thought the story was going to involve leaked credentials.
First, I'm sure Lyft will take care of it in your favor.
Second, this is certainly an issue when utilizing SMS for authentication/login. I'm not sure the best answer since it can be a good way to support easy login/authentication. If phones send along a device ID, that might work. Not sure the frequency of same number on same "disposable" phone.
Lyft's problem is two-fold: 1) they don't warn users not to use their app on a temporary device 2) they don't allow an easy way to cancel the account without the phone number
...I switched to Uber...
I went to Scottrade and asked them to close my account, back in 2007 or 2008. They said "sure," cashed out the account, left it open, and continued sending me account status emails for almost ten years.
Last week they told me I had a negative balance of $13. I called them and they can't give me any information over the phone, because I don't know my old address or phone number from whenever I opened the account. (I don't know when that is, only that it was before 2007 or so.)
So I have to go into a physical office. And where I live now, the nearest physical office is more than 60 miles away. And they're not open on weekends.
And they can apply fees to this negative balance, spiral those fees out of control, refer it to a collections agency, and put it on my credit report, all without ever once breaking the law.
So I have to drive 60 miles both ways, because almost ten years ago, one of their employees was too lazy to do their job correctly. And I can't even do it on the weekend.
US consumer law has terrific protections for all the problems that were legitimate risks 100 years ago, but it sucks today. Effectively, the burden of proof is now on me to demonstrate that this $13 fee is not my problem.
I cashed & closed it, but the teller must not have actually closed it because they decided to charge it $10/mo for some stupid bank-fee reason. It was diving into negative numbers for months before I discovered it.
We take security and personal information seriously, and did not leak credentials. The relevant teams within Lyft, including product/engineering, have been alerted of this case to continue ensuring the community's safety.
"After reviewing your statement and digging deeper into our payment back-end, it appears that because your phone number had transferred ownership the new owner of this number may have logged in thinking that this was their account. Due to this occurrence, we at this point in time have placed a hold on all logins using this phone number — this in turn will halt any further use of this account."