Toronto woman wrongly billed for Uber ride in Poland says she feels ‘violated’

A Toronto woman says she feels she was taken for a ride after being billed for an Uber trip ordered on her account that she didn’t take — 7,000 kilometres away in Krakow, Poland.

Laura Hesp was at home in her apartment in Toronto on Monday when she says she received a text saying an Uber driver would be there in five minutes to pick her up. The problem: she never ordered one.

Hesp says she thought it was a glitch and posted about the ride to the Weird Toronto Facebook group.

“Got a phantom text saying my Uber arrived… I open the app and it’s in Poland and for the next 10 minutes I can see this guy dropping someone off… In… Poland. What,” Hesp wrote.

Before long, Hesp was getting replies saying her account had likely been hacked.

‘I kind of felt a little bit violated’

Hesp says she didn’t know that was possible.

However, when the ride ended, she says she got an email with a bill for the equivalent of about $3.75 for the ride.

Laura Hesp says she was at her Toronto home when she received an email from Uber informing her someone had taken a trip using her account about 7,000 kilometres away in Poland. (Laura Hesp)

Hesp says she contacted Uber and told them what happened.

She says Uber refunded the trip, and told her to secure her account by changing her password and deleting her credit card information.

“I kind of felt a little bit violated, like someone else was impersonating me in an Uber… And you can’t really track down who that person was,” she said.

In an email to CBC News, Uber security spokesperson Melanie Ensign said this type of fraud is usually caused by password reuse or phishing scams that trick a user into giving away their password.

Hackers target passwords, says security expert

The company says it doesn’t store credit card information but nevertheless recommends users create a unique password not used for any other site for their Uber accounts.

Toronto-based security engineer Geoffrey Vaughan agrees.

Toronto-based security engineer Geoffrey Vaughan says phishing scams can affect virtually any account a person has online and recommends people use a password manager to keep their login information secure. (CBC)

A phishing scam, he explains, usually begins with an email telling a person their account has been compromised. The email contains instructions for resetting a password and directs the person to a website that looks on the surface to belong to a legitimate company. When the user goes through the steps, they inadvertently give away their password, giving the hacker the keys to their account.

“It’s not much different than any of your banking phishing emails or the Nigerian prince from however many years ago,” Vaughan said.

“That’s probably the easiest way that most people would go after targeting other Uber accounts,” he said, adding the same kind of scams can compromise virtually any online account.

Vaughan recommends people use a password manager — programs that generate and store unique passwords for a user’s many accounts in a secure database, which can be unlocked by a single master password — to keep their login information secure. He says that eliminates the need to remember every password and cuts down on the possibility of being hacked.

‘You should be treating all emails as hostile’

Vaughan says keeping yourself safe from phishing scams all comes down to how much you trust the emails you receive.

“You should be treating all emails as hostile unless you can prove otherwise. You should never be clicking on a link until you’re absolutely sure,” he said.

Hesp may have learned that lesson the hard way, and now says she’s changing all of her passwords.

Even so, she says she’d like to see Uber put in place a way of confirming that the rider getting into the car is indeed the one the ride was meant for.

“It’s hard because a lot of us order Ubers for other people… but we definitely need to figure out a different way to make sure that that’s the person that ordered it,” she said.

As for who might have ordered a ride on her account half a world away, Hesp says that, because there aren’t generally cameras in Uber cars, there’s likely no way to trace the person’s identity.

“I guess we’re never going to find out.”