Lyft customers face potential hack from recycled phone numbers

The problem involves Lyft's use of cell phone numbers to verify customers' identities

Giving up an old cell phone number for a new one may seem harmless. But for Lyft customers, it can potentially expose their accounts to complete strangers.

That's what happened to Lara Miller, a media relations specialist living in California. Earlier this month, she discovered two credit card charges made in Las Vegas, over 400 miles away.

"I thought it was legit fraud on my debit card," Miller said.  

But in reality, another woman had accidentally taken over her old Lyft account. It happened because the phone company had recycled the cell phone number Miller had canceled back in April -- opening the door to the hack.

The problem involves Lyft's login process. The ride-hailing app does away with the hassle of usernames and passwords, and instead signs up customers with their smartphone's cell number.

That phone number, however, can remain tied to the account, even if it changes subscribers. Miller eventually realized this and called Elysia, the woman who now owns her old cell phone number.

Elysia declined to have her last name published. But she also realized that something was off with the Lyft account she thought was hers.

"I got this new number around the fourth of July," Elysia said. "So I was already getting so many text messages meant for her (Miller) from old friends. From Airbnb."

When Elysia signed up for Lyft, she also saw that a pre-existing payment card had been stored in the account. "The app wouldn't let me change the profile," she said. "There was no way to make a new account. They didn't have the option there."

Elysia tried to substitute her own credit card on the account. However, when she was in Las Vegas, she took two rides with Lyft, both of which still charged Miller's payment card.

Miller and Elysia said they find the whole case disturbing. "Now I hope no one is using my old Lyft account from my old phone number," Elysia said.   

However, Lyft said problems like this are rare. The company relies on a "variety of signals" including third-party sources, the Lyft account and the device to verify the user's identity.

"In cases where it appears the user may not be the same, we ask them to verify their identity or to create a new account," Lyft said. "In rare cases this process doesn’t work as intended, and we use those learnings to improve our algorithms going forward."

Nevertheless, other publications have also reported on the problem. Users on Hacker News have also complained.

"So there's a creepy guy taking Lyft rides in San Francisco with my account," wrote one user over a year ago. "The best part is that I can't remove the credit card from that account because I no longer have that phone number."

Lyft, however, has said that users can cancel accounts by contacting its customer support.

To prevent the problem, companies should offer customers stronger forms of two-factor authentication, and not merely rely on a phone number to confirm a user's identity, said Edward Amoroso, former chief security officer of AT&T and CEO of security consultancy TAG Cyber.

"Unfortunately, however, the industry will probably not shift to improved validation methods unless users decide that they will no longer accept this kind of risk," he said.

Miller is concerned the ride-hailing app hasn't done more to fix this problem. Although Lyft has offered an apology, the company still hasn't refunded the charges from her bank account.

"I'm just annoyed and I want more people to know about this," she said. "I think it's a pretty big flaw in their security."

Although Lyft has suspended Miller's old account, that's left Elysia with no access to the ride-hailing service. 

"Now I can't even log on to Lyft," Elysia said. 

Michael Kan

IDG News Service