Lyft customers face potential hack from recycled phone numbers

The problem involves Lyft's use of cell phone numbers to verify customers' identities

Giving up an old cell phone number for a new one may seem harmless. But for Lyft customers, it can potentially expose their accounts to complete strangers.

That's what happened to Lara Miller, a media relations specialist living in California. Earlier this month, she discovered two credit card charges made in Las Vegas, over 400 miles away.

"I thought it was legit fraud on my debit card," Miller said.

But in reality, another woman had accidentally taken over her old Lyft account. It happened because the phone company had recycled the cell phone number Miller had canceled back in April -- opening the door to the hack.

The problem involves Lyft's login process. The ride-hailing app does away with the hassle of usernames and passwords, and instead signs up customers with their smartphone's cell number.

That phone number, however, can remain tied to the account, even if it changes subscribers. Miller eventually realized this and called Elysia, the woman who now owns her old cell phone number.

Elysia declined to have her last name published. But she, too, had realized that something was off with the Lyft account she thought was hers.


"I got this new number around the fourth of July," Elysia said. "So I was already getting so many text messages meant for her (Miller) from old friends. From Airbnb."

When Elysia signed up for Lyft, she also saw that a pre-existing payment card was already stored in the account. "The app wouldn't let me change the profile," she said. "There was no way to make a new account. They didn't have the option there."

Elysia tried to substitute her own credit card on the account. However, when she was in Las Vegas, she took two rides with Lyft, both of which still charged Miller's payment card.

Miller and Elysia said they find the whole case disturbing. "Now I hope no one is using my old Lyft account from my old phone number," Elysia said.

However, Lyft said problems like this are rare. The company relies on a "variety of signals" including third-party sources, the Lyft account and the device to verify the user's identity.

"In cases where it appears the user may not be the same, we ask them to verify their identity or to create a new account," Lyft said. "In rare cases this process doesn’t work as intended, and we use those learnings to improve our algorithms going forward."

Nevertheless, other publications have reported on the problem, and users on Hacker News have complained about it as well.

"So there's a creepy guy taking Lyft rides in San Francisco with my account," wrote one user over a year ago. "The best part is that I can't remove the credit card from that account because I no longer have that phone number."

Lyft, however, has said that users can cancel accounts by contacting its customer support.

To prevent the problem, companies should offer customers stronger forms of two-factor authentication, and not merely rely on a phone number to confirm a user's identity, said Edward Amoroso, former chief security officer of AT&T and CEO of security consultancy TAG Cyber.

"Unfortunately, however, the industry will probably not shift to improved validation methods unless users decide that they will no longer accept this kind of risk," he said.
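The failure described in this article, and the "variety of signals" and second-factor remedies mentioned by Lyft and Amoroso, can be shown in a small model of the two login flows. The code below is an added example written for this page; it is not Lyft's code and does not describe Lyft's actual checks. The 60-day recycle window, the device identifiers, the phone numbers, the masked card number and the "recovery secret" (standing in for an email link or passcode that only the original owner can produce) are all constructed assumptions. The weak flow hands whoever holds the number the existing account and its stored card; the hardened flow treats the number only as a lookup key, demands a second factor when the device is unknown or the number has been idle long enough to have been reassigned, and, when that factor is not produced, detaches the old account so the new holder gets an empty one instead.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumption for this example: a number unused on its account for this long may
# have been reassigned by the carrier, so it can no longer prove ownership on its
# own. Real carrier recycle periods vary; this value is constructed.
RECYCLE_WINDOW = timedelta(days=60)


@dataclass
class Account:
    phone: Optional[str]
    payment_card: str               # constructed, masked sample value
    recovery_secret: str            # stands in for an email/passcode second factor
    known_devices: set = field(default_factory=set)
    last_seen: datetime = datetime(2016, 1, 1)


def seed():
    """Constructed state: the previous holder of the number signed up earlier
    in the year, stored a card, and last used the app on 1 April."""
    return {
        "+1-555-0100": Account("+1-555-0100", payment_card="****4242",
                               recovery_secret="owner-email-code",
                               known_devices={"owner-phone"},
                               last_seen=datetime(2016, 4, 1)),
    }


def phone_only_login(accounts, phone, device_id, now):
    """Weak flow: the phone number alone selects and unlocks the account, so a
    new holder of a recycled number lands on the old owner's stored card."""
    acct = accounts.get(phone)
    if acct is None:
        acct = accounts[phone] = Account(phone, payment_card="", recovery_secret="")
    acct.known_devices.add(device_id)
    acct.last_seen = now
    return "granted", acct


def risk_aware_login(accounts, phone, device_id, now):
    """Hardened flow: the number is only a lookup key. An unknown device, or a
    number idle past RECYCLE_WINDOW, must pass a second factor before the
    stored card becomes usable. Returns (decision, account)."""
    acct = accounts.get(phone)
    if acct is None:
        acct = accounts[phone] = Account(phone, payment_card="", recovery_secret="")
        acct.known_devices.add(device_id)
        acct.last_seen = now
        return "new_account", acct
    if device_id in acct.known_devices and now - acct.last_seen < RECYCLE_WINDOW:
        acct.last_seen = now
        return "granted", acct
    return "step_up_required", acct


def complete_step_up(accounts, phone, device_id, secret, now):
    """Second factor bound to the person, not to the number. A correct secret
    enrols the new device; a wrong one yields 'denied' and the caller should
    offer a fresh account rather than the old one."""
    acct = accounts[phone]
    if acct.recovery_secret and hmac.compare_digest(acct.recovery_secret, secret):
        acct.known_devices.add(device_id)
        acct.last_seen = now
        return "granted", acct
    return "denied", None


def provision_fresh_account(accounts, quarantine, phone, device_id, now):
    """Step-up failed: the number has a new holder. Detach the old account so
    its card is unreachable through this number (the old owner recovers it
    through support), and give the new holder an empty account."""
    old = accounts.pop(phone)
    old.phone = None
    quarantine.append(old)
    new = Account(phone, payment_card="", recovery_secret="")
    new.known_devices.add(device_id)
    new.last_seen = now
    accounts[phone] = new
    return new


if __name__ == "__main__":
    now = datetime(2016, 10, 20)
    phone, new_device = "+1-555-0100", "new-holder-phone"
    _, acct = phone_only_login(seed(), phone, new_device, now)
    print("weak flow charges card:", acct.payment_card)          # ****4242
    accounts, quarantine = seed(), []
    print("hardened flow:", risk_aware_login(accounts, phone, new_device, now)[0])
    print("wrong secret:", complete_step_up(accounts, phone, new_device, "guess", now)[0])
    fresh = provision_fresh_account(accounts, quarantine, phone, new_device, now)
    print("new holder's card:", repr(fresh.payment_card), "| quarantined:", len(quarantine))
```

The device check and the idle window are the two cheapest "signals" a service can apply before trusting a phone number; the step-up secret is what actually separates the person from the number. Detaching rather than deleting the old account keeps the original owner's data recoverable while making sure no ride can be charged to it through the recycled number.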

Miller is concerned the ride-hailing app hasn't done more to fix this problem. Although Lyft has offered an apology, the company still hasn't refunded the charges from her bank account.

"I'm just annoyed and I want more people to know about this," she said. "I think it's a pretty big flaw in their security."

Although Lyft has suspended Miller's old account, that has left Elysia with no access to the ride-hailing service.

"Now I can't even log on to Lyft," Elysia said.

Michael Kan

IDG News Service