Singaporean gets $1,000 bill for Uber rides she never took

She rarely checks her e-mails but when she did on Feb 4, the amount of Uber receipts she found shocked her.

Ms Audrey Kua, 24, found 11 unauthorised transactions made in Toronto, Canada.

The transactions, spanning three days beginning Jan 28, totalled C$962.69 (S$956).

"I was shocked, especially when I saw that the amount for the trips was not little," said the financial analyst.

Ms Kua said she has not been using the Uber app for more than a month.

She also has not been to Toronto or even Canada. Neither does she have any family or friends living there.

Uber is a ride-hiring app. You pay using credit or debit cards and the cost of your ride is e-mailed to you after your journey ends.

The first sign of trouble was when Ms Kua saw a dip in her bank account after withdrawing money on Jan 30.

"I have a bad habit of not checking my bank account regularly so when I saw that my account balance had decreased, I thought it was because I spent a little too much," she said.

Ms Kua added: "Sometimes, when I go out with my friends I also offer to pay first and split the bill later."

After going through the Uber receipts and realising that the amount deducted from her bank has reached close to $1,000, Ms Kua immediately called the bank to cancel her debit card that was synced to her Uber account.

She also went down to Uber's headquarters at Sin Ming Lane on the same day.

"The thing that I feared the most is whether there was a breach on my personal information," said Ms Kua.

"Uber got back to me the next day and said that they will be processing the refund. Since I have already terminated my debit card, I had to make another trip to the bank for a replacement and inform Uber about the new card details," she added.

When The New Paper contacted Ms Kua on Wednesday, she said that she had already received the full refund for the unauthorised transactions.

Uber spokesman Karun Arya declined to give details of what may have happened.

But he said: "This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services."

Mr Michael Lee from IT security company RSA APJ said that a situation like this could be what is called an opportunistic attack.

"An analogy will be if a car manufacturer creates only a few keys that can open a specific car model. So another person who has a key can try it on hundreds of different car models and will probably stand a chance to find one that fits," said Mr Lee.

Looked into my email account to find out that someone from Toronto has hacked into my uber account and is using it like...

Posted by Ruiling Audrey Kua onĀ Wednesday, February 3, 2016


He also urged users to avoid using the same password for multiple sites, especially if the passwords are weak.

Pinsent Masons law firm partner Bryan Tan said: "The bank and vendor might push the blame away and refuse to refund the money so the user, who is caught in the middle, has to bear the liability."

Mr Tan urged the victim to make a police report in Toronto so that the Canadian police can carry out further investigations.

He advised: "Users should be vigilant and always in the loop about their online transactions; the best person who can detect and stop unauthorised transactions is the user himself."

Ms Kua is grateful that she managed to get her money back even though she had to go through a lot of trouble for it.

"It's a lesson for myself and others to be aware of online transactions. I have also started to check my e-mails consistently just to keep track," she said.

This article was first published on Feb 12, 2016.
Get The New Paper for more stories.