Uber wants to ditch the email-and-password login -- here's why
Two weeks ago, my brother got an alert: His Uber was arriving.
This was a fairly normal occurrence for him, except that he was firmly seated at his office in Madison, Wisconsin, and the Uber on the screen was on the outskirts of London.
The text and email from Uber confirmed his fear: his email and password had been changed.
He was locked out with a $31 bill for the London joyride.
Like my brother, many Uber users have found their accounts taken over since March after stolen account information was posted for sale on the Dark Web.
The company investigated and found no breach in its system. While the spate of London-based account takeovers is ultimately a reflection of poor password management by its users rather than a problem with Uber's security, the company is still working to get ahead of larger-scale account lockouts.
Part of that includes ultimately ditching the email-and-password system that hackers use in favor of a mobile-first approach.
"Uber is committed to developing security features that go beyond relying on email accounts and passwords for verification," the company told Business Insider. "We are investing in rules engines and machine learning and believe we will be able to create a higher-quality experience in the long run by putting resources into technology solutions."
The machine-learning system takes time to train as new types of fraud emerge. The London-based account takeovers meant the company had to add even more rules, the source said.
Uber is also being more aggressive about actively acquiring account information when it is posted on sites such as Pastebin and notifying users if their accounts could have been compromised, the source said.
My brother, unfortunately, didn't receive this friendly heads-up.
Since the hacker had somehow acquired his login information, he or she was able to go in and update the account information with nothing more than a text sent to my brother telling him to email support if it wasn't him. (Uber has since refunded the trip cost and reinstated his account access.)
To prevent that from happening in the future, Uber is testing two-factor authentication in one market. That means my brother would have received a text on his phone when the hacker was trying to change his account. He would have realized something was wrong, and the hacker never would have gotten to hijack his account.
A recent privacy-policy update included language that will help enable two-factor authentication within the application itself, rather than going to a separate text message and entering a code, a source said.
"We have been experimenting with two-factor authentication in one market and also exploring alternatives," Uber said. "We may invest more heavily in this area in the future, but given the very limited adoption of second-factor authentication on other services, are focusing even more right now on security that will work for all users."