Cellphones

A Fake Uber Driver Borrowed Phones, Then Stole $200K in Cryptocurrency, Police Say (gizmodo.com) 48

"A man is accused of several felony charges after he allegedly posed as an Uber driver and then stole hundreds of thousands of dollars in cryptocurrency from customers in Scottsdale," reports Arizona news channel Fox 10.

"Prosecutors have called it an 'extremely sophisticated electronic fraud,'" reports Gizmodo, "and it's a strange approach to scamming that makes it sound unique in several ways." Nuruhussein Hussein, 40, allegedly picked up two unsuspecting people who were looking for Uber rides they'd ordered in Scottsdale — one in March and the other in October according to Fox 10 — by shouting their names on the street outside a hotel. It's not clear how Hussein may have known these people were looking for rides and court documents give no indication how he accomplished this or knew the victims would have crypto accounts, according to Fox 10, though a hotel does make sense as a target-rich environment for those looking to get picked up.

Once the victims were in the car, Hussein allegedly obtained the phones of the victims through some kind of pretense, including problems with his own phone and the need to look something up as well as a need to connect with the Uber app, according to NBC News. Hussein would then allegedly open up the victim's Coinbase account. "While manipulating the unsuspecting victim's phone the suspect transferred cryptocurrency from their digital wallet to his digital wallet," police reportedly explained in a statement.

This discussion has been archived. No new comments can be posted.

  • How is handing over a phone that's linked to your Coinbase account any different from letting someone hold a suitcase full of cash?
    • It's no different than people having all their banking information on their phone. Lose your phone, lose your money.

      • by oldnuskeet ( 6194988 ) on Sunday December 15, 2024 @08:02AM (#65014621)
        I don't know how it works in USA but any bank account in Europe wants your bank passwords for everything and often some sort of auth external to the phone to move money, like a coordinates card or some sort of pass that you need to give positions of. No one with my unlocked phone would be able to transfer money.
        • I don't know how it works in USA but any bank account in Europe wants your bank passwords for everything and often some sort of auth external to the phone to move money, like a coordinates card or some sort of pass that you need to give positions of. No one with my unlocked phone would be able to transfer money.

          Which begs the question; how the fuck do you even write a wallet app that doesn’t have secondary security above and beyond the damn device it’s on?

          I remember when thieves couldn’t do jack shit with my ATM card without a PIN. That’s decades old security.

          • by Anonymous Coward

            I remember when thieves couldn't do jack shit with my ATM card without a PIN. That's decades old security.

            I remember when the ATM cards recorded the PIN on the magstripe. That's decades old security!

            • I remember when the ATM cards recorded the PIN on the magstripe. That's decades old security!

              My question is along those lines. Were these crypto apps really totally unprotected once the phone was open? Or did he have to do something at least moderately clever, analogous to making a card skimmer out of the magnetic head from an 8-track deck?

              • He might have just failed to rob a bunch of people, unless they kept their password on their phone.

              • coinbase requires a pin and biometrics or an authenticator code from a separate app (which itself should require biometrics or a pin) to move money. That is unless of course those security features have been disabled.
            • by narcc ( 412956 )

              Terrible ... but still good enough to thwart the overwhelming majority of thieves and opportunists.

              Just because it's not perfect doesn't mean it's worthless.

          • The problem isn't that the app doesn't have that security (it does), the problem is users disable that security.
        • by alvian ( 6203170 )
          This is why I don't allow any financial apps to automatically log in and even save the username of the account. Thinking about this made me realize that someone can order their overpriced products on the Amazon app and order it without any additional authentication as long as the phone is unlocked.
        • No one with my unlocked phone would be able to transfer money.

          But I SHOULD be able to lend my phone to someone to use just as a phone, without giving them access to anything else on it. There could be a separate entry code which allows only the phone function to work, and there could even be a specified expiry time.

          AFAIK there are no phone operating systems that allow this.

          • But I SHOULD be able to lend my phone to someone to use just as a phone, ...

            Android allows you to pin an app so it's the only thing that can be used. Unpinning requires you to unlock the phone. So you could pin the phone app...

          • One Plus oxygen lets you create a separate user with no access to the main user's data. unihertz lets you freeze apps until you enter a code to unfreeze them and also has student mode that disables all apps not whitelisted. samsung one touch has a maintenance mode that disables all your personal apps and creates a new account with only access to stock apps and none of your personal data which is isolated, and removed when you enter your password and restore your normal account, designed to be used when y
        • ... wants your bank passwords ...

          Like Google Wallet, this didn't involve the bank directly. Also, Google Wallet doesn't have a password: Once the phone is unlocked, anyone can charge a sale to the stored credit card. Security, if it exists, depends on the phone PIN, so once you kindly hand-over that, because anti-theft steps are inconvenient when you want someone to use your phone, they have unlimited access to the wallet.

          • You have google wallet configured wrong then. I have to re-enter my pin to use it. unlock phone with pin, flip open google wallet, tap, enter pin again, tap again. Always confuses the cashier, when nothing happens after the first tap & I start fucking around on my phone. Then the second tap and approval. I have to tell them it's me not them sometimes, so they don't prematurely terminate the transaction.
            • ... configured wrong then.

              I looked in 'Google Settings : Wallet Settings : (Security) Verification Settings' and nope, I can put a PIN on my other cards but not my credit card.
              An online search reveals this advice.

              ... require screen lock verification. After the verification times out ...

              I think it means, if I've just unlocked the phone, the PIN might not be required a second time.

              ... is as high as €50 [$52 USD] or $100 AUD [$63 USD] ...

              Most of my transactions are below this threshold, hence the lack of verification.

              • It's not the same for everyone. I think it's in the agreement between the bank google, each of my cards behave differently. my cashapp card requires a pin for every transaction. My American Express requires fingerprint verification for all transactions. My american express is from my bank, it's not the american express from the american expresses bank (capitol one) or the direct american express handled directly by american express without banks.
        • I just tested coinbase again on my phone. I had to enter my pin to open the app, switched to my authenticator to get the code, enter the pin to get into the authenticator, then enter my pin again just to switch back to coinbase so I can enter the authenticator code, then enter the authenticator code. then click a link sent to my e-mail if my IP has changed AND enter my pin again to switch back to coinbase again since I was just in the email client, then if I switch apps again for any reason, I have to enter
        • by mjwx ( 966435 )

          I don't know how it works in USA but any bank account in Europe wants your bank passwords for everything and often some sort of auth external to the phone to move money, like a coordinates card or some sort of pass that you need to give positions of. No one with my unlocked phone would be able to transfer money.

          Sadly over here bank security is only marginally better.

          https://www.bbc.co.uk/news/articles/cy8y70pvz92o [bbc.co.uk]

          It's pretty easy to make your bank app insecure. One of the reasons I don't like using them. Banks would still rather absorb the cost of fraud than do anything that might make people use their products less. Having to just write off £21,000 is cheaper than a fraction of a percent of people not using their cards, apps, loans, et al. because it's slightly more difficult to access.

          Banks won't

      • Very different. If you hand me your phone I likely can't do shit with your banking app without getting your fingerprint or password as well. These cryptobro made apps just have rubbish security.

        • or people are lazy idiots and disable the security so they don't have to keep reauthenticating.
          • Which points me back to shitty apps, I *can't* disable the security on my banking app. It's simply not an option. Why do crypto apps allow this?

          • I worked on an app that was quite sensitive.

            1. It refused to work on an iPhone without password set.
            2. It refused to work on an iPhone with any kind of jailbreak noticed.
            3. It required you to set up a separate passcode. No access without that passcode.

            Alternatively, you could access it with the app itself asking for fingerprint / faceid. Fingerprint / faceid could only be changed by entering the passcode.
      • It's no different than people having all their banking information on their phone. Lose your phone, lose your money.

        Well, no. My banking information is on my phone. Doesn't mean you can get into it. That's what passcodes are there for.

    • This isn't about a phone being linked, it's about fucking stupid security policies. My bank is linked with my phone as well, that doesn't mean anyone can do shit with the app when I hand my phone to them (even if it is unlocked).

      • My bank is linked with my phone as well, that doesn't mean anyone can do shit with the app when I hand my phone to them (even if it is unlocked).

        Is your bank one of them that will not send an SMS password reset or get into just by that method alone?

  • Inside job. (Score:4, Interesting)

    by Petersko ( 564140 ) on Sunday December 15, 2024 @07:51AM (#65014605)

    Too many things have to be known for this to work. If this is indeed how it went down, the likely conspirator should be blindingly obvious.

    • As a follow up to my own post (bad form, I know), it could be an extremely sophisticated plot... or it could be one of a group of bros who all got into crypto at the same time. They all use the same platform, use the same apps, and were out as buddies, so they knew who called the uber. Look in the seat next to the caller... or at the caller. No better cover than appearing to be a victim.

      This is Penn and Teller making the submarine vanish. It's not complicated unless you choose to make it so.

      • ..it could be one of a group of bros who all got into crypto at the same time.

        Whatever happened to Bros before Coinbro, oh wait. Well, shit.

        Look in the seat next to the caller... or at the caller.

        * Glances at wallet nickname labeled “Juicy Smooyay” *

        SON of a..

      • He would have had to do a fair bit of research to identify his targets because there's no sense in trying to randomly pull this on someone who doesn't have crypto. I'm assuming that he used social media to identify his targets based on posts they made and being able to identify them as an actual person instead of some anonymous poster. If there was a co-conspirator I'd put money on whoever was supposed to pick the targets up, though it's certainly reasonable to assume that people waiting outside of a hotel
  • I guess... (Score:5, Insightful)

    by nospam007 ( 722110 ) * on Sunday December 15, 2024 @08:14AM (#65014635)

    ...cellphones need a guest mode.

    • Or maybe crypto apps should do basic security such as ask for a pin / fingerprint when transferring money, like Banking apps have done for 20 years now.

      • Re:I guess... (Score:5, Interesting)

        by Locutus ( 9039 ) on Sunday December 15, 2024 @12:44PM (#65015013)
        nah, this is just a one in a million fluke and therefore it'll be perfectly fine to switch the US government to crypto.
        What could possibly go wrong when people like Trump and Musk are behind the curtain?

        LoB
    • ...cellphones need a guest mode.

      Android allows you to (a) pin an app so it's the only thing that can be used, and unpinning it requires you to unlock the phone; and (b) you can create multiple profiles (de-coupled from the main user info), so one could be for a guest. Android on a tablet also allows you to specify/restrict the apps in those other profiles, which I'd like for phones. I don't know about iOS, but imagine they may offer similar things.

    • by mjwx ( 966435 )

      ...cellphones need a guest mode.

      Or maybe... just maybe people shouldn't be giving their phones to people they don't know.

      Just a thought.

      Next week we'll cover the importance of not accepting candy from strangers.

      The advanced series on "there are no puppies in that van" starts next month.

      I suspect at least some /.ers might be security minded... as a thought experiment how much damage could someone do to you if they gained access to your phone without your knowledge for just 4 hours? I suspect for most people, especially not the

  • by clovis ( 4684 ) on Sunday December 15, 2024 @11:06AM (#65014847)

    "The department says the thefts totaled more than $300,000, although court documents say it was around $223,000."

    He stole $300,000, and they set bail at $200,000?
    I bet he's already gone.

  • Not news at all. If your phone is in use as a security device, do not frigging hand it to somebody else!

  • This is exactly why I use a hardware app like Trezor or Ledger, with the BIP-39 recovery code saved off. In fact, I reset the device, generate the recovery code, reset the device again, restore from that code, to make 100% sure it is recoverable from my backups. If one wanted to be more secure, do a share split like 2 of 3 or 4 of 5, store the recovery codes in separate locations. This way, the PIN is entered only on the hardware device, and the transaction is approved on the hardware device.

    With Bitcoi

  • If they got your fare in the first place their comms work and any driver (or anyone else unless living in abject poverty in which case they don't have a car) with fewer than two chromosomes has a backup phone ready to use because time is money.

  • Um, I don’t think so. He identified a few wealthy people through internet research, parked in front of a hotel, shouted their names, posed as an uber driver, and then social-engineered them into handing their unlocked cellphones over. So far, not bad but nothing too sophisticated. Then, he MOVED THEIR CRYPTO INTO HIS OWN ACCOUNT, leaving a mile-wide trail of his actions. The only thing that could have gotten him caught faster would be if he had driven straight to the police station and confessed.

    I
    • by cstacy ( 534252 )

      Then, he MOVED THEIR CRYPTO INTO HIS OWN ACCOUNT, leaving a mile-wide trail of his actions. The only thing that could have gotten him caught faster would be if he had driven straight to the police station and confessed.

      The victims probably did not know the transfer happened until sometime later. Would they even know it was done from their phone? I didn't see anything in the article about Coinbase, but anyway that doesn't mean the destination account was on Coinbase. Presumably his "crypto account" is an anonymous wallet, and the coins were presumably from the destination wallet instantly mixed and dispersed into a difficult-to-trace trail. Which ends in some offshore money laundering cash-out broker.

      There are too many

      • by cstacy ( 534252 )

        I take it back: One of the linked articles DOES have a lot of the answers. Yes, he just did a Coinbase transfer into an identifiable account. Interesting mismatch in the intelligence impedance there, after social engineering that whole thing. Also, after he took their phones, they got nervous and wanted them back. At which point he threatened them with a gun.

        So they probably DID know something bad was going on. Cuz, you know, normally Uber drivers do not threaten you with a gun when you ask for your phone

  • by Slashythenkilly ( 7027842 ) on Sunday December 15, 2024 @04:54PM (#65015455)
    When you literally hand a criminal your money, what do you think is going to happen? Seems pretty clear this guy scoped out his victims pretty well by listening in on their conversation and plans. It's not complicated, just short-sighted, seeing as how they knew exactly who did it. All of it could have been thwarted with "no, I'm not handing you my phone"
  • by linuxguy ( 98493 ) on Sunday December 15, 2024 @06:47PM (#65015645) Homepage

    I don't have Coinbase or any crypto. I do have the Fidelity app on my phone. When I need to open it, it always asks me to login, even if my phone is unlocked. And if I want to transfer any funds, it asks for me to login yet again to confirm. I assumed that all apps that can transfer money do something like this at minimum. Maybe not?
