A Fake Uber Driver Borrowed Phones, Then Stole $200K in Cryptocurrency, Police Say (gizmodo.com) 34
"A man is accused of several felony charges after he allegedly posed as an Uber driver and then stole hundreds of thousands of dollars in cryptocurrency from customers in Scottsdale," reports Arizona news channel Fox 10.
"Prosecutors have called it an 'extremely sophisticated electronic fraud,'" reports Gizmodo, "and it's a strange approach to scamming that makes it sound unique in several ways." Nuruhussein Hussein, 40, allegedly picked up two unsuspecting people who were looking for Uber rides they'd ordered in Scottsdale — one in March and the other in October according to Fox 10 — by shouting their names on the street outside a hotel. It's not clear how Hussein may have known these people were looking for rides and court documents give no indication how he accomplished this or knew the victims would have crypto accounts, according to Fox 10, though a hotel does make sense as a target-rich environment for those looking to get picked up.
Once the victims were in the car, Hussein allegedly obtained the phones of the victims through some kind of pretense, including problems with his own phone and the need to look something up as well as a need to connect with the Uber app, according to NBC News. Hussein would then allegedly open up the victim's Coinbase account. "While manipulating the unsuspecting victim's phone the suspect transferred cryptocurrency from their digital wallet to his digital wallet," police reportedly explained in a statement.
Carrying suitcase full of cash (Score:2)
Re: (Score:2)
It's no different than people having all their banking information on their phone. Lose your phone, lose your money.
Re: Carrying suitcase full of cash (Score:4, Interesting)
Re: (Score:2)
I don't know how it works in USA but any bank account in Europe wants your bank passwords for everything and often some sort of auth external to the phone to move money, like a coordinates card or some sort of pass that you need to give positions of. No one with my unlocked phone would be able to transfer money.
Which begs the question; how the fuck do you even write a wallet app that doesn’t have secondary security above and beyond the damn device it’s on?
I remember when thieves couldn’t do jack shit with my ATM card without a PIN. That’s decades old security.
Re: (Score:1)
I remember when the ATM cards recorded the PIN on the magstripe. That's decades old security!
Re: (Score:2)
My question is along those lines. Were these crypto apps really totally unprotected once the phone was open? Or did he have to do something at least moderately clever, analogous to making a card skimmer out of the magnetic head from an 8-track deck?
Re: (Score:2)
He might have just failed to rob a bunch of people, unless they kept their password on their phone.
Re: (Score:2)
Terrible ... but still good enough to thwart the overwhelming majority of thieves and opportunists.
Just because it's not perfect doesn't mean it's worthless.
Re: (Score:2)
Re: (Score:3)
No one with my unlocked phone would be able to transfer money.
But I SHOULD be able to lend my phone to someone to use just as a phone, without giving them access to anything else on it. There could be a separate entry code which allows only the phone function to work, and there could even be a specified expiry time.
AFAIK there are no phone operating systems that allow this.
Re: (Score:3)
But I SHOULD be able to lend my phone to someone to use just as a phone, ...
Android allows you to pin an app so it's the only thing that can be used. Unpinning requires you to unlock the phone. So you could pin the phone app...
Re: (Score:3)
Very different. If you hand me your phone I likely can't do shit with your banking app without getting your fingerprint or password as well. These cryptobro made apps just have rubbish security.
Re: (Score:2)
This isn't about a phone being linked, it's about fucking stupid security policies. My bank is linked with my phone as well, that doesn't mean anyone can do shit with the app when I hand my phone to them (even if it is unlocked).
Re: (Score:1)
My bank is linked with my phone as well, that doesn't mean anyone can do shit with the app when I hand my phone to them (even if it is unlocked).
Is your bank one of them that will not send an SMS password reset or get into just by that method alone?
Inside job. (Score:4, Interesting)
Too many things have to be known for this to work. If this is indeed how it went down, the likely conspirator should be blindingly obvious.
Re: (Score:2)
As a follow up to my own post (bad form, I know), it could be an extremely sophisticated plot... or it could be one of a group of bros who all got into crypto at the same time. They all use the same platform, use the same apps, and were out as buddies, so they knew who called the uber. Look in the seat next to the caller... or at the caller. No better cover than appearing to be a victim.
This is Penn and Teller making the submarine vanish. It's not complicated unless you choose to make it so.
Re: (Score:2)
..it could be one of a group of bros who all got into crypto at the same time.
Whatever happened to Bros before Coinbro, oh wait. Well, shit.
Look in the seat next to the caller... or at the caller.
* Glances at wallet nickname labeled “Juicy Smooyay” *
SON of a..
Re: (Score:3)
I guess... (Score:5, Insightful)
...cellphones need a guest mode.
Re: (Score:3)
Or maybe crypto apps should do basic security such as ask for a pin / fingerprint when transferring money, like Banking apps have done for 20 years now.
Re:I guess... (Score:5, Interesting)
What could possibly go wrong when people like Trump and Musk are behind the curtain?
LoB
Re: (Score:2)
...cellphones need a guest mode.
Android allows you to (a) pin an app so it's the only thing that can be used, and unpinning it requires you to unlock the phone; and (b) you can create multiple profiles (de-coupled from the main user info), so one could be for a guest. Android on a tablet also allows you to specify/restrict the apps in those other profiles, which I'd like for phones. I don't know about iOS, but imagine they may offer similar things.
Wanna bet he hasn't fled? (Score:3)
"The department says the thefts totaled more than $300,000, although court documents say it was around $223,000."
He stole $300,000, and they set bail at $200,000?
I bet he's already gone.
Idiots get robbed (Score:2)
Not news at all. If your phone is in use as a security device, do not frigging hand it to somebody else!
This is exactly why I use a non-custodial app... (Score:2)
This is exactly why I use a hardware app like Trezor or Ledger, with the BIP-39 recovery code saved off. In fact, I reset the device, generate the recovery code, reset the device again, restore from that code, to make 100% sure it is recoverable from my backups. If one wanted to be more secure, do a share split like 2 of 3 or 4 of 5, store the recovery codes in separate locations. This way, the PIN is entered only on the hardware device, and the transaction is approved on the hardware device.
With Bitcoi
Don't lend phones to unknowns. (Score:2)
If they got your fare in the first place their comms work and any driver (or anyone else unless living in abject poverty in which case they don't have a car) with fewer than two chromosomes has a backup phone ready to use because time is money.
Sophisticated? (Score:2)
I
Re: (Score:2)
Then, he MOVED THEIR CRYPTO INTO HIS OWN ACCOUNT, leaving a mile-wide trail of his actions. The only thing that could have gotten him caught faster would be if he had driven straight to the police station and confessed.
The victims probably did not know the transfer happened until sometime later. Would they even know it was done from their phone? I didn't see anything in the article about Coinbase, but anyway that doesn't mean the destination account was on Coinbase. Presumably his "crypto account" is an anonymous wallet, and the coins were presumably from the destination wallet instantly mixed and dispersed into a difficult-to-trace trail. Which ends in some offshore money laundering cash-out broker.
There are too many
Re: (Score:2)
I take it back: One of the linked articles DOES have a lot of the answers. Yes, he just did a Coinbase transfer into an identifiable account. Interesting mismatch in the intelligence impedance there, after social engineering the whole thing. Also, after he took their phones, they got nervous and wanted them back. At which point he threatened them with a gun.
So they probably DID know something bad was going on. Cuz, you know, normally Uber drivers do not threaten you with a gun when you ask for your phone
Who is to blame ? (Score:2)
Transfers should require additional auth? (Score:2)
I don't have Coinbase or any crypto. I do have the Fidelity app on my phone. When I need to open it, it always asks me to login, even if my phone is unlocked. And if I want to transfer any funds, it asks for me to login yet again to confirm. I assumed that all apps that can transfer money do something like this at minimum. Maybe not?