Giving up an old cell phone number for a new one may seem harmless. But for Lyft customers, it can potentially expose their accounts to complete strangers.
That’s what happened to Lara Miller, a media relations specialist living in California. Earlier this month, she discovered two credit card charges made in Las Vegas, over 400 miles away.
“I thought it was legit fraud on my debit card,” Miller said.
But in reality, another woman had accidentally taken over her old Lyft account. It happened because the phone company had recycled the cell phone number Miller had canceled back in April—opening the door to the hack.
The problem involves Lyft’s login process. The ride-hailing app does away with the hassle of usernames and passwords, and instead signs up customers with their smartphone’s cell number.
That phone number, however, can remain tied to the account, even if it changes subscribers. Miller eventually realized this and called Elysia, the woman who now owns her old cell phone number.
Elysia declined to have her last name published. But she too also realized that something was off with the Lyft account she thought was hers.
“I got this new number around the fourth of July,” Elysia said. “So I was already getting so many text messages meant for her (Miller) from old friends. From Airbnb.”
When Elysia signed up for Lyft, she also saw that a pre-existing payment card had been stored into the account. “The app wouldn’t let me change the profile,” she said. “There was no way to make a new account. They didn’t have the option there.”
Elysia tried to substitute her own credit card on the account. However, when she was in Las Vegas, she took two rides with Lyft, both of which still charged Miller’s payment card.
Miller and Elysia said they find the whole case disturbing. “Now I hope no one is using my old Lyft account from my old phone number,” Elysia said.
However, Lyft said problems like this are rare. The company relies on a “variety of signals” including third-party sources, the Lyft account and the device to verify the user’s identity.
“In cases where it appears the user may not be the same, we ask them to verify their identity or to create a new account,” Lyft said. “In rare cases this process doesn’t work as intended, and we use those learnings to improve our algorithms going forward.”
Nevertheless, other publications have also reported on the problem. Users on Hacker News have also complained.
“So there’s a creepy guy taking Lyft rides in San Francisco with my account,” wrote one user over a year ago. “The best part is that I can’t remove the credit card from that account because I no longer have that phone number.”
Lyft, however, has said that users can cancel accounts by contacting its customer support.
To prevent the problem, companies should offer customers stronger forms of two-factor authentication, and not merely rely on a phone number to confirm a user’s identity, said Edward Amoroso, former chief security officer of AT&T and CEO of security consultancy TAG Cyber. .
“Unfortunately, however, the industry will probably not shift to improved validation methods unless users decide that they will no longer accept this kind of risk,” he said.
Miller is concerned the ride-hailing app hasn't done more to fix this problem. Lyft offered an apology, and claims it refunded the charges from her bank account last week. Miller said she finally received the refund Tuesday.
“I’m just annoyed and I want more people to know about this,” she said. “I think it’s a pretty big flaw in their security.”
Although Lyft has suspended Miller’s old account, that’s left Elysia with no access to the ride-hailing service.
“Now I can’t even log on to Lyft,” Elysia said.
Editor's note: The third-to-last paragraph has been updated to reflect Miller receiving the refund.