An error that caused a Philadelphia woman to be charged more than $28,000 through Uber's app should not happen again, the ride-hailing app company said Wednesday.
The problem, the company said, is not an isolated incident and stems from a feature on Uber's app that typically adds convenience.
If a user starts typing a pickup point or a destination into the app, the system will provide a list of addresses that seem close to where a rider may want to go.
The problem occurs when a person types an address that exists in many places. Try typing "300 Market" into the app, for example. You'll see Philadelphia's Market Street first, but you'll also get the option to go to Gloucester City, Camden, or Saddle Brook, N.J., or as far as Chapel Hill, N.C.
On rare occasions, said Melanie Ensign, of Uber's security communications, a user will accidentally select one of the distant destinations. Then an automatic authorization hold for the full cost of that ride gets charged to the person's account.
The hold confirms payment method and is eventually wiped out when the Philadelphian's trip to Chapel Hill is inevitably canceled, but for a period of time the cost of that ride - $525.02 from Center City, in case you're wondering - will show up on the user's account.
That's what happened to the Philadelphia woman whose bank flagged a $28,639.14 transaction from Uber earlier this month, Ensign said.
The woman involved, who has declined to be identified, insists that she did not enter an incorrect address and remains skeptical of Uber's explanation.
Although the transaction would eventually have been erased even if the bank had not stopped it, unexpected charges of that size can cause a big inconvenience. Uber engineers made changes, Ensign said Wednesday, so its system would now reject "high-volume authorization holds." For security reasons, Ensign would not say what amount the system would consider exorbitant and flag as an erroneous ride request.
The unexpected and massive charge seen by the Philadelphia woman raised the question of whether the account had been hacked. That is not unheard of for Uber.
Like many app-based businesses, Uber has had incidents of hackers getting into users' accounts. Cyber-security experts advise that people use a different password for each online account. Using the same log-in information for all accounts could give a hacker who cracked one app, such as Netflix, the key to get into Uber, PayPal, Gmail, or even bank accounts.
If an Uber account is hacked, though, Ensign said, the worst the intruder could do is take rides on the person's account.
Users' payment information is not saved in Uber's computer systems, she said. Every time a person orders a ride, an encrypted message is sent to Uber's system with a person's payment data. That encrypted code is different with every ride request, so even if a hacker got one, it would be of no use.
Meanwhile, users themselves cannot see their full credit card numbers within the app, so getting access to a person's account would not make financial information vulnerable.
"We have to look at what we have that's valuable that other people could try to steal," Ensign said. "If we don't have that information to begin with, it shrinks the attack surface."
Uber's system does sound like a good protection for financial data, said Adam Levin, a cyber-security expert and former head of New Jersey's Division of Consumer Affairs, but that isn't the only information that can be gained when a person's account is hacked.
"An equally important question is how secure is any other information [of a sensitive personal nature] gathered and stored in connection with the Uber experience," Levin wrote in an emailed statement, "such as email addresses, passwords, phone numbers, location data and the like."
Uber, though, said it has other procedures that are designed to protect personal information.
"We have hundreds of security and privacy experts working on these challenges," Ensign said. "It's not something we take lightly."