I recently received a suspicious text message with an "Uber code," though I wasn't using the ride-hailing app. Terrified that someone was trying to hack into my Uber account, I opened the app to remove my credit card information. But Uber wouldn't let me.
Uber requires users to maintain at least one payment method in its app. "Deleting your only active payment method is not allowed," a prompt read when I tried to remove the last of two credit cards. I continued to freak out, imagining a fraudster wreaking havoc with my credit card.
I sought answers on Uber's help page. Under "I think my account has been hacked," the company recommended resetting the password. OK, but what I really wanted to do was remove my credit card!
An Uber spokesperson said in an email, "We require a payment method on file in the event of failed charges due to a number of scenarios such as bank declines, insufficient funds, or fraud scams." This is a measure the company put in place to ensure payment and "prevent fraud or failed charges" by users. Unlike e-commerce platforms where the site has time to complete the transaction before products are shipped, "when you request a ride, a driver shows up within minutes and the trip ends before your final fare is calculated and fully processed, including any tips added post-trip."
Uber's security team looked into my case and confirmed that yes, someone else was trying to log in to my account. The text I got was part of its two-factor authentication protection, and it prevented the hacker from accessing my account.
A spokesperson said in a statement, "The reason you received a [two-factor authentication] text message was because we detected someone trying to login to your account from a new device."
But Uber still wouldn't let me remove my credit card information.
In other words: if I wanted to keep an Uber account, I had no choice but to link it to a credit card number. Otherwise, I could delete my account. If you use Apple Pay and link it to your Uber account, you do have the option of deleting your credit cards — but then you can't unlink Apple Pay.
The spokesperson said the credit card number "is both encrypted and hidden so all that's visible are the last four digits and expiration date. This is to prevent someone from stealing your credit card number even if they're able to gain access to your Uber account."
"All that said, it's our policy to refund riders for any unauthorized charges on their account, so they're not on the hook for trips they didn't take," Uber's statement said.
Realizing my card is also stored on a bunch of other apps, I checked on a few of those to see if my information was being held elsewhere.
Lyft wouldn't allow me to delete all my credit cards from within the app either. But the company says that if your account is hacked, customer support can help you remove all your card information. A Lyft spokesperson referred us to the company's terms of service, which said, "you can review and edit certain account information."
However, I was able to take all payment info off my other ride-hailing apps, including Curb and Juno.
I was also able to remove it from my Apple ID, Amazon, Starbucks, and Dunkin' Donuts accounts, which was nice and reassuring.
Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, told BuzzFeed News, "Given the threats, it would be really helpful for companies to allow you to remove your credit card."
Last year's massive Equifax breach (almost 148 million people), along with past breaches at Yahoo (more than 1 billion accounts) and LinkedIn (more than 100 million accounts), has made it clear that no one online is truly safe from identity theft.
Uber itself was hacked in 2016, compromising the information of 57 million accounts, including users’ names, email addresses, and phone numbers, as well as the names and driver's license numbers of drivers — and then the company paid hackers $100,000 to conceal the hack from the public.
Other people have also wondered why they can't seem to remove their credit card from Uber and Lyft.
And despite Uber's efforts to protect customers with encryption, even that isn't totally safe. Gary Davis, McAfee's chief consumer security evangelist, told BuzzFeed News, “While encryption is an important tool, it alone does not guarantee that a credit card can’t be compromised. ... At the end of the day, the surest way to make certain that a credit card will not be compromised is to not store it within the app.”
I felt that, by denying me the ability to remove all my payment information, Uber and Lyft were asking me to give them control of my credit card in order to remain a customer.
Despite assurances from Uber that I wouldn't be responsible for unauthorized charges and that my credit card information was safe by encryption, I still wanted my payment information off the app — it's my credit card after all, and I want the choice to remove and reenter it from the app at my will, without having to delete my account.
And security experts agree that giving people the option to easily do this would be the safest thing for Uber and Lyft to do. "Limiting the number of places where this information is stored is a good basic security practice to follow," said Simon Migliano, head of research and operations at the online privacy site Top10VPN.