I’m on vacation in California (from Australia). I’ve spent close to $300 on Uber so far and $0 on Lyft, so I wanted to try it out. After redeeming a first ride coupon, I lined up a great time to try it out. Here is the story of how I lost my first ride.
Upon attempting to try and order a ride, I realised (only after a user clicks through to book a ride) that the app requires a user to add a US contact number to their profile before they can book a ride. It was unfortunate I had to find that out just as I was trying to get somewhere. So I googled the format of US phone numbers and threw a fake number in there. But the app sends a validation message, so I was not able to validate using this method. As such, I tried setting up Google Voice to get a US number to use for validation, but discovered that even Google requires a US number before you can use their Voice service.
I was out of luck and the processes involved to actually contact Lyft can be slow (and they want to prevent this, by attempting to limit user messages via FAQs and automation). But even if you navigate through to a contact form, even that requires a US number to submit. And even if I fake my way through that, they could take days to reply.
I googled some more and decided to use a random service online that provides US numbers and a simple public webpage that displays all the text messages sent to these numbers. I used this to get the validation code and activate my account. Great. I was planning to try it out the following morning.
I ended up getting an email during the night, which was a ride receipt thanking me for riding with Lyft and documenting my ride. My first ride coupon was used and it would have charged my credit card if I didn’t have that coupon or if the amount surpassed the value of it.
I now have an educated suspicion that instead of logging in via Facebook, someone logged into Lyft using the same publicly available number I had found online. They would have had to validate the login [I assume] via text message, which was easy since they could also see the webpage I had used. They then were able to access my account and see the last 4 numbers of my credit card, my Facebook profile pic and my email address. They then immediately took advantage of this and ordered a ride within locations in Colorado.
Upon seeing this the following morning, I tried to cancel my account but this is not possible without contacting support. I tried to remove my credit card but this is not possible. I proceeded to change my number to a blatantly fake number in the app (after you have validated a first number, the Lyft app does not require validation for subsequent numbers). This would hopefully prevent the user from logging into my account again.
In summary, I understand that my own actions caused what happened and that I used the app in a way not intended for users. Still, it was an uncomfortable feeling to find out users could log in via a phone number and that I couldn’t cancel my account, remove my credit card or contact support in an urgent scenario. If the malicious user had decided to change the email address on the account, I can imagine that they could lock me out and then proceed to charge many unrestricted rides to my credit card. I was also so surprised by how quickly this happened (only hours after).
So, I don’t know why Lyft even has the requirement of a US number for accounts. I have used Uber many, many times here and never had a problem locating a driver without the use of a phone.