/home/roman/stdout

Phone # authentication done wrong

Sep 28, 2017

It’s pretty typical for telecom providers to reuse abandoned phone numbers. It’s also typical to use a phone number as an authentication method (usually combined with just an SMS or call verification). Notice the issue?

One of the local car hire services does exactly that. They ask for your phone number and then you get a message with the code to verify that the phone number is yours. After that’s done, it loads all the previous rides and favourite routes. This info is not necessarily yours though… It could be from another person who happened to use the same phone number with the same app before. That’s what happened to me the first time I used that app.

Imagine my surprise when I saw a list of rides that I’ve never done and a list of favourite routes that weren’t created by me. Since all this info showed up after I attached a phone number to the app, my conclusion is that the two are connected. Again, I just had to prove that the phone number is currently mine.

[Screenshots: rides list, details of a specific ride, favourite routes]

While for some people trip history and favourite routes (with custom labels) might not be the most private info, I imagine most wouldn’t want to share this with strangers. Even the car hire service lists this information in their “confidentiality policy”.

I’m not quite sure what’s a good way to handle this problem without having a separate username and password combination. Perhaps resetting user data when a new phone is connected would be enough to make sure that people’s private data stays private.
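One way to apply the reset idea above, shown as an added example rather than anything from the service in the post: the vulnerable lookup hands over whatever history hangs off the number, the hardened one re-attaches it only when the verifying device matches or the number was used recently. The device id, the 90-day idle window and the sample profile are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy: a number idle for longer than this is treated as possibly recycled.
RECYCLE_WINDOW = timedelta(days=90)
NOW = datetime(2017, 9, 28)  # constructed "current time" for the demo


@dataclass
class Profile:
    phone: str
    device_id: str        # device that last passed SMS verification for this number
    last_seen: datetime
    rides: list = field(default_factory=list)
    favourites: list = field(default_factory=list)


def fresh_store():
    """Constructed sample data: a profile left behind by the number's previous owner."""
    old = Profile("+10005550100", "device-old", datetime(2017, 3, 1),
                  rides=["Home -> Office"], favourites=["Office"])
    return {old.phone: old}


def login_vulnerable(store, phone, device_id, now=NOW):
    """Behaviour described in the post: the SMS code matched, so whatever history is
    attached to the number is handed over, whoever holds the number today."""
    return store.setdefault(phone, Profile(phone, device_id, now))


def login_hardened(store, phone, device_id, archive, now=NOW):
    """Same SMS check, but the existing history is only re-attached when it looks
    like the same owner: same device as before, or activity within RECYCLE_WINDOW.
    Otherwise the old profile is moved to `archive` and a fresh one is created."""
    old = store.get(phone)
    if old is None:
        store[phone] = Profile(phone, device_id, now)
        return store[phone]
    same_owner = old.device_id == device_id or (now - old.last_seen) < RECYCLE_WINDOW
    if same_owner:
        old.last_seen = now
        return old
    archive.append(old)                      # kept aside for the real owner to reclaim
    store[phone] = Profile(phone, device_id, now)
    return store[phone]


if __name__ == "__main__":
    print(login_vulnerable(fresh_store(), "+10005550100", "device-new").rides)
    print(login_hardened(fresh_store(), "+10005550100", "device-new", []).rides)
```

A real deployment would also need a way for the previous owner to reclaim the archived profile, which this sketch only models as the `archive` list.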

Worth noting that there’s also an option to attach a bank card to your account for easier payments. I don’t know if this information is also stored on their servers. Wouldn’t surprise me if it is. Fortunately, it didn’t show up for me. Looks like the previous owner paid for rides in cash.


I tried to report this issue to the company, but unfortunately, there’s no contact email for security issues. I didn’t get any response from the one that is listed on the contacts page. 🤷🏽‍♂️