An anonymous student studying applied mathematics and computer science at a university in Pretoria, South Africa, has raised serious concerns about a prevalent Uber Eats scam they observed between November 2024 and February 2025. The student wishes to remain anonymous and does not want to disclose the specific university.
The scam involves exploiting vulnerabilities in the Uber Eats platform to make unauthorized purchases using other people’s credit or debit card details. The student recounts multiple incidents where individuals, including a residence mate and strangers on campus, asked to use their phone or Uber Eats account to place Police say these actions may constitute a crime, and the student emphasizes the importance of raising awareness to prompt action from banks and Uber Eats.
How the Scam Works:
Scammers log into a legitimate Uber Eats account and attempt to add a card by entering the first 12 digits of a card number, which are often identical for cards issued by the same bank with the same expiry date (e.g., 2029 or 2030).
They guess the last four digits by systematically trying combinations (e.g., changing the final digit from 0 to 9).
For the CVV (three-digit code on the back of the card), they input “000,” claiming these are masked zeros.
Once a valid card is added, purchases can be made without bank authorization, exploiting a security flaw.
The student notes that orders placed through this method may not appear in the account’s order history, yet the food is delivered, indicating fraudulent activity. Concerned about being complicit in a crime, the student deleted their account and urges others to test this vulnerability by attempting to add cards with guessed digits to verify the issue.
Call to Action:
The student challenges the X community to share this information widely to raise awareness and pressure banks to implement stronger security measures, such as requiring user authentication (e.g., a password or security code) within banking apps for all purchases. They also call for Uber Eats to verify card ownership before allowing transactions.
Security Concerns:
As a mathematics and computer science student, the individual questions why banks have not addressed this vulnerability, suggesting an algorithm to prompt user confirmation for purchases. The scam highlights significant security risks for bank customers and the need for systemic changes to protect cardholders.
Note: The student’s claims about the scam’s mechanics, particularly the ability to guess card numbers and use “000” as a CVV, align with some known vulnerabilities in payment systems but may oversimplify the complexity of such exploits. Banks and payment platforms typically have fraud detection systems, but the reported success of these scams suggests potential gaps in real-time authorization or verification processes. Users are advised to monitor their accounts, enable two-factor authentication, and report suspicious activity to Uber Eats and their banks immediately.
This issue was observed at an unnamed university in Pretoria, and the student seeks to protect their identity while urging action to address this critical security flaw.