The recent news about the live streaming of the unnerving passengers by an Uber/Lyft driver in the St. Louis area coupled with the Fraudulent “Extra Service” claims by the Uber Drivers in Miami area have certainly raised a concern on the Privacy and the Credit Card Frauds.
Both the cases have not raised much support from the Government or Local Authorities. More so, there is no communication heard from Uber either. Though in other countries, Uber had received notices from the local government for not aligning to the security and the privacy of the passengers, in US there is no defined guideline to that effect and neither the Law Makers nor the Law Enforcement agencies are even thinking on that side. This certainly posses a serious risk for the Customers who have to deal with the breach of Privacy and the “Legalized Fraudulent Charges” on their cards.
Though the first one would be tough to handle unless strict guidelines are issued by the Law Makers and Uber for itself draws the line for the code of conduct for the Drivers. However, in the second case, the case where Uber Drivers in Miami have been reported to use fraudulent pics and claims cleaning and other services ranging from $80 to $150, Uber must take a step to modify its process to verify the case with customer rather than simply slapping the customer with the Charge as claimed by the Uber Driver. Additionally, Uber should also look at ensuring that if the customer raises a concern on the charges, there is a fair investigation rather than simple revert of sharing the pics as updated by the Uber Driver. Until then, Uber can’t claim to be customer focused organization.
The learning from the two incidents for Security, Risk & Compliance Professionals would be –
- Ensure that adequate User awareness is captured in the Organization to help avert any uneventful situation to impact Organizations Risk and/or Compliance Posture
- Ensure that they carry out periodic reviews of the Low Hanging Risks that may otherwise expose organization to legal / financial impact
- Ensure that the Organizational Policies, Processes, Procedures and Practices take into account the latest (even if rare) situations that develop in the Industry or in the life in general. This needs to be looked at form the perspective that if someone in routine life could find a way to exploit a loophole, in Corporate cases, that would be more possible due to more skilled and trained resources taking a shot at the loopholes
- Ensure that technical measures are adequately implemented to close the probable vulnerabilities and threats that can be exploited by any malicious user
- Ensure that there is adequate Incident Reporting and Response mechanism in place along with a grievance cell that would handle any such incident as may be reported and that would ensure that there is a thorough review before a decision is effected.