Car2Go’s service launched in Austin in 2010, and the capital remains its only Texas market. Owned by Daimler—but with its North American headquarters in Austin— the company rents cars by the minute. Its customers use an app to locate, reserve, and unlock one of Car2Go’s local fleet in any of 25 cities worldwide. Then they just hop into a Mercedes (or Smart car, in some places), pull the keys from the glove compartment, and go.
The system is elegant and convenient and, as the company learned in Chicago this week, not entirely secure. More than 100 of the company’s 400 cars in the Windy City were stolen—using the company’s own mobile app. It’s unclear exactly how the heist was accomplished. Early reports described the incident as a hacking, which led Car2Go to clarify that the cars were stolen through fraud rather than by exploiting the app’s code. The scam appears to have involved forged or stolen driver’s licenses—the company requires users to provide identification—as well as counterfeit credit cards.
Clarification: We were not hacked. This is an instance of fraud, isolated to Chicago, and we are currently working with law enforcement. None of our member’s personal or confidential information has been compromised. No other SHARE NOW North American market has been affected.— car2go joins SHARE NOW (@car2go) April 17, 2019
Whatever the crooks’ MO, Chicago police have recovered all the vehicles. The local CBS affiliate reported that 21 arrests had been made, with all but one of the suspects charged with misdemeanor trespassing of a vehicle. The only person charged with felonies is a 19-year-old accused of counterfeiting credit or debit cards and stealing the identity of a victim older than 60.
While the Car2Go theft isn’t the kind of hacking that we saw in The Fate of the Furious, the fact that the app was fooled by deceptive documentation highlights a different vulnerability of app-based systems. A teenager attempting to obtain a car by using the identity of a senior citizen is the sort of thing that a worker at a traditional car rental counter would sniff out in a matter of seconds. Uber and Lyft have experienced similar fraud, with drivers selling accounts created with stolen information to people who wouldn’t pass the company’s background check process. Money transfer service Zelle has been plagued by scams since its inception.
The Car2Go theft ring in Chicago was foiled quickly. Regardless, the fact that a creative teenager can steal a hundred rental cars in a day tells us that our brave new app-based world has some insecurities we need to contend with.