The Chinese hackers made $3000 by hacking into shared bike accounts

On September 25^th, the Shenzhen City Procuratorate arrested two suspects—Yang and Wu—on the suspicion of using third-party software to modify personal accounts on shared bicycles and over 20,000 RMB (around $3000)  from 34 different users.

It is noticed that shared bicycle companies always launched a variety of promotions and gave out red pockets to users. And because of this, many are unaware of how much money they have remaining in their accounts. This indirectly provides a chance for criminals to steal money.

As we all know, a deposit must first be paid before using a shared bicycle. Most people link their Alipay accounts to their bank accounts via their banking cards and pay from the app. After using a shared bike, the app will automatically deduct the appropriate charges from either your bank account or from Alipay depending on your preference.

Some companies even have promotions where additional credit could be added to personal accounts. For example, bike users may “adopt” one or a few shared bikes and then receive additional credit from others riding these so-called “adopted bikes”.

According to the official WeChat page of the Shenzhen procuratorate, suspects Yang and Wu met online. After learning of the possibility of extracting user information via third-party programs, Yang informed Wu of the possibility of transferring money from other accounts to their own.

Since Wu was more well-versed in computer programming, he further discovered that aside from being able to get a full return on the deposit, the additional credit made from the “adopted bikes” were also transferable to his own account. He immediately informed Yang about this upon discovery.

After extensive planning, the two suspects plotted to illegally access various personal accounts of shared bikes through disposable computers and cellphones in just two days. The two were able to loot over 20,000 RMB from 34 different accounts altogether.

Some users noticed their empty accounts immediately and reported back to the shared bicycle companies. The procuratorate expressed that after the theft, the bicycle companies immediately froze their systems and went under maintenance.

The company engineers noticed the loophole in their system where if users don’t link their shared bike accounts to their WeChat accounts, a potential chance for illegal access can be made possible. The company itself may edit the personal information of users, which indirectly provides a chance for their systems to be hacked and information to be changed by outsiders.

Currently, the company has compensated for the loss to their users. On September 25^th, the Shenzhen procuratorate arrested Yang and Wu on the charges of theft.

This article originally appeared in Leiphone and was translated by Pandaily.

Click here to read the original Chinese article.