Mercedes Thieves Showed Just How Vulnerable Car-Sharing Can Be
(Bloomberg Businessweek) -- April 15, a Monday, should have been sleepy this year for the Chicago team at Car2Go, a car-sharing service that automaker Daimler AG introduced more than a decade ago. Weekdays were generally slow, and Chicago’s streets were slushy the day after an unusual late-season winter storm. Who wants to deal with a rental car in the snow?
On that day, apparently, a lot of people did. There was a spike in rentals for Car2Go’s higher-end cars, Mercedes CLA sedans and GLA sport utility vehicles. And these rentals lasted much longer than Car2Go’s average 90-minute ride—in fact, many of the Benzes weren’t being returned at all. Instead, employees at Car2Go headquarters in Austin watched on a digital map as dozens of their vehicles congregated on a few blocks in West Chicago, in a neighborhood right outside the company’s coverage area.
Car2Go sent several workers to retrieve the vehicles, only to find that a group of thieves had claimed them as their own. Some blocked the vehicles in to prevent repossession; others threatened the company’s employees, according to someone with knowledge of the situation who spoke on condition of anonymity. Car2Go has the ability to remotely disable vehicles, but the confusing situation made it tough to know which ones to target in time to do much good. Previously unreported accounts of the few days that followed from people with knowledge of the thefts, along with police reports and contemporary social media posts, offer a surreal lesson in the risks of businesses built on smartphone-enabled car-sharing. “This was a unicorn incident for us as a company,” says Kendell Kelton, a Car2Go spokeswoman. “We’ve never seen this type of fraudulent activity at this scale ever, ever.”
Just as Car2Go was beginning to notice the strange traffic, ads on Facebook began pitching Chicagoans on short-term Mercedes rentals. Then came the photos and videos of joyrides, with a heavy dose of the laughing-so-hard-I’m-crying emoji. People posted messages bragging about their new Mercedes, asking where they could get one, or lamenting that they were missing out. “It was crazy. Every half-mile you’ll see a CLA or GLA Mercedes,” says a neighborhood resident who gave his name only as Justin because he was discussing a crime. “Some were totaled, some were abandoned. There were even some that were gutted out.”
After its failed attempts to recover the cars itself, Car2Go asked the Chicago Police Department for help. By midweek the company suspended service in Chicago altogether, an acknowledgment that it couldn’t figure out how to distinguish legitimate customers from the group of thieves. Kelton says about 75 cars in total were compromised. All were eventually recovered, though some only after being stripped of doors, seats, and other parts.
Although the incident was unique in the short history of smartphone-enabled car-sharing, it’s an extreme example of some familiar risks inherent to networks of shared, internet-connected vehicles. Just as putting a network of internet-connected electric scooters on a city’s sidewalks tends to lead to a bunch of scooters ending up in nearby trees and rivers, sprinkling expensive, easily accessible cars around town is a good way to get some of those cars vandalized or stolen.
Over the past decade-plus, car-sharing networks have struggled to match the explosive growth of, say, Uber Technologies Inc. or Lyft Inc. Car2Go operates in seven American cities; ReachNow, BMW’s car-sharing network, is in two. The two companies merged earlier this year, in the hopes of strengthening their operations and broadening their appeal.
The Mercedes plot took advantage of one strategy Car2Go’s management implemented to draw in new members: making it easier to sign up. For the past several years, Car2Go had subjected all its users to background checks conducted manually by humans. They take a day or two to complete, a lag that seemed onerous to customers used to the immediate gratification that other mobility services offer. “You see Uber or Lyft, or Airbnb, or all the scooters—they all have instant verification,” Kelton says.
The executive team in Europe, where rates of fraud are much lower, was eager to lower barriers to entry. So in April, Car2Go stopped conducting the manual background checks. The company says that on April 13 about 20 people who went on to orchestrate the Mercedes thefts set up some 80 phony accounts in Chicago, using fake or stolen credit cards as their payment methods. It’s unclear whether the timing was a direct response to Car2Go’s policy change or just an illustration of how often its systems were being probed for weaknesses.
There was little indication that the people who took the cars had more than joyriding in mind. According to police reports, all the pilfered cars had functioning GPS trackers and license plates that started with the letters AX, and many still had visible Car2Go stickers on them, so officers patrolling the area had little trouble spotting them. On a single day they arrested almost two dozen joyriders. Many of those protested that they had innocently rented the vehicles from people in the neighborhood without realizing anything was amiss, according to police records. The only person charged with a felony was a 19-year-old found with a pocketful of phony credit cards.
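The signals described above (days-old accounts going straight into the higher-end CLA and GLA cars, rentals running far past the 90-minute average, and dozens of vehicles congregating on a few blocks outside the coverage area) can be combined into a simple triage rule. The following is an added illustration, not Car2Go's code; the geofence bounds, the thresholds and every rental record are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

AVG_RENTAL_MIN = 90              # page: the average Car2Go ride is about 90 minutes
PREMIUM_MODELS = {"CLA", "GLA"}  # page: the higher-end Mercedes models that were taken
COVERAGE_LAT, COVERAGE_LON = (41.80, 41.95), (-87.70, -87.55)  # assumed geofence bounds
INCIDENT_NOW = datetime(2019, 4, 15, 18)  # constructed "current time" for the sample below
@dataclass
class Rental:
    account_id: str
    account_created: datetime
    model: str
    started: datetime
    lat: float  # latest GPS fix of the vehicle
    lon: float

def outside_coverage(lat, lon):
    return not (COVERAGE_LAT[0] <= lat <= COVERAGE_LAT[1] and COVERAGE_LON[0] <= lon <= COVERAGE_LON[1])

def risk_reasons(r, now, signup_window_days=3):
    reasons = []  # individual signals; each mirrors something the incident above showed
    if (now - r.started).total_seconds() / 60 > 3 * AVG_RENTAL_MIN:
        reasons.append("duration")             # far beyond the typical ride
    if outside_coverage(r.lat, r.lon):
        reasons.append("out_of_area")          # vehicle sits outside the coverage area
    if r.model in PREMIUM_MODELS and (r.started - r.account_created).days < signup_window_days:
        reasons.append("new_account_premium")  # days-old account straight into a high-end car
    return reasons

def flag_rentals(rentals, now, cluster_min=3):
    """Return {account_id: reasons}; out-of-area fixes are bucketed into ~1 km grid cells."""
    cell = lambda r: (round(r.lat, 2), round(r.lon, 2))
    cells = Counter(cell(r) for r in rentals if outside_coverage(r.lat, r.lon))
    flagged = {}
    for r in rentals:
        reasons = risk_reasons(r, now)
        if "out_of_area" in reasons and cells[cell(r)] >= cluster_min:
            reasons.append("cluster")          # several cars congregating on the same blocks
        if len(reasons) >= 2:                  # one weak signal alone is not enough
            flagged[r.account_id] = reasons
    return flagged

def sample_rentals():
    """Constructed data loosely mirroring the April 13 sign-ups and the April 15 spike."""
    return [Rental("acct-01", datetime(2019, 4, 13), "CLA", datetime(2019, 4, 15, 12), 41.886, -87.751),
            Rental("acct-02", datetime(2019, 4, 13), "GLA", datetime(2019, 4, 15, 13), 41.893, -87.748),
            Rental("acct-03", datetime(2019, 4, 13), "GLA", datetime(2019, 4, 15, 14), 41.888, -87.754),
            Rental("acct-legit", datetime(2018, 6, 1), "smart", datetime(2019, 4, 15, 17, 20), 41.88, -87.63),
            Rental("acct-05", datetime(2017, 1, 1), "CLA", datetime(2019, 4, 15, 9), 41.85, -87.62)]
```

Requiring two independent signals keeps a single long legitimate rental (acct-05) off the list, while the clustering step lets the out-of-area cars reinforce each other the way the map in Austin did.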
A coordinated attack on this scale was unprecedented, but there has been a near-constant stream of smaller incidents, according to three people with knowledge of the industry who spoke on condition of anonymity because of nondisclosure agreements. When Enterprise Holdings Inc. stopped operating its car-sharing service in Chicago in 2017, it also cited high rates of fraud and vandalism. When ReachNow introduced its service in Brooklyn, N.Y., in 2016, so many vehicles began disappearing that it was difficult for paying members to find any. The company, which had used an automated approval process, suspended its service and switched to manually reviewing new applications, according to a former employee who asked not to be identified disclosing private operational decisions. ReachNow resumed service but stopped operating in Brooklyn permanently in 2018, a decision resulting in part from continued fraud.
For Car2Go, it hasn’t been unusual for customers to create legitimate accounts, check out high-end vehicles, then lease them to nonmembers for short periods at inflated prices, according to someone familiar with its fraud problems who wasn’t authorized to discuss them. This practice, a violation of Car2Go’s rules, has been an issue in Chicago since the company started operating there, the person says. In several cases, hackers with lists of email addresses and passwords have written scripts to locate car-sharing accounts using those credentials. Once they find the accounts, they sign out cars and disable their GPS trackers, causing them effectively to disappear.
Car2Go periodically updates its password protection requirements to keep customer accounts from being breached, Kelton says. But it quickly reverted to manually reviewing new accounts and says it hasn’t had any serious issues in the two months since then. She adds that the other types of fraud have been rare at Car2Go and that its GPS trackers can’t be physically disabled. There are no reliable industrywide statistics on fraud rates.
Nicholas Hill, who’s worked for both ReachNow and Car2Go and now leads North American car-sharing operations for French automaker Groupe PSA, says there’s always a tension between convenience and security, and all companies are going to be tempted to favor the former. “Less restrictive,” he says, “is a better experience.”
To contact the editor responsible for this story: Jeff Muskus at email@example.com, Eric Gelman
©2019 Bloomberg L.P.