"It's an incredible underground ecosystem. There is a high level of competition for these criminal buyers and there are a lot of different types of forums. It's incredibly diverse, but incredibly mature," said Ed Cabrera, Trend Micro's vice president of cybersecurity strategy.Cybercriminals will often use stolen Uber credentials to book “ghost rides,” in which they create a fake driver account and charge nonexistent rides to stolen accounts, experts say. Another way fraudsters leverage this information is to simply build a fuller picture of a victim for identify theft. “They are doing their own market research or where they can find the data that’s most valuable in the criminal underground and they develop their attacks accordingly,” said Cabrera. Meanwhile, Forrester research analyst Andras Cser adds these incidents highlight the need of these service providers to be more cognizant of sudden changes in user's account behavior. “If a user suddenly takes a cross country ride versus following their usual movements, that should spark an alert,” Cser said. To address the issue of fraudulent transactions, Uber is reportedly testing its version of two-step authentication, which would require users to enter additional credentials when logging in from an unknown device. Cser says the time has come to move away from passwords. "[Companies] should be looking at behavioral biometrics solutions to authenticate users—how the user actually behaves, how they hold a phone, how big their fingers are and how hard they press the touch screen," said Cser.