
Stolen Model 3

Discussion in 'Model 3' started by Shaggy, Sep 14, 2018.

  1. Shaggy

    Shaggy Member

    Joined:
    Aug 9, 2015
    Messages:
    418
    Location:
    Austin
    Has this been posted?

    Tesla Model 3 Stolen From Mall of America Using Only a Smartphone
    Tesla Model 3 rental was stolen by reusing authentication key, thief caught days later in another state

    With cars becoming more connected than ever, cybersecurity is a hot-button topic that extends past your computer screen and into your car. Using a bit of technology, an alleged car thief was able to get his hands on a Model 3 at the Mall of America and drive away without needing a key. The alleged crime was reportedly committed via smartphone.

    A computer forensics specialist who commented on the happenings of the incident was able to narrow down just how the alleged stolen Tesla was taken with such reported ease. The person allegedly responsible for taking the car is believed to have reached out to Tesla's customer support to add the stolen Model 3 to his Tesla account by its vehicle identification number. Once the vehicle was accessible on a smartphone that was signed into this person’s account, he was reportedly able to unlock the car and drive away without ever needing a key.

    Several days later, the alleged car thief was tracked down and arrested in the stolen car in Waco, Texas, more than 1,000 miles south of its starting point in Minnesota. Since this person disabled GPS tracking on the car, the owner had to utilize a different method of tracking down the alleged crook. The owner tracked the location of the car's Supercharging and provided it to local authorities where they promptly located the car and arrested the man behind the wheel.
     
    • Informative x 4
  2. voip-ninja

    voip-ninja Give me some sugar baby

    Joined:
    Mar 15, 2012
    Messages:
    4,115
    Location:
    Colorado
    Tesla is offering a PIN code to drive security feature to combat this. Owners will want to set that up.
     
    • Like x 2
  3. Mike521

    Mike521 Member

    Joined:
    Jul 30, 2018
    Messages:
    12
    Location:
    Long Island NY
    I read the same article earlier. Really pissed me off - seems like he must have tricked a support rep into adding the car to his app. That support rep gave him the car. :mad:
     
    • Helpful x 1
    • Informative x 1
  4. SoCalGuy

    SoCalGuy Active Member

    Joined:
    Apr 22, 2012
    Messages:
    1,405
    Location:
    So Cal & New York, NY
    Surely Tesla must have some phone security questions to verify that the VIN you provide them with is indeed a VIN you own. I feel like something is missing from the story.
     
    • Like x 1
  5. ebmcs03

    ebmcs03 Active Member

    Joined:
    Dec 22, 2017
    Messages:
    2,029
    Location:
    So Cal
    Oh, time to cover my VIN up from the windshield
     
  6. Shaggy

    Shaggy Member

    Joined:
    Aug 9, 2015
    Messages:
    418
    Location:
    Austin
    Hopefully they add that you have to validate the password of the account it is on now or reply to a text from the phone of record... "Please put in the pin from the car now"... something.
     
  7. woodisgood

    woodisgood It's walnut, beech

    Joined:
    Jul 26, 2018
    Messages:
    1,710
    Location:
    San Francisco
    Yeah, seems there must be more to the story, e.g. an ex or roommate or something.

    Doesn’t make sense that anyone could read off my VIN to a Tesla rep while it’s sitting in a parking lot and have it added to their account.
     
  8. TheLocNar

    TheLocNar Member

    Joined:
    Mar 10, 2018
    Messages:
    932
    Location:
    Chicago
    He had previously rented that car. lol
     
    • Informative x 1
  9. Rotarypower

    Rotarypower Member

    Joined:
    May 3, 2016
    Messages:
    211
    Location:
    Cary, NC
    Well it’s called social engineering, and it can be a powerful technique to play off human psychological vulnerabilities.

    If you have never read (or listened to as I did) Kevin Mitnick’s book, Ghost in the Wires, and you are a true geek or techie and love stuff like that, you’ve gotta read or listen to it. It’s eye opening what one can do with social engineering.

    Ghost in the Wires
     
    • Like x 2
    • Informative x 1
  10. Mike521

    Mike521 Member

    Joined:
    Jul 30, 2018
    Messages:
    12
    Location:
    Long Island NY
    I listened to that book as well and couldn't agree more. I would not be surprised at all if he simply tricked the phone rep into giving him the car.
     
  11. Az_Rael

    Az_Rael Supporting Member

    Joined:
    Jan 26, 2016
    Messages:
    5,495
    Location:
    Palmdale, CA
    I have never been asked for any account verification info when calling Tesla support.

    At least when I had an OnStar vehicle, I had an account PIN I had to use for phone remote unlocks, etc.
     
  12. RGloverii

    RGloverii Active Member

    Joined:
    Jul 1, 2018
    Messages:
    141
    Location:
    Lake Fenton, Michigan
    When you call Tesla support, your phone number comes up on their Caller ID. They already know who you are and your account.
     
  13. PoitNarf

    PoitNarf My dog's breath smells like dog food

    Joined:
    Jun 7, 2016
    Messages:
    2,831
    Location:
    NJ
    Caller ID can be spoofed extremely easily. I must have had at least 4 spam calls yesterday alone that had the same first six digits as my own phone number.

    They should have security questions that they ask you or send you a verification pin via text to the phone number already on the account.
     
    • Like x 1
  14. cpa

    cpa Active Member

    Joined:
    May 17, 2014
    Messages:
    2,857
    Location:
    Central Valley
    When I called customer support to reset our password on our Tesla accounts, the agent asked me which location provided our most recent service appointment before sending me the reset information. This in and of itself is not much of a security feature in remote locations where there is only one service center for a large geographic area. It is a little stronger in urban areas that have several locations.

    I honestly do not know how to implement a fool-proof method of confirming one's ownership in matters like this. Perhaps Tesla needs to take initiative by sending certain updates via email periodically that force us to reset information both in the auto and on our private Tesla page. Or perhaps sending a text message to the phone number of record that requires the recipient to confirm to Tesla over the phone by talking to an agent that they indeed initiated this request.
     
  15. NathanielHrnblwr

    Joined:
    Sep 24, 2015
    Messages:
    770
    Location:
    San Diego (Oceanside)
    The thief had previously rented the car. The owner set up the renter's phone with a phone key, which was a poor choice. The phone key was revoked post rental, but the thief was able to call Tesla and social engineer the key being restored on his phone. Since the key was previously on the caller's device, there was confidence that the caller was an authorized user of the car. This clearly needs to be tightened up on Tesla's end.

    tl;dr Don't put your key on strangers' phones.
     
    • Informative x 4
    • Like x 1
  16. AnarchyEOD

    AnarchyEOD Member

    Joined:
    May 23, 2018
    Messages:
    273
    Location:
    Magnolia, DE
    There’s a lot wrong with this. Letting someone just transfer the car? I think this is easily solved with a phone password/code. Attach it to your account and it must be repeated before you can transfer a $50-$70k asset from one account to another. Whatever account the car is attached to receives a text verification code... there’s so many options... for now, I’m covering my VIN because F#€k that...
     
  17. Omniver

    Omniver Member

    Joined:
    Jul 5, 2018
    Messages:
    21
    Location:
    Boston
    It would be great if we can get some facts on how “easy” this is. Can someone create a new Tesla account (for a trusted partner/spouse/friend) and call Tesla and have them added and report back? I’d do it, but I’m still waiting for mine.
     
  18. mike123abc

    mike123abc Member

    Joined:
    Aug 20, 2018
    Messages:
    396
    Location:
    Norman, OK
    Toll-free numbers like Tesla's number get the ANI. The ANI is very reliable. ANI cannot be blocked like Caller ID.

    Automatic number identification - Wikipedia
     
  19. MXWing

    MXWing Well-Known Member

    Joined:
    Oct 13, 2016
    Messages:
    6,991
    Location:
    USA
    And don't tell your wife that the Tesla app tracks your location!

    Above sounds like what I believe happened.

    You need 2 factor authentication for everything to reduce chances of this.
     
  20. voip-ninja

    voip-ninja Give me some sugar baby

    Joined:
    Mar 15, 2012
    Messages:
    4,115
    Location:
    Colorado
    Another thing Tesla could do that I just now thought of is to add an account notification anytime the app is logged into a new device so an owner is aware their car has been added to a new mobile device.

    They could also turn on two-factor authentication for new account sign-ins, which is actually a pretty trivial thing to do.
     
    • Like x 2
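
Added example, not part of the thread and not Tesla's actual support process: a sketch of the control several posts above ask for, where a key-restore request is approved only after a one-time code sent to the owner's phone on record is read back, set beside the weaker signals the thread says were trusted (caller ID, a device that previously held the key). The class name, method names, VIN and phone numbers are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a one-time code


class KeyRestoreDesk:
    """Hypothetical support back end deciding whether to re-add a phone key."""

    def __init__(self, owner_phone_by_vin):
        self.owner_phone_by_vin = owner_phone_by_vin  # VIN -> owner's phone on record
        self.pending = {}  # VIN -> (SHA-256 of code, expiry timestamp)
        self.outbox = []   # stand-in for an SMS gateway: (phone, code)

    def weak_policy(self, vin, caller_id, device_previously_paired):
        # Signals the thread describes as trusted: the caller knows the VIN and
        # either the caller ID matches or the device once held a key.
        # A former renter satisfies this, and caller ID can be spoofed.
        on_record = self.owner_phone_by_vin.get(vin)
        return on_record is not None and (
            device_previously_paired or caller_id == on_record)

    def start_challenge(self, vin, now=None):
        # The code goes to the number already on the account, never to a
        # number or device supplied by the caller.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[vin] = (digest, now + CODE_TTL_SECONDS)
        self.outbox.append((self.owner_phone_by_vin[vin], code))

    def hardened_policy(self, vin, spoken_code, now=None):
        # Single use: the pending entry is consumed on the first attempt,
        # so a wrong guess forces a fresh challenge to the owner.
        now = time.time() if now is None else now
        entry = self.pending.pop(vin, None)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(spoken_code.encode()).digest()
        return now <= expires and hmac.compare_digest(digest, supplied)
```

Under the hardened policy, prior pairing and caller ID play no part in the decision; only possession of the owner's phone on record does.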
