Just a month after the dramatic (some would say tragic) exit of Uber from the mobile ride-hailing duopoly here in Singapore, Grab has entered headlines again.
Apart from the newly-minted dominant player Grab, also filling the vacuum left behind by Uber’s sudden exit are smaller ride-hailing firms like Jugnoo, Ryde and FILO.
These smaller firms have been kept in the shadow of Grab’s operations, which span eight countries in the Southeast Asian region. Founded in Malaysia, Grab’s operations have been met with great success, expanding exponentially even during its price war against global giant Uber – which itself had faced controversy worldwide. That’s not to say that Grab has not been met with scandals of its own.
In a recent exposè, Grab might have a role to play in rival Ryde’s SGD50,000 misadventure – all involving 300 spoof accounts which had made 2,000 phantom bookings.
What’s In It For Grab?
Ryde, which claims to be Singapore’s first and largest carpooling app, matches GPS coordinates with that of drivers going the same way. Users then pay the drivers directly to defray some of the cost of carpooling. There are some definite technical differences between the operation of both firms. Grab’s operations involve dedicated drivers picking up customers who pay the company, who in turn disburses benefits to driver-partners.
However, both services remain in competition as close alternatives: drivers in both platforms aren’t ’employees’, and riders use an app to hail their ride.
It might then seem that Grab might have some impetus to block the advance of the rapidly growing Ryde, which has expanded to Hong Kong just last year. However, it seems ludicrous that the multi-national, multi-million dollar Grab would want to expose itself to criminal activity, especially at a time where the public has voiced apprehension about its monopoly and concomitant price hikes and service issues.
Furthermore, with 50 million Google App Store downloads against a measly 100 thousand, it is absurd that Grab, a regional giant would worry enough about Ryde to put so much on the line.
And if they were out for blood, why do it in their offices where it can be tracked?
All information we know at present is provided by Ryde Technologies Pte. Ltd. and has not been verified by external parties and investigators. We are simply explaining the circumstances and do not claim to have any special knowledge and do not wish to insinuate the blame on either party.
Ryde, in a statement released both on its website and on its Facebook page, announced DDOS-like ‘attacks’ which occurred mid-May and continued to worsen over the course of six weeks. This activity was recorded, and a report was lodged to the police on June 26. Other regulatory bodies in Singapore like the Land Transport Authority and Consumer Commission of Singapore were notified.
These ‘attacks’ originated from IP addresses 126.96.36.199, 188.8.131.52 and 184.108.40.206. Using Ryde’s own GPS and location services, they identified the geo-coordinates Midview City and The Herencia, with the geodata they had attributed to the “Ryde Database”.
Of course, it took digital sleuths little time to find a potential perpetrator. GrabTaxi Holdings Pte. Ltd. owns offices in the named locales, Midview City and The Herencia. These were also listed as Grab Driver Centres, where individuals show up to sign up as a partner. It might even seem that Ryde had intended to call out their digital assailant when it specifically named the buildings in their press release, though it stopped short of naming Grab outright.
Ryde had also alleged that a total of 300 spoof accounts were created during this period in order to initiate 2,000 “phantom” bookings on their platform.
All About IP Addresses
IP Addresses are usually represented by four sets of numbers that are separated by periods. These are used as identification markers that are affixed to individual devices in an Internet Protocol network (AKA on the internet), allowing the network host to identify clients.
Accessing information on the internet requires two-way communication between host and client (that’s you, the user). Inputs from the client side are sent as packets to the host networks, which respond with a packet to the source address. Usually, there are many devices and networks involved in this global relay, so IP addresses are unique enough for you to get a response back.
To see this, open up Command Prompt on Windows, and Network Utility if you’re on a Mac. On Command Prompt, enter tracert www.vrzone.com. On Network Utility, search for www.vrzone.com. Both processes would show multiple addresses your data has to traverse in order to reach the destination.
IPv4, which is the standard that has been used from the beginning of the Internet, is 32-bit, which means it only has 232 permutations. This means there are only roughly 4.3bn unique IP addresses, much fewer than there are internet-connected devices on the planet.
This means that IP addresses aren’t exactly unique. What happens instead is IP addresses within a locale (a housing unit, building, organisation) are collated by the local network, which submits a combined packet to the host server. In turn, packets received from the host server is sorted by the local network and disbursed to the respective devices. This is a process called Network Address Translation.
This process also means that there is no unique IP address, ever. Check any of your friend’s IP addresses (get them to Google “IP address”), and you’ll see that it’s pretty similar.
IP addresses are pretty easy for anyone in the network to find out, since your device has to know the addresses of the other device it interacts with.
However, it is incredibly easy to mask or spoof your own IP address. You can’t make a new one, but you can always hide behind another existing IP address. VPN services do this by redirecting and masking your IP address, meaning that your data is redirected from a new address that everyone will see as the source address. Web proxies work in a similar way, though data between your device and the new source is not encrypted.
So we have a few problems right here.
- IP addresses are pretty complicated.
- IP addresses are not unique identifiers.
- IP addresses are very spoofable.
Try placing your IP address (remember, Google it) in any geolocation service on the web. See how it knows your general location but fails to provide a specific reading. I consistently get “Singapore” across several websites. They know my Internet Service Provider (ISP) which in Singapore are companies you pay like Starhub, Singtel, etc., but there’s not much more information than that.
Ryde, however, apparently has a database of IP addresses that have geographical data, which allowed them to narrow down their search to the networks in two office buildings in The Herencia near River Valley and Midview City in Bishan.
Is Grab To Blame?
On one hand, it is pure stupidity for any company to engage in illegal activities. Legal and criminal costs are high, and individuals responsible for initiating these actions will face the full brunt of the law. So much more Grab, a consumer-oriented brand which relies on its public image, PR and marketing heavily for sales figures.
There’s a case to be made that third parties, presumably who have an issue with Ryde, Grab or both firms, had spoofed Grab’s IP addresses via a web proxy, pretended to be Grab, and attacked Ryde. That’s very possible, though it’s not my favourite theory. There aren’t many parties unhappy with both companies, though cabbies could a possibility – or maybe a very disgruntled customer.
But what if Grab is indeed responsible for the SGD50,000 hit on Ryde?
The first IP address, 220.127.116.11, points to Grabtaxi Pte Ltd, based on data provided by https://www.iplocation.net/.
The second IP address is based in Singapore but is linked to US company DigitalOcean LLC. This firm provides a cloud hosting service, which is a solution for developers to host software like applications and programmes.
Grab is an app, after all, and requires a data management service to host their wealth of data. DigitalOcean LLC has also opened a new data centre in Singapore just recently.
The third IP address is linked to OneAsiaHost, a Virtual Private Server that is also used for enterprise-level networking. Most companies have a physical server for storage of records, shared files and applications, but can be prohibitively priced for smaller companies. Grab’s core operation is small, so it wouldn’t be surprising if this one’s linked to them too.
What might have transpired is someone’s brilliant idea to exploit a loophole in Ryde’s user interface. But what happened instead was a trial run on the company network, before they wisened up to utilise their proxy services to mask their actual address – leaving Ryde and the Singaporean internet sleuth community a huge hint as to the culprit.
By not requiring credit card information as users of Ryde typically remunerate their drivers in person, Ryde also opens itself to spoof users. The penalty system is also unable to curb further exploitation since there is no way to bill the spoof ‘user’.
On comparative apps like Grab and Uber, users who are late, or who cancel confirmed trips are met with harsh penalties that usually amount to about half the fare to be charged.
Whatever the verdict, this episode is an apt reminder for all companies and perhaps all individuals to examine vulnerabilities in the systems we are responsible for.
Technically Speaking is a weekly op-ed where VR Zone’s Chief Editor Ian Ling probes prominent issues for hidden truths and offers technically-minded insights.