# First Reported Model 3 Stolen?



## Brokedoc

Model 3 stolen from Mall of America and the thief apparently knew enough to disable remote apps/monitoring so it couldn't be GPS tracked. The owner was smart enough to check his supercharging fees and the car was recovered 1000 miles from where it was stolen.

Based on the article, I think Tesla gets some blame here as the thief was somehow able to access the person's account. With the new firmware versions just released, PIN to start the car is available. Might not be such a bad idea to use it...

http://amp.timeinc.net/thedrive/tec...of-america-using-only-a-smartphone?source=dam


----------



## Gavyne

Key here is he rented the car before and was able to pair his phone prior. Smart renters should only allow card access, and of course now do the PIN code option.


----------



## MelindaV

Brokedoc said:


> With the new firmware versions just released, PIN to start the car is available. Might not be such a bad idea to use it...


this currently is only available on the S/X


----------



## SoFlaModel3

MelindaV said:


> this currently is only available on the S/X


Yeah, can't wait for this on the 3, very smart feature!!


----------



## MelindaV

Not sure if the story was updated after @Brokedoc orig linked to it, but this really seams like much of the blame should be on the rental company and bad security practices. The alleged thief did not hack the car, or otherwise breakin to be able to drive off in it. Tesla has confirmed the car Still had that person's phone in the car's authorized 'keys'. The rental company's lack of precaution allowed the person to drive away with it. There is a reason 'real' rental companies have their car lots secured - because they know a previous renter could have gotten another key made (some cars make this much more difficult, but many even today would still easily be able to be done). It sounds like this came out of opportunity. (If a jewelry store is left unlocked with product on the counter and they are robbed over night, how much of the blame is on the one who didn't secure it vs the thief?)
Why would a renter need to have their phone set up at all? I've rented from turo twice now, and each was given the key card only. The only downside on a couple day rental was needing to unlock the car with the card prior to getting into the trunk. Otherwise using the card was perfectly acceptable in using the car.


----------



## PNWmisty

SoFlaModel3 said:


> Yeah, can't wait for this on the 3, very smart feature!!


I would rather have robust security built into the usual means of unlock/lock. I believe the Model 3 currently has robust security but, of course, anything can be hacked but if it's good enough then there are always easier targets.

One of the strengths of the Model 3 is its extreme simplicity of use. Tesla has managed to reduce the number of steps to drive/park to the absolute minimum. Even if the PIN code could be turned off in the menus, it would be one more option cluttering up the menu and making it incrementally harder to find the setting you were actually looking for. This is a problem if too many optional settings are offered so options should be limited to functions that actually add value. And if the normal method of entry/ start are secure, a PIN option adds no value.


----------



## SoFlaModel3

PNWmisty said:


> I would rather have robust security built into the usual means of unlock/lock. I believe the Model 3 currently has robust security but, of course, anything can be hacked but if it's good enough then there are always easier targets.
> 
> One of the strengths of the Model 3 is its extreme simplicity of use. Tesla has managed to reduce the number of steps to drive/park to the absolute minimum. Even if the PIN code could be turned off in the menus, it would be one more option cluttering up the menu and making it incrementally harder to find the setting you were actually looking for. This is a problem if too many optional settings are offered so options should be limited to functions that actually add value. And if the normal method of entry/ start are secure, a PIN option adds no value.


I think it's a nice failsafe.

My house has locks, it doesn't mean I don't want to have an alarm.


----------



## PNWmisty

SoFlaModel3 said:


> I think it's a nice failsafe.
> 
> My house has locks, it doesn't mean I don't want to have an alarm.


There's not such a thing as "failsafe".

An alarm adds more functionality. If the entry method is secure, an additional pin doesn't add any additional functionality. If you forget to lock your vehicle, it still can't be driven by someone without a key.


----------



## SoFlaModel3

PNWmisty said:


> There's not such a thing as "failsafe".
> 
> An alarm adds more functionality. If the entry method is secure, an additional pin doesn't add any additional functionality. If you forget to lock your vehicle, it still can't be driven by someone without a key.


That's a good point!


----------



## garsh

PNWmisty said:


> There's not such a thing as "failsafe"


Tesla is creating two-factor authentication for driving the vehicle. This is a good, general, modern security practice. 2FA traditionally includes two things:

Something you have
Something you know
The "something you have" is your keycard or phone. The "something you know" is the pin. Each individual aspect is actually kind of weak in the case of a Tesla.

There are multiple keycards & phones that work with the car, and the ease of duplicating a phone depends on what kind of authentication the phone itself is employing. Ideally, there would be a single hardware token that cannot be duplicated.

Likewise, the "pin" in this case is limited to four numbers, making it pretty weak. Also, the keypad on the screen will probably reveal the 4 numbers used via fingerprints, making it somewhat easy to guess.

So, it's good that Teslas have the option of 2FA, but I'd like to see it strengthened a bit.


----------



## SalisburySam

garsh said:


> Tesla is creating two-factor authentication for driving the vehicle. This is a good, general, modern security practice.


As vehicles evolve to computers with ancillary transport equipment, hacking and theft of the sort used to steal data become greater issues. The 2FA approach is one example of an extra layer of security to make access significantly more difficult. But the cost of doing so is convenience. Most online banking today requires some sort of 2FA such as entering a code sent to the customer either as a text message or an email. This code then permits you to complete the login process and do your business. Under normal driving circumstances, this is just an annoyance. Under any other situation, it is a non-starter (pun intended).

In the iOS world, online banking apps with 2FA permit the use of fingerprint or facial scan to take the place of sending a token to you and having you copy or type it in to complete the login. Much faster, less annoying, and arguably equivalent security. I would be willing to press somewhere on the screen to provide a fingerprint or have the inside camera (when enabled) recognize me as an extra security precaution. I am not willing to await a code, type or copy it into the system, and then be able to start my car. Especially with the code having to beam back to Tesla's mothership for authentication in areas with limited or no WiFi or cellular service.



PNWmisty said:


> I would rather have robust security built into the usual means of unlock/lock.


I agree. Although there are likely some use cases where the extra steps required of robust 2FA are perhaps necessary (e.g., rentals maybe?), these extras really will detract from the simplicity of the Model 3 driving experience and generate, at best, lots of complaints. My 2012 Nissan LEAF has this colossally bothersome nag screen you have to act upon every single time the vehicle is started. The complaints in blogs and forums are legion, and even Nissan changed it to a monthly nag in later models. It was the one and only single thing about my entire LEAF ownership that from day one to today I loath about this otherwise great car.

Whew! I guess I've exceeded my posting quota today, for which I humbly apologize.


----------



## PNWmisty

garsh said:


> So, it's good that Teslas have the option of 2FA, but I'd like to see it strengthened a bit.


It's a friggin car! I guess I'm desensitized to theft for a few reasons:

1) I am totally accustomed to starting cars with a metal key. Anyone could copy it. If someone wanting to steal my car didn't have a key they could just twist two wires together, touch two more, and be on their way. Or hammer a BF screwdriver in the key slot and turn real hard. It's just a car.
2) It's just a car.
3) It's insured.
4) Where there's a will, there's a way. And if they want to steal it that badly, they might just force you to go with them to make it easier.
5) I have two legs and more important things to think about.
6) Before I had cars, I only had motorcycles. Anyone, with a couple helpers, could just put them in a van and drive away. I would park them in remote areas when going backpacking. No one ever stole any of my motorcycles, let alone my cars.
7) If I lived somewhere I needed to worry about it, I would move somewhere where I didn't. 
8) The Model 3 can be tracked electronically.
9) It's just a car.

That said, I would be really sad if someone stole my Model 3 because it would take longer than just about any other car to replace and while it's just a car, it's the nicest car I've ever had (but not the most expensive). But it's one of the hardest cars in the world to successfully steal so I'm not concerned.


----------



## garsh

I miss the days when someone could be hanged for stealing a horse.


----------



## Evoto Rentals

*HOW OUR TESLA WAS STOLEN IN CANADA, SHIPPED ACROSS THE WORLD AND WE GOT IT BACK*

A while ago, a renter used a fake id and burner cell phone to rent a Tesla from us. They paid using a prepaid credit card for a long rental. But they had other plans.
They took the car to a crater / container packaging & shipping company to have it packed in a container to ship to the Middle East.

Our rental cars are set up in a way where no one can disable the remote monitoring. So we were able to track the car to the shipping company.
Following the paperwork, we were able to uncover the destination of where our Tesla was heading and the container & ship it was on.

We got suspicious when the rented car was at that location for a few days without movement.*
The Tesla app locator helped us get a warrant to search the place
We involved the police and went to seize the car but we had just missed them and the car was on a ship to the Middle East.

Our management and lawyers involved RCMP and INTERPOL (not an easy task) and the container was seized in Italy and shipped back to us.
Of course this was after lots of lawyer work and paperwork across the ocean, but our Tesla came back in one piece.

We are not sure why car thieves think they can steal a GPS enabled Tesla and ship it to another country (we were guessing UAE or Jordan as they are the only 2 countries with a supercharger network) where Tesla can disable supercharging and other features of the car making it obsolete.

Toronto and Montreal have had record high car thefts and what is referred to as friendly fraud (renting a car under false pretence) in the past few years due to the close access to the Montreal port for shipping and minimal repercussions of the crime. There is a political tug of war between the border force & the local police as well as the Federal police (RCMP) over who needs to police this as well as a lack of funding and time to scan each container but that is a whole other story.
Border officers frustrated at police inaction over stolen cars being exported through Montreal

(The stolen Tesla was put with another ICE car in a container designated to carry scrap metal)

Today we run background checks on every customer & have a second GPS tracking system on our fleet.
I guess the record remains great at 113 out of 116 stolen Teslas retrieved!
Stolen Tesla vehicles in the US have almost all been recovered: 112 out of 115

*Details for this part is for Tesla owners only (we will not be publishing the following): 
_It seems Tesla's native GPS tracker does not register movement if the car is on a flat bed i.e. not using its wheels to drive
It will register an old tow truck since the wheels are spinning but then again the thief can disable the battery
The app will ping the last spot the car had reached before being put on a flat bed or in a container
Though the app did help us locate the car's last known location and obtain a warrant for the search, the triangle was greyed out
We strongly recommend a 3rd party tracking company like TAG in Canada which doesn't rely on the car to power its system
And where the system's logo on your window alone deters thieves in the first place._

_Pin to Drive + TAG is the way to go_


----------



## Evoto Rentals

MelindaV said:


> Not sure if the story was updated after @Brokedoc orig linked to it, but this really seams like much of the blame should be on the rental company and bad security practices. The alleged thief did not hack the car, or otherwise breakin to be able to drive off in it. Tesla has confirmed the car Still had that person's phone in the car's authorized 'keys'. The rental company's lack of precaution allowed the person to drive away with it. There is a reason 'real' rental companies have their car lots secured - because they know a previous renter could have gotten another key made (some cars make this much more difficult, but many even today would still easily be able to be done). It sounds like this came out of opportunity. (If a jewelry store is left unlocked with product on the counter and they are robbed over night, how much of the blame is on the one who didn't secure it vs the thief?)
> Why would a renter need to have their phone set up at all? I've rented from turo twice now, and each was given the key card only. The only downside on a couple day rental was needing to unlock the car with the card prior to getting into the trunk. Otherwise using the card was perfectly acceptable in using the car.


Sometimes you can't do anything if the the person legitimately rents the car and pays for the rental. This is considered "friendly fraud". It happened to us with our Model S read the full story here: https://teslaownersonline.com/threa...ed-across-the-world-and-we-got-it-back.11531/

This is when a person rented the car for 10 days, paid (using a prepaid credit card) and provided an ID that was later discovered to be fake. When we tracked the car, we found he had also taken an ICE car from one of the largest Rental company brands worldwide. We now run background checks and have a third party Tracking installed on all our cars (called TAG in Canada). They have a 100% recovery rate. Another trick they use is they call their credit card company and claim they never rented a car in the first place. The credit card then refunds them the money (someone tried that as well but we contested it and provided proof). There will always be someone that wants to game the system whether its fraud or getting away with something that isn't theirs. Its part of the risk of running any business. The best thing to do is put things in place to minimize this.


----------



## JasonF

Awesome, I hope word gets out about this. At the very least, shady shippers might refuse to take Teslas because they can't be sure that putting just one in a container won't ruin their entire business. Which in turn will make pro thieves avoid them, since they can't sell them to anyone.


----------



## Norm Rechtman

Would be nice if there was a token they could send you to Use the app when you rent and then they can revoke it when the car is returned


----------



## Evoto Rentals

JasonF said:


> Awesome, I hope word gets out about this. At the very least, shady shippers might refuse to take Teslas because they can't be sure that putting just one in a container won't ruin their entire business. Which in turn will make pro thieves avoid them, since they can't sell them to anyone.


Agreed. Many legit shippers refuse to touch or ship any cars (even with proper documentation) now because of these headaches.


----------



## Evoto Rentals

Norm Rechtman said:


> Would be nice if there was a token they could send you to Use the app when you rent and then they can revoke it when the car is returned


Tesla said something like this would / could be possible once rental companies have bigger fleets, say 20 or more cars


----------



## mptpro

MelindaV said:


> this currently is only available on the S/X


Pin-to-drive IS avaiable on M3, and has been for long time.


----------



## FRC

mptpro said:


> Pin-to-drive IS avaiable on M3, and has been for long time.


Did you notice that @MelindaV 's post was from Sept. 2018?


----------



## MelindaV

mptpro said:


> Pin-to-drive IS avaiable on M3, and has been for long time.


You are replying to a post from A LONG TIME AGO, BEFORE it was on the Model 3.


----------



## jsmay311

2FA is now available.

https://teslaownersonline.com/threads/2fa-two-factor-authentication-now-live-on-tesla-com.16983/


----------



## Klaus-rf

jsmay311 said:


> 2FA is now available.
> 
> https://teslaownersonline.com/threads/2fa-two-factor-authentication-now-live-on-tesla-com.16983/


 ONLY for login to the www.tesla.com website.

Nothing to do with the car(s).


----------



## jsmay311

Klaus-rf said:


> ONLY for login to the www.tesla.com website.
> 
> *Nothing to do with the car(s)*.


That is *not *true.

*If your Tesla account credentials are compromised, someone can steal your Tesla* *using the phone app.*

I'll quote another post that explained it more clearly than I probably could:

https://teslamotorsclub.com/tmc/posts/3409903/
_"[E]ven though you can't register a new phone as key without a key card, you can still steal the car if you only have the Tesla account password. I tested this by installing the Tesla app on an iPad that has never been registered as a key.

1) Install app and log in using stolen password
2) Use the app to conveniently locate the vehicle you want to steal
3) If the car happens to sit in a garage, you can open it from outside via the car's Homelink function if Summon is enabled
4) Unlock the vehicle via the app
5) Use the keyless start function in the app with the stolen password to start the car
6) Drive away"_

So without 2FA, a compromised Tesla account password could cost you your Tesla.


----------



## Evoto Rentals

Norm Rechtman said:


> Would be nice if there was a token they could send you to Use the app when you rent and then they can revoke it when the car is returned


This is possible now


----------

