Deliver-oops! Takeaway pusher's customers burger-ed by hijackers
Baddies stole food, not credit card data, protests firm
Customers of online takeaway firm Deliveroo are getting their accounts hijacked and charged for food they never ordered, according to an investigation by BBC One's Watchdog.
Investigators from the campaigning TV consumer affairs programme uncovered evidence that scores of customers of the newly be-logo-ed Deliveroo are being defrauded by cybercriminals.
Deliveroo customer Judith MacFadyen from Reading told Watchdog: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought this is really odd, so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."
Fraudsters had hacked into Ms MacFadyen's account and ordered chicken, burgers, chips, and milkshakes that were delivered to addresses 30 miles away from her home. More than £240 was taken from a debit card linked to her account.
Ms MacFadyen, who quickly cancelled her card, subsequently discovered hackers changed her address and phone number before ordering food at her expense. Steve Tappin was charged £98 for a delivery from a TGI Friday – 86 miles away from his home in London.
In another case, fraudsters hacked into the account of two student flatmates from Southampton University before ordering four curries, six naans and a kebab to an address in Leicester – 120 miles away. Other fraudulent orders from the same account included three grilled chickens, four pizzas, five cheesecakes, garlic bread and eight bottles of Vodka to multiple locations across London – over 60 miles away from their home.
The pair lost £440 in total after Deliveroo's systems failed to raise fraud warnings about multiple orders to addresses miles apart from each other all on the same night.
Victims have being reimbursed for their losses, the BBC reports. The Watchdog episode is due to air in the UK at 20:00 on 23 November.
Experts quizzed by the BBC team faulted Deliveroo for failing to do enough to prevent fraudulent transactions. The three-year-old startup ought to require the CVV2 code on bank cards as well as checking the address on orders is close to or the same as pre-registered addresses.
It seems that cybercriminals had used stolen passwords from unrelated breaches in order to hijack compromised accounts, a well-known hacker trick sometimes known as credential stuffing. A Deliveroo spokesperson told El Reg:
We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone's account. This is why we urge customers to use strong and unique passwords for every service they use.
It is our policy not to comment on specific anti-fraud countermeasures because we don't want to provide public guidelines on how we detect fraud to criminals. That said, we can assure customers that we are constantly improving our security measures, and make regular upgrades to our practices. Recently, this included frequently asking customers to verify themselves when entering a new address.
We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity. This blocks transactions when our system detects suspicious activity.
On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities.
Kevin Cunningham, founder and president at identity firm SailPoint, said that the frauds against Deliveroo customers illustrates the "chaining" or "domino effect" that data breaches can have across multiple organisations. Password reuse, the suspected root cause of the frauds against Deliveroo customers, is very common, he added. ®