CYBER CRIMINALS USED HACKED DELIVEROO ACCOUNTS TO ORDER FOOD ON VICTIMS’ CARDS
Deliveroo customers’ accounts have been accessed and used to buy food they did not order, according to reports. An investigation by the BBC’s Watchdog programme found that hundreds of pounds’ worth of food and drink had been bought fraudulently through the delivery service.
As with many online services, users can save their payment information. Although the card details are not fully visible when an order is placed, saving them means purchases can be made easily.
One customer, whose suspicions were raised by an unexpected confirmation email, found more than £200 had been spent through her Deliveroo account in a single afternoon.
Deliveroo said no financial data had been compromised. It said passwords stolen in other data breaches had been used to access its customers’ accounts.
“We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers,” it said. “These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach.
“The stolen password is then used to fraudulently access someone’s account.”
It said that in such cases it works with customers to secure their accounts, reimburses them for the fraudulent transactions and “where appropriate” works with the authorities.
Security experts said the incident was an example of why users should use strong security practices to protect their information across different sites and services.
“This is a perfect example of why people need to be using different password/username credentials for different sites,” said James Romer, chief security architect EMEA at SecureAuth. “Using the same combination is the equivalent of a skeleton key to your online life. It makes it too easy for bad actors to gain entry to more and more information.
“This is of monumental importance, particularly on sites like Deliveroo where customers save their card details for convenience, leaving them with holes in their bank accounts too.
“This laid-back consumer attitude is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don’t have to impact the user. Multi-factor, adaptive authentication renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts.
“This also removes the hoops to purchase without impacting the user experience.”
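The two defensive measures implied above, stolen-password replay detection on the login log and contextual step-up before a saved card is charged, as an added example that is not Deliveroo's or SecureAuth's code. The log lines, field names, thresholds and scoring weights are constructed assumptions, not anything the article reports.

```python
from collections import defaultdict

# Constructed auth log: (source_ip, username, outcome). One address cycles
# through many different accounts and mostly fails, which is what a replay
# of passwords stolen from another service looks like on the server side.
AUTH_LOG = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("198.51.100.2", "alice", "success"),
    ("198.51.100.2", "alice", "success"),
]

def spot_stuffing_sources(log, min_accounts=4, min_fail_ratio=0.6):
    """Return source IPs that touch many accounts with a high failure share.
    The thresholds are assumed values; tune them on real traffic."""
    accounts = defaultdict(set)
    attempts = defaultdict(lambda: [0, 0])  # ip -> [fails, total]
    for ip, user, outcome in log:
        accounts[ip].add(user)
        attempts[ip][1] += 1
        if outcome == "fail":
            attempts[ip][0] += 1
    return sorted(
        ip for ip in accounts
        if len(accounts[ip]) >= min_accounts
        and attempts[ip][0] / attempts[ip][1] >= min_fail_ratio
    )

def checkout_decision(history, ctx, stuffing_ips):
    """Adaptive check before a saved card is charged.

    history: device ids, countries and delivery addresses previously seen
    on the account; ctx: the current session. A correct password alone is
    not enough when the context is new. Returns 'allow', 'step_up' (ask
    for a second factor) or 'block'. Weights are assumed, not measured.
    """
    if ctx["ip"] in stuffing_ips:
        return "block"
    risk = 0
    risk += 2 if ctx["device"] not in history["devices"] else 0
    risk += 1 if ctx["country"] not in history["countries"] else 0
    risk += 1 if ctx["delivery_address"] not in history["addresses"] else 0
    return "step_up" if risk >= 2 else "allow"
```

A new device ordering to an unfamiliar address is the case in the article; here it gets a step-up prompt rather than a silent charge.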