Customer accounts hacked but Deliveroo denies breach of its systems and urges customers to improve their passwords
British online food delivery company Deliveroo is at the centre of a security breach scare after a BBC investigation revealed a hack of ‘scores’ of its customers who are being charged for food they never ordered.
But the firm has denied that its systems have been compromised and has urged customers to use better password security.
The BBC investigation found that a “growing number of customers have found that it can be all too easy for fraudsters to use their accounts.”
“I noticed that I had a ‘thank you’ email from Deliveroo for a burger joint in Chiswick,” explained Deliveroo customer Judith MacFadyen from Reading. “I thought this is really odd, so I went onto my account and had a look and there had been four orders that afternoon to a couple of addresses in London.”
It seems that the fraudsters had hacked into MacFadyen’s account and ordered food that was delivered to addresses 30 miles away from her home. In the end more than £240 was taken from the debit card MacFadyen used on her account.
MacFadyen was alarmed at how easy it was for the hackers to change her address and phone number, and it should be noted that at this stage it is not clear how the hackers managed to access her account.
Watchdog meanwhile interviewed security expert David McClelland, who criticised Deliveroo for not doing enough to protect customer accounts.
“When we buy things online the more hoops we have to jump through to complete that purchase the more likely we are to go away and do something else instead,” McClelland is quoted as saying.
“Deliveroo realises that – so tries to remove as many of the hoops as possible,” he said. “However some of the hoops that Deliveroo are removing are there specifically for security purposes. So while it may be making it easier for us to place orders, it’s also making it easier for us to be defrauded.”
McClelland believes that Deliveroo should be utilising the CVV2 code on bank cards to help prevent fraud, and should check the address on orders to make sure it isn’t somewhere suspiciously far away from the address of the registered account.
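One way a merchant could implement the distance check McClelland describes, combined with the other signals visible in MacFadyen’s case (contact details changed shortly before a burst of orders), as an added illustration that is not Deliveroo’s code or any system mentioned in the article; the account, coordinates, timestamps and thresholds are constructed for the example.

```python
import math
from datetime import datetime, timedelta

# Constructed sample data (not real Deliveroo records): an account registered in
# Reading whose contact details were changed shortly before a burst of orders.
ACCOUNT = {
    "home": (51.4543, -0.9781),                        # Reading (approx. lat, lon)
    "details_changed_at": datetime(2016, 11, 22, 13, 5),
}
ORDERS = [
    {"id": 1, "at": datetime(2016, 11, 22, 13, 20), "dest": (51.4927, -0.2675)},  # Chiswick
    {"id": 2, "at": datetime(2016, 11, 22, 13, 41), "dest": (51.5074, -0.1278)},  # central London
    {"id": 3, "at": datetime(2016, 11, 22, 14, 2), "dest": (51.4927, -0.2675)},   # Chiswick again
    {"id": 4, "at": datetime(2016, 11, 22, 18, 0), "dest": (51.4543, -0.9781)},   # home address
    {"id": 5, "at": datetime(2016, 11, 23, 19, 0), "dest": (51.4543, -0.9781)},   # next day, home
]

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def score_orders(account, orders, max_miles=20, change_window=timedelta(hours=24),
                 burst_window=timedelta(hours=2), burst_count=3):
    """Return {order_id: [reasons]} for orders showing account-takeover signals:
    delivery far from the registered address, contact details changed just before
    ordering, or several orders in a short window. Thresholds are assumptions."""
    flagged, recent = {}, []
    for o in sorted(orders, key=lambda x: x["at"]):
        reasons = []
        dist = miles_between(account["home"], o["dest"])
        if dist > max_miles:
            reasons.append(f"delivery {dist:.0f} mi from registered address")
        since_change = o["at"] - account["details_changed_at"]
        if timedelta(0) <= since_change <= change_window:
            reasons.append("contact details changed shortly before order")
        # Keep only orders inside the rolling burst window, then add this one.
        recent = [t for t in recent if o["at"] - t <= burst_window] + [o["at"]]
        if len(recent) >= burst_count:
            reasons.append(f"{len(recent)} orders within {burst_window}")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged
```

Orders 1 to 3 are flagged for distance and the recent detail change (order 3 also for the burst), order 4 only for the detail change, and the next-day order to the home address is not flagged at all.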
But another security expert pointed out that users themselves have to be more careful about password reuse.
“This is an example of one of those instances where passwords have been reused on a site that is possibly considered of secondary importance,” said Mark James, a security specialist at ESET.
“Reusing passwords is bad regardless of the site’s perceived importance,” he warned. “A good unique password is even easier with a password manager of which many choices are available now both paid and free; a lot of them will enable you to score your existing passwords to check their strength and uniqueness.”
Deliveroo meanwhile said that its systems had not been hacked.
“Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem we take it very seriously,” a Deliveroo spokesperson told TechweekEurope via email.
“We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers,” said the spokesperson. “These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone’s account. This is why we urge customers to use strong and unique passwords for every service they use.”
Deliveroo declined to comment on its specific anti-fraud countermeasures, saying it does not make public how it detects fraud.
But it did say that it uses “industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning to track patterns of criminal activity.”
Last November Deliveroo raised $100 million (£66 million) in funding to help it expand into other countries.