Food-for-who? Deliveroo feeds fraudsters

The BBC's Watchdog programme has revealed its investigation into food delivery app Deliveroo which has been sending food to criminals who are using stolen login credentials to get into accounts.

Should Deliveroo be providing extra security in its app to prevent this from happening again?
Should Deliveroo be providing extra security in its app to prevent this from happening again?

The BBC's Watchdog programme has detailed how customers of food delivery app Deliveroo have had their accounts fraudulently used by criminals who have run up huge bills for food.

Deliveroo has claimed that criminals are getting into Deliveroo accounts using login credentials acquired from other major data breaches.

One user told Watchdog that £200 was spent on burgers delivered to several addresses.

Mark James, security specialist at ESET told SCMagazineUK.com: “This is an example of one of those instances where passwords have been reused on a site that is possibly considered of secondary importance. We are often cautious about sites that are considered financial or high risk but often don't apply the same level of concern over the lower ones. This of course can lead to exactly the issue we see here, data taken elsewhere reused to see ‘if it works'.”

James added: “Reusing passwords is bad regardless of the site's perceived importance. A good unique password is even easier with a password manager of which many choices are available now, both paid and free; a lot of them will enable you to score your existing passwords to check their strength and uniqueness.”

Speaking with the BBC, Deliveroo customer Judith MacFayden said: "I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London."

“Margaret Warner, from Manchester, was charged £113.70 for chicken, waffles and chips that she did not order while Steve Tappin was charged £98 for a delivery from TGI Friday which was 86 miles away from his home.”

According to the BBC, all customers who complained have had their money refunded, and Deliveroo has denied that any financial information had been stolen.

Speaking with the BBC, Deliveroo said: "Customer security is crucial to us and instances of fraud on our system are rare, but where customers have encountered a problem, we take it very seriously. We are aware of these cases raised by Watchdog – they involve stolen food, not credit card numbers. These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach."

Deliveroo urged customers to use "strong and unique passwords for every service they use".

Kevin Cunningham, founder and president at identity company SailPoint, told SC: “This illustrates an interesting ‘chaining' or ‘domino effect' that data breaches can have across multiple organisations.”

Cunningham explained: “Identity has become the new attack vector. And hackers are all over that fact – finding those orphaned accounts to grab and log into behind the scenes without an IT admin even knowing about it. Or, taking stolen credentials from one breach and using them to access another website. All because a user chose to reuse a password across multiple sites – a very common occurrence.”

According to Cunningham this can be avoided. “Often, it comes down to password hygiene as the starting point to stronger and smarter access management. Use a unique password for every application. Make sure the password is long and more complex – ideally twelve characters should be thought of as a minimum.”

Sign up to our newsletters