Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Deliveroo Under Fire After Hungry Hackers Defraud Firm

Takeaway delivery service Deliveroo has come under criticism after an investigation revealed customers have had their accounts broken into and used to run up huge bills.

BBC’s Watchdog program discovered some users of the popular service were left several hundred pounds out of pocket.

"I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick,” Judith MacFayden, from Reading, told the program. “I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.”

Deliveroo claimed the accounts were hacked because customers reused credentials from other accounts which were compromised in a data breach.

It added that no financial data had been stolen as a result.

Deliveroo claimed it didn’t want to comment on which anti-fraud measures it has in place, for obvious reasons, but said it’s always working to improve such measures.

“Recently, this included frequently asking customers to verify themselves when entering a new address,” it added.

“On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

However, it does appear as if the firm’s checks were found wanting, for example by not being able to spot a single ‘customer’ creating multiple orders for delivery at addresses far from their home.

It’s also been argued that Deliveroo failed to ask returning customers to add their CV2 number to pre-saved account details – a simple step which would have made it impossible for hackers who broke into their accounts to complete orders.

James Romer, chief security architect Emea at SecureAuth, claimed firms need to add extra layers of authentication to the log-in process, as long as this doesn’t impact the user.

“Multi-factor, adaptive authentication, renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts,” he argued.

What’s Hot on Infosecurity Magazine?