Deliver-oops! Takeaway pusher's customers burger-ed by hijackers

Customers of online takeaway firm Deliveroo are getting their accounts hijacked and charged for food they never ordered, according to an investigation by BBC One's Watchdog. Investigators from the campaigning TV consumer affairs programme uncovered evidence that scores of customers of the newly be-logo-ed Deliveroo are being …

  1. Anonymous Blowhard

    "These issues occur when criminals use a password stolen from another service unrelated to our company"

    If this is true, then there's not much Deliveroo can do about it. Punters should really be moaning to the source of the compromised data (anyone know who that is?) and make sure that they don't reuse passwords.

    Lesson for punters: don't use the same password on multiple accounts.

    Lesson for <whoever>: don't store passwords as plain text!!!

    1. Little Mouse

      Didn't Hungry House have the same or similar issue a while back? They chose to reset the passwords of affected accounts and the indignant masses just whinged at them because of the "inconvenience".

    2. Dan 55 Silver badge

      There's not much Deliveroo can do about it - but they're not even trying

      Deliveroo can monitor for compromised data, if they find it wipe CC information, send an e-mail explaining why, and force a password reset.

      And why are they allowing deliveries to new addresses without making people re-enter their CC info?

      1. a_yank_lurker

        Re: There's not much Deliveroo can do about it - but they're not even trying

        Delivering to a different address is plausible, particularly if someone is travelling. Two things should have alerted someone to fraud: distance and time interval. If the distance between two deliveries does not make sense for the time interval, such as when the speed at which one would have to drive from point A to B is only possible on a racetrack. Also, if one orders dinner at 6PM, they are not likely to be hungry at 8PM. It sounds like the fraud detection was either lacking or inept, to be polite.

        1. G Watty What?

          Re: There's not much Deliveroo can do about it - but they're not even trying

          I agree with your scenario but blimey what an edge case!

          I use my uncompromised account to order food, once a month let's say (I try to stay healthy but not too healthy). So your fraud detector won't fire unless I order some food, the cheeky-chappies hack my account on the same night, and also order food.

          Now imagine I order once a week not once a month. There's still a 6 in 7 chance that your fraud detector won't spot it.

          As others have said, forced re-entering of card details for different delivery addresses seems a really sensible solution here.

      2. SEKURITEH

        Re: There's not much Deliveroo can do about it - but they're not even trying

        This is definitely a grey area legal-wise, if not straight-up illegal.

        You would need to get access to the data dumps first, and you would then be handling personal data of hundreds of thousands of living individuals, and cross checking this against your own customer DB.

        I have considered it for our biz, but lawyers weren't keen on it. You'd need to be really sure it was OK to do so, quite a ballsy move but one that needs industry-wide attention. If there was a common ethical database of breaches (eg. HIBP) that allowed approved businesses to compare their customers' accounts against, and then reset PWs etc.. that could work. But there are so many ethical and legal questions here.. most will not do it.

    3. John Brown (no body) Silver badge

      "Lesson for punters: don't use the same password on multiple accounts."

      Just as important, don't use the same username/email address on multiple accounts.

      That way, if an account is compromised in a data breach on site A, they don't even have an account on site B or C to try the password on.

  2. Anonymous Coward
    Anonymous Coward

    "The three-year-old startup ought to require the CVV2 code on bank cards..."

    Never mind the CVV2 code - I still don't understand why companies insist on holding the card information for any longer than it takes to make the payment.

    1. Geoff Campbell Silver badge

      Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

      Convenience. Who wants to enter a card number every time? Even with form-completion stuff in the browser it soon gets pretty old.

      GJC

      1. SVV

        Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

        "Who wants to enter a card number every time?"

        Well, I certainly do. For the same reason I'm happy to endure the minor inconvenience of using a key to unlock my door when I come home.

        Frankly, the credit card companies should be liable when this sort of stuff happens. Then they'd insist on companies using their services to stop storing these details and use verification services instead. Problem solved, and if companies don't like it, let them find an alternative.

        Security is always more important than convenience when financial transactions occur within IT systems.

        1. Anonymous Coward
          Anonymous Coward

          Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

          Regardless of payment method, is there anything these delivery apps/platforms can do to prevent fraud without eliminating the convenience factor that justifies their existence?

          Would it be a BAD thing if they can't?

          1. Adam JC

            Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

            Well yeah, not allowing four different orders of food within the same evening to four separate addresses more than 100 miles away would be a start. I can't imagine it's that hard to add some sort of warning/sanity check! That's a pretty darn easy to spot red flag there.

      2. Anonymous Coward
        Anonymous Coward

        Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

        Convenience. Who wants to enter a card number every time?

        Me… because it at least suggests you haven't been storing the material for later abuse.

        Then again, I'm a luddite that uses a post-office issued debit card maybe once or twice a month. If it did get compromised, the thief would get no more than about $20 off it.

    2. Anonymous Coward
      Anonymous Coward

      Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

      That's fine provided that they hold it correctly.

      Deliveroo fails PCI compliance.

      If my memory is correct, adding a new goods delivery address to an account for a card payment requires re-authentication of payment details - at the very least CVV2 or stronger confirmation methods.

      Deliveroo have FAILED to do that and the punishment for failing PCI is plain and simple - revocation of credit card processing rights and/or mandatory verification of all purchases via SecureKey/Verified by Visa/Secure Code.

      So who the f*** is their payment processor and why they have failed to enforce the PCI code on them?

      1. SEKURITEH

        Re: "The three-year-old startup ought to require the CVV2 code on bank cards..."

        That's not how PCI works. PCI passes on fines to their merchant, who will then fine Deliveroo.. only in the event of a BREACH. There is no fine or punishment for non-compliance. If you're seriously non-compliant, and have no plan to fix this.. then yes, you may have your ability to take card payments revoked.. but it is incredibly unlikely.

        I know PCI DSS pretty well and have never seen anything related to needing to re-auth when changing the delivery address.. however - this is a common sense thing all companies should do. From PCI's perspective, it wouldn't stop card breaches (that's all they care about).. from Deliveroo's perspective, it would reduce fraud - great!

  3. Geoff Campbell Silver badge

    "checking the address on orders is close to or the same as pre-registered addresses."

    I do hope not. I only ever use this sort of service when staying away from home.

    GJC

    1. Halcin

      Re: "checking the address on orders is close to or the same as pre-registered addresses."

      @Geoff Campbell

      Deliveroo's systems failed to raise fraud warnings about multiple orders to addresses miles apart from each other all on the same night.

      1. You aint sin me, roit

        Re: "checking the address on orders is close to or the same as pre-registered addresses."

        Send a confirmation email if you change your account details or want something delivered to a different address....

        Send an SMS if "unusual" activity is seen on your account...

        Actually perform some analysis so that they pick up on "unusual" activity.

        Not to mention requiring the CVV.

        Tons of things they could do while retaining the convenience of retaining your credit card numbers...
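The checks proposed in this thread (a_yank_lurker's distance-versus-time interval, G Watty What's and Adam JC's several far-apart addresses in one evening, and the confirmation-on-change and "unusual activity" ideas just above) fit together as one rule-based order screen. The following is an added example, not code from the original post or from Deliveroo; the thresholds, coordinates, field names and the `allow`/`step_up`/`hold` outcomes are all constructed assumptions. It goes slightly beyond the thread by also treating an order placed shortly after a profile edit as a risk signal, and by letting a plausible out-of-town order through with a step-up check rather than blocking it, which is the travelling-customer case Geoff Campbell raises.

```python
# Added example: a rule-based fraud screen for delivery orders built from the
# heuristics proposed in the comment thread. Thresholds, coordinates and the
# scenario data are constructed for illustration, not taken from any real system.
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 120.0              # constructed: faster than this between deliveries is "racetrack" speed
HOME_RADIUS_KM = 10.0                        # constructed: farther than this from any registered address is unusual
MAX_ADDRESSES_PER_DAY = 2                    # constructed: distinct delivery points allowed in a rolling 24h window
PROFILE_CHANGE_WINDOW = timedelta(hours=24)  # constructed: orders soon after an account edit are riskier


@dataclass
class Order:
    order_id: str
    placed_at: datetime
    lat: float
    lon: float


@dataclass
class Account:
    registered_addresses: list          # (lat, lon) pairs the customer has used before
    history: list = field(default_factory=list)   # earlier Orders, including held attempts
    last_profile_change: datetime = None          # when e-mail/password/address was last edited


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def assess_order(account, order):
    """Return the list of risk flags raised for `order` against `account`."""
    flags = []
    here = (order.lat, order.lon)

    # 1. Delivery point is far from every address the customer has registered.
    if account.registered_addresses and all(
        haversine_km(here, addr) > HOME_RADIUS_KM for addr in account.registered_addresses
    ):
        flags.append("far_from_registered_address")

    # 2. Impossible travel: speed implied by the previous order's place and time.
    earlier = [o for o in account.history if o.placed_at <= order.placed_at]
    if earlier:
        prev = max(earlier, key=lambda o: o.placed_at)
        dist = haversine_km(here, (prev.lat, prev.lon))
        hours = max((order.placed_at - prev.placed_at).total_seconds() / 3600, 1 / 60)
        if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            flags.append("impossible_travel")

    # 3. Too many distinct delivery points within the last 24 hours.
    recent = [o for o in earlier if o.placed_at >= order.placed_at - timedelta(hours=24)] + [order]
    if len({(round(o.lat, 3), round(o.lon, 3)) for o in recent}) > MAX_ADDRESSES_PER_DAY:
        flags.append("multiple_addresses_same_day")

    # 4. Order placed shortly after the profile was edited (e-mail, password, address).
    if account.last_profile_change is not None and \
            timedelta(0) <= order.placed_at - account.last_profile_change < PROFILE_CHANGE_WINDOW:
        flags.append("recent_profile_change")
    return flags


def decide(flags):
    """Map flags to an action: allow, step_up (re-enter CVV / confirm by e-mail or SMS), or hold."""
    if "impossible_travel" in flags or "multiple_addresses_same_day" in flags:
        return "hold"       # hold the order, charge nothing, and notify the customer
    if flags:
        return "step_up"    # plausible but unusual (e.g. travelling): re-verify before charging
    return "allow"


def run_scenario(account, orders):
    """Screen orders in turn; attempts stay in history so later checks can see the pattern."""
    results = []
    for o in orders:
        flags = assess_order(account, o)
        results.append((o.order_id, decide(flags), flags))
        account.history.append(o)
    return results


def demo():
    """Two constructed scenarios for one London customer: a hijack burst and a genuine trip."""
    home = (51.5074, -0.1278)                 # constructed: central London
    t0 = datetime(2016, 11, 21, 18, 0)
    # Scenario A: dinner at home, then orders ~262 km and ~113 km apart within 75 minutes.
    hijack = run_scenario(Account(registered_addresses=[home]), [
        Order("o1", t0, *home),
        Order("o2", t0 + timedelta(minutes=30), 53.4808, -2.2426),   # Manchester
        Order("o3", t0 + timedelta(minutes=75), 52.4862, -1.8904),   # Birmingham
    ])
    # Scenario B: same Manchester address, but a day later: far from home, yet physically possible.
    trip = run_scenario(Account(registered_addresses=[home]), [
        Order("o1", t0, *home),
        Order("o4", t0 + timedelta(hours=25), 53.4808, -2.2426),
    ])
    return {"hijack": hijack, "trip": trip}


if __name__ == "__main__":
    for name, results in demo().items():
        for order_id, action, flags in results:
            print(name, order_id, action, flags)
```

In scenario A the second order is held on impossible travel alone (about 262 km in 30 minutes) and the third trips the same-day address count as well, so neither is charged; in scenario B the out-of-town order is not blocked but is pushed to a step-up check, which is where requiring the CVV again or a confirmation e-mail/SMS would sit. The point of separating `hold` from `step_up` is that a travelling customer keeps the convenience the thread argues over, while a burst of far-apart orders never gets as far as the card.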

    2. Pen-y-gors

      Re: "checking the address on orders is close to or the same as pre-registered addresses."

      Here's a really off-the-wall idea...how about the plods get in their cars and try knocking on the doors to which the grub was delivered? May not be the perps, but perhaps friends of the perps? Or maybe the hackers get a kick from having free food delivered to random addresses?

      1. Anonymous Coward
        Holmes

        Re: "checking the address on orders is close to or the same as pre-registered addresses."

        > how about the plods get in their cars and try knocking on the doors to which the grub was delivered

        Random college dorms and apartment buildings, I imagine. Follow someone in, answer the door, save the deliverer a trip to your putative 10th-floor apartment, wait a minute, walk out. Plods could trawl security camera footage, but for petty theft discovered days later, that's doubtful.

        > A really basic security option is to require seeing the card the food is billed to when delivering

        Trust restaurant employees and "gig economy" delivery drivers with customers' cards? I think not. Anyone can sign up as a driver/rider for these delivery apps. They're not gonna enforce the rules for their friends if they can avoid it, and they may purposely seek out apps with weak fraud prevention.

        "We're gonna eat great again, and we're gonna make the hipsters pay for ALL of it!!!"

  4. Toltec

    So the police have a list of addresses the food was delivered to...

    I know some of these companies will not deliver large orders to public sites, we got caught out by that a couple of years ago when the food for the crew at a car show failed to turn up.

    A really basic security option is to require seeing the card the food is billed to when delivering, the same way that Screwfix need you to present the card you used when picking up an online order in store.

  5. MJI Silver badge

    Only just saw proof they are bunch of cowboys

    When I nearly flattened a delivery cyclist in the middle of the night with no lights on.

    He was lucky I saw him at last moment.

    They can't even afford to run mopeds

    1. Anonymous Coward
      Anonymous Coward

      Re: Only just saw proof they are bunch of cowboys

      He probably can't, being "self-employed" (nod nod, wink wink) (#) at Deliveroo's stingy rates.

      If their security staff are "self-employed" (##) using similar on-the-cheap practices, that *would* explain a lot.

      (#) In much the same way that all those people employed^w hired by "gig economy" companies like Uber are "self-employed" despite being required to be available on the companies' terms or face sanctions, much like an, er... employee. Oh yeah, and f*** Deliveroo.

      (##) Sorry, my neck and eye muscles are still tired from the last round of nods and winks

      1. MJI Silver badge

        Re: Only just saw proof they are bunch of cowboys

        If I wanted something similar we have a local company who does similar, but then most companies deliver anyway

        I expect bike food users got a cold meal.

        1. John Brown (no body) Silver badge

          Re: Only just saw proof they are bunch of cowboys

          "If I wanted something similar we have a local company who does similar, but then most companies deliver anyway"

          A couple of the local takeaways I use now and then are both part of these delivery franchise things like Deliveroo. They don't like it and would rather not use them, but they have no choice because even some of the regulars go via them instead of just phoning up as normal. But people like Deliveroo expect certain prices, ie no more than the normal shop price, except Deliveroo take a commission out of that price paid by the customer.

    2. Allan George Dyer
      Paris Hilton

      Re: Only just saw proof they are bunch of cowboys

      On a bicycle? What happened to his horse?

  6. chivo243 Silver badge
    Devil

    this is easier

    than breaking into the delivery dude's car and stealing all his deliveries... I used to deliver when in uni, this happened a few times

    1. Kernel

      Re: this is easier

      A serious issue, actually.

      Pizza drivers have been killed for the pizza and few dollars they carry before today - back in 2001 a New Zealand pizza delivery driver was killed when he made the delivery - those charged with the killing ranged from 12 to 17 years old (the 12yo got 7 years for manslaughter).

  7. FuzzyWuzzys
    Facepalm

    Is it me...

    ...but wouldn't it be better to have the default for all orders to be a max of 10 miles from an account holder's address? If you need to override that and increase the distance then you need some sort of 2FA to verify?

  8. Anonymous Coward
    Anonymous Coward

    I'll wager they use a continuous payment authority https://www.help.barclays.co.uk/faq/payments/payment-information/whats-cpa.html

    So no need to store any PCI in scope details

  9. Anonymous Coward
    Anonymous Coward

    Convenience?

    Screw Deliveroo and their so called convenient process.

    I'm building a service that orders when a user's stomach grumbles.

    The alpha has some teething problems though as the software can't differentiate between different stomach growls.

    One tester has reported having the shits for 3 months due to ordering a kebab every time his bowels groan under the pressure.

    Apparently he took the matter to his GP who analysed his diet. His daily list was as follows:

    8 bacon sandwiches

    12 egg and sausage baguettes

    9 cups of tea

    12 cups of coffee

    5 large muffins

    23 cheese and onion sandwiches

    4 Nandos

    18 pizzas

    37 kebabs

    19 burgers

    9kg of chips and salad

    and an After Eight.

    After several scans, consultations and tests the doctor concluded that the problem he had was having only one arsehole.

    The limitations of the human condition eh?

  10. Anonymous Coward
    Anonymous Coward

    Never reuse an email address

    If you use a different email for each service, life is so much more private

  11. Frank Bitterlich
    Facepalm

    The "industry" must be in a sad state...

    "We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning"

    Sure. All the red flags were there (recent account change, different far-distanced addresses used on a single day, ...) and still the orders went through.

    So what exactly was the machine learning from that? Which anomalies will it actually detect? And which industry are their anti-fraud mechanisms leading?

    My take:

    a) How to solve a Rubik's cube in under 50 moves,

    b) Orders from India (or Betelgeuse?)

    c) The road construction industry?

    How much is in the pot?

  12. Andy The Hat Silver badge

    Please!

    In a story on fast food fraud, who would knowingly use the phrase "domino effect" ... then again, I get your point.

    1. John H Woods Silver badge

      Re: Please!

      who would knowingly use the phrase "domino effect" ... Andy The Hat

      I'm disappointed they didn't refer to anyone losing 'wedge'

  13. lglethal Silver badge
    Facepalm

    So I take it the breach was reported to the Police, along with the delivery addresses where the food was delivered. And this was followed by the Police obtaining search warrants and then visiting the potential miscreants? To be followed by media reports of either "World's dumbest criminals caught!" or "Confused family gets free feed followed by visit from the fuzz" style headlines...

    Why do I hear crickets chirping?

  14. Anonymous Coward
    Anonymous Coward

    "Victims have being reimbursed for their losses..."

    Surely this should be...

    "Victims have been reimbursed for their losses..."

    or

    "Victims are being reimbursed for their losses..."

    Honestly... what's the world coming to...

    1. Alistair
      Coat

      @AC

      "Honestly... what's the world coming to..."

      The author's TTS software uses the same machine learning that Deliveroo's fraud analysis programs do.

  15. Zot

    What's wrong with "You have been given a random password, please write this down...." ?

  16. Sgt_Oddball

    wait...what?

    "Industry leading anti fraud measures"

    If theirs is industry leading then who's got measures that aren't and how bad does the industry have to be for this sort of thing to be missed? Is the bar that low?

  17. Anonymous Coward
    Anonymous Coward

    The attitude's in the logo peoples…

    To me it looks like a gloved right hand giving a two-finger salute. See that mob around Milton/Rosalie a lot, and that's exactly what I think of when I see the logo.

  18. David Pollard

    Take the cash - use the card

    A couple of years ago a chum who was visiting had paid for our meal at a local pub/restaurant with his credit card. A few days later the details were used to pay for a rather large takeaway order from a nearby pizza parlour. I puzzled for a while as to why anyone might do this and then realised that it's a means of getting cash.

    The way I imagine this scam is done is that a couple of people work together in the catering trade, where there is a fairly fast turnover of casual staff. One collects card details, which aren't used for a few days. The other, at a different establishment, waits until a customer pays cash for a large order, trousers the money and pays using the stolen credit card details.

    Unless one or other is caught/observed in the act of collecting or using the credit card details it would be rather difficult to bring a prosecution, even if it was possible to find out who the perpetrators were.
