The BBC consumer advice show “Watchdog” found hundreds of examples of customers being billed for food they didn’t order via the restaurant delivery app Deliveroo, forcing the foodies’ favourite business to deny that it has been targeted by hackers. The company claimed that the fraudulent orders were placed using credentials stolen in attacks on other services, and that they only worked against customers who had used the same email/password combination for their Deliveroo account.
The customers contacted by the programme, which aired on the 23rd November (you can watch it on iPlayer here until the 23rd December if you are in the UK), all had their money refunded, which is good news, but we don’t know how much has had to be forked out in refunds to affected customers. Deliveroo have since denied that any payment information was taken, and said the transactions were made using a one-click style payment process that doesn’t require customers to re-enter their payment information for every order.
The advice remains that every online account should be protected by a unique password. Although this can rapidly become unmanageable, several password managers are available to stop you forgetting the unique password for that one website you only use once a year and are never going to remember. Apple users can use iCloud Keychain, although cross-application support is often lacking, and several Perception staff members use and can vouch for 1Password.
The use of stolen credentials raises an interesting issue for online businesses. Deliveroo obviously benefits from a massively streamlined ordering process, but is this done to the detriment of security? Deliveroo have stated they will ask for verification when orders are made to new addresses, which should help to stop the fraud almost entirely (although it still leaves the door open to send as much food as possible to a hacked customer’s genuine address, in the weirdest hacking prank ever). If Deliveroo is able to prove where the passwords were stolen from, should they be able to make a claim against that organisation, since the breach was technically its fault? Should every breached company be forced to immediately contact all customers and let them know that a single password is no longer usable on any other site?
The European Banking Authority plans to regulate two-factor authentication on all orders over €10 in the near future, but already that has many businesses favouring one-click ordering up in arms, stating that more business will be lost than is saved on fraud refunds. Perhaps the responsibility for security lies solely with the consumers themselves, and those who reuse passwords have only themselves to blame; we can hardly expect businesses to check all new accounts against haveibeenpwned.com and refuse service to those who have been hacked in the past, can we?