When I first spoke about Deliveroo scams for BBC Watchdog in 2016, I had hoped the fast food delivery service would have taken away some tips on how to keep its customers’ accounts safe from fraudsters.

Yet here we are in 2019 and once again I’m investigating – this time for The One Show – why Deliveroo can’t seem to keep its customers’ accounts secure.

Delivering Distress

Investigating Deliveroo Scams

Three years on and it seems little has changed at Deliveroo HQ.

Desperate Deliveroo customers are still finding orders being placed without their consent and delivered to addresses they know nothing about. Victims are still discovering that their email address is being changed, passwords updated, payment details changed, refunds issued – and even their name changed – without any apparent verification or controls.

Deliveroo vehemently denies that its own systems have been hacked. Instead it deflects responsibility back to its customers, admonishing them for reusing passwords across multiple online services.

Deliveroo: You Get Stuffed

Deliveroo claims that criminals are using “credential stuffing” attacks to take over customer accounts. It says usernames and passwords leaked from other online services are used to try to log in to Deliveroo accounts. Because many of us use the same passwords for multiple services, this can be a fruitful method of attack for criminals looking to hijack others’ accounts.

In my opinion, this victim-blaming doesn’t let Deliveroo off the hook. Other online services also acknowledge that these kinds of attacks take place – and take further sensible precautions to protect their users.

One method used by many online services to add an extra layer of security is two-factor authentication. With “2FA”, a text message containing a one-off security passcode is sent to the account owner’s smartphone. It works because even if a hacker has identified a potential victim’s username and password, it’s unlikely they will have access to their smartphone too.

Fixing Deliveroo’s Fraud Problem

At the time of writing, Deliveroo does not ask customers to validate updates made to their account. A change of email, new delivery address, payment details, even name – I mean, how often do you change your name? – go unchallenged by Deliveroo’s security systems. Yes, an email advising of a change is sent after the event, but by then it’s often too late for victims.

Adding an additional security step like this for significant or out-of-character account activities would, it seems to me, stem much of the fraud Deliveroo customers have been facing.

Deliveroo does say that it employs advanced machine learning technology to catch fraud. However, with its algorithms failing to identify seemingly bizarre patterns of behaviour, it appears that Deliveroo’s computer all too rarely says no.
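To make the “significant or out-of-character” idea concrete, here is an added example (my own illustration, not Deliveroo’s code) of a small risk score that gates sensitive account changes behind a step-up check such as a one-time code. The field list is the one described above; the weights, threshold, 24-hour window and the event sequence are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Weights are assumed tuning values; the fields are those the article says attackers rewrite.
FIELD_WEIGHT = {"email": 3, "password": 3, "payment": 3, "name": 3, "address": 1}
NEW_DEVICE_WEIGHT = 3        # session from a device never seen on this account
CHAIN_WEIGHT = 2             # per other field changed in the last 24 hours
STEP_UP_THRESHOLD = 3        # at or above this, verify with the owner before applying
WINDOW = timedelta(hours=24)

@dataclass
class Change:
    attr: str                # which account field is being changed
    at: datetime
    new_device: bool = False

@dataclass
class Account:
    history: list = field(default_factory=list)   # changes already recorded

def risk_score(account: Account, change: Change) -> int:
    """How significant or out-of-character is this change for this account?"""
    score = FIELD_WEIGHT.get(change.attr, 0)
    if change.new_device:
        score += NEW_DEVICE_WEIGHT
    # Several different fields rewritten within a day is the takeover pattern.
    chained = {c.attr for c in account.history
               if c.attr != change.attr and change.at - c.at <= WINDOW}
    score += CHAIN_WEIGHT * len(chained)
    return score

def apply_change(account: Account, change: Change) -> str:
    """Return 'allow' (apply now) or 'step-up' (confirm with the owner first)."""
    decision = "step-up" if risk_score(account, change) >= STEP_UP_THRESHOLD else "allow"
    account.history.append(change)   # recorded either way so later changes see it
    return decision

def takeover_scenario() -> list:
    """Constructed sequence: one routine owner edit, then the chain the article describes."""
    t0 = datetime(2019, 6, 1, 12, 0)
    acct = Account()
    events = [
        Change("address", t0 - timedelta(days=3)),                       # owner, usual phone
        Change("email", t0, new_device=True),                            # stuffed login
        Change("password", t0 + timedelta(minutes=2), new_device=True),
        Change("payment", t0 + timedelta(minutes=5), new_device=True),
        Change("name", t0 + timedelta(minutes=6), new_device=True),
    ]
    return [(e.attr, apply_change(acct, e)) for e in events]
```

A lone address edit from the owner’s usual phone passes, while an email, payment or name change always triggers the step-up, and each further change in the chain scores higher still.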

Food Fraud-as-a-Service

During the investigation I discovered tutorials shared by hackers on how to break into Deliveroo accounts – and other services such as Netflix, Spotify or Amazon Prime Video – many hidden online in plain sight. I saw the encrypted chat rooms where hijacked user accounts are bought, sold and requested in bulk.

I also found evidence of fraudulent Deliveroo shop-fronts that offer hefty discounts for ordering through them instead of directly with Deliveroo. These middle-men place orders on behalf of their clients using hijacked Deliveroo accounts, funded with victims’ details, stolen credit cards or refunded credit. They are paid a cut of the order value – typically 30 percent – using tough-to-trace cryptocurrencies.

On the surface, takeaway food crime may appear low-key – but there’s clearly more here than meets the eye.

Takeaway Advice

My advice for Deliveroo customers is this:

  • Use password manager software to create and store long, strong, unique passwords for your online accounts – including Deliveroo – that will be almost impossible for a hacker to guess. There is no such thing as infallible security, but in my opinion a password manager is the best choice you can make right now.
  • For those accounts that support it – and there’s a long list of major online services that do – enable two-factor authentication. Here’s hoping that, one day, Deliveroo joins that list.

Finally, and most important of all, if you don’t trust an online service to keep your account, your personal information or your payment details safe, then vote with your feet and use another service.