
Posts tagged Consumer Champion


Deliveroo Scams on The One Show

When I first spoke about Deliveroo scams for BBC Watchdog in 2016, I had hoped the fast food delivery service would have taken away some tips on how to keep its customers’ accounts safe from fraudsters.

Yet here we are in 2019 and once again I’m investigating – this time for The One Show – why Deliveroo can’t seem to keep its customers’ accounts secure.

Delivering Distress

Investigating Deliveroo Scams

Three years on and it seems little has changed at Deliveroo HQ.

Desperate Deliveroo customers are still finding orders being placed without their consent and delivered to addresses they know nothing about. Victims are still discovering that their email address is being changed, passwords updated, payment details changed, refunds issued – and even their name changed – without any apparent verification or controls.

Deliveroo vehemently denies that its own systems have been hacked. Instead it deflects responsibility back to its customers, admonishing them for reusing passwords across multiple online services.

Deliveroo: You Get Stuffed

Deliveroo claims that criminals are using “credential stuffing” attacks to take over customer accounts. It says usernames and passwords leaked from other online services are used to try and log in to Deliveroo accounts. Because many of us use the same passwords for multiple services, this can be a fruitful method of attack for criminals looking to hijack others’ accounts.
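A credential-stuffing run leaves a distinctive fingerprint in a service’s login logs, which is why “it’s the customers’ fault” is not the end of the story. The detector below is an added example written for this page, not Deliveroo’s code or anyone else’s; the log format, the thresholds and the log lines themselves are constructed for illustration.

```python
"""Spotting credential stuffing in login logs (added example).

One user who mistypes a password fails a couple of times on ONE account.
A stuffing run looks different: one source tries MANY distinct accounts,
each once or twice, and almost all attempts fail because most leaked
passwords are no longer valid here. This detector is hypothetical, written
for this page; it is not how Deliveroo or any other service does it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2019-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2019-05-01T10:00:04 203.0.113.7 carol@example.com OK
2019-05-01T10:00:05 203.0.113.7 dave@example.com FAIL
2019-05-01T10:00:07 203.0.113.7 erin@example.com FAIL
2019-05-01T10:00:08 203.0.113.7 frank@example.com FAIL
2019-05-01T10:00:10 203.0.113.7 grace@example.com FAIL
2019-05-01T10:00:11 203.0.113.7 heidi@example.com FAIL
2019-05-01T10:01:00 198.51.100.4 alice@example.com FAIL
2019-05-01T10:01:20 198.51.100.4 alice@example.com FAIL
2019-05-01T10:01:45 198.51.100.4 alice@example.com OK
2019-05-01T10:02:00 192.0.2.9 ivan@example.com FAIL
2019-05-01T10:02:10 192.0.2.9 judy@example.com FAIL
2019-05-01T10:02:30 192.0.2.9 mallory@example.com FAIL
"""


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse the constructed line format above into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return attempts


def stuffing_sources(attempts: List[Attempt], window: timedelta = timedelta(minutes=5),
                     min_users: int = 5, max_success_rate: float = 0.2) -> Dict[str, dict]:
    """Flag source IPs that, inside any `window`, hit >= min_users distinct
    accounts with a success rate <= max_success_rate. Returns per-IP stats
    for the widest qualifying window."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {a.user for a in win}
            successes = sum(a.ok for a in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                                   "successes": successes}
    return flagged


def compromised_accounts(attempts: List[Attempt], flagged: Dict[str, dict]) -> List[str]:
    """Accounts a flagged source logged INTO: these need a forced password
    reset and step-up verification, not just a warning email."""
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged})


def analyse(text: str) -> Tuple[Dict[str, dict], List[str]]:
    attempts = parse_log(text)
    flagged = stuffing_sources(attempts)
    return flagged, compromised_accounts(attempts, flagged)


if __name__ == "__main__":
    flagged, hijacked = analyse(SAMPLE_LOG)
    for ip, stats in flagged.items():
        print(f"{ip}: {stats}")
    print("accounts to lock:", hijacked)
```

On the sample, only 203.0.113.7 is flagged (eight accounts in ten seconds, one success), and carol’s account is the one that needs locking; alice’s two typos from her own connection are ignored. Real attackers spread a run across many proxy addresses to stay under per-IP thresholds, so a service would pair this with per-account velocity checks and a lookup of each password against known breach corpora.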

In my opinion, this victim-blaming doesn’t let Deliveroo off the hook. Other online services also acknowledge that these kind of attacks take place – and take further sensible precautions to protect their users.

One method used by many online services to add an extra layer of security is two-factor authentication. With “2FA”, a one-off security passcode is sent to the account owner’s smartphone by text message, or generated by an authenticator app on it. It works because even if a hacker has obtained a potential victim’s username and password, it’s unlikely they will have access to their smartphone too. Codes from an authenticator app are the stronger option: a text message can be diverted by a fraudster who persuades the mobile network to move the victim’s number to a new SIM.

Fixing Deliveroo’s Fraud Problem

At the time of writing, Deliveroo does not ask customers to verify changes made to their account before applying them. A change of email address, a new delivery address, new payment details, even a change of name – I mean, how often do you change your name? – all go unchallenged by Deliveroo’s security systems. Yes, an email advising of the change is sent after the event, but by then it’s often too late for victims.

Requiring an extra verification step of that kind, such as a one-off passcode, before significant or out-of-character account changes take effect would, it seems to me, stem much of the fraud Deliveroo customers have been facing.
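What that step-up looks like in code, covering both the 2FA passcode described above and the check on sensitive account changes: the sketch below is an added example for this page, not Deliveroo’s implementation. The field names, the Account class and the notification mechanism are hypothetical; the passcode itself follows RFC 6238 (TOTP over HMAC-SHA1 with 30-second steps), which is what common authenticator apps generate.

```python
"""Step-up verification before sensitive account changes (added example).

A second factor at login only helps if the SAME factor is demanded again
before the changes an account hijacker actually wants: new email, new
password, new payment card, new name, new delivery address. This sketch
(hypothetical, not Deliveroo's code) uses an authenticator-app code
(RFC 6238 TOTP, HMAC-SHA1, 30-second steps) as that step-up, and notifies
the OLD email address so the legitimate owner still hears about an attempt.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

STEP = 30      # TOTP time step in seconds
DIGITS = 6
SENSITIVE_FIELDS = {"email", "password", "payment_card", "name", "delivery_address"}


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret: bytes, candidate: str, now: int, drift: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift),
    comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), candidate)
        for k in range(-drift, drift + 1)
    )


class StepUpRequired(Exception):
    """The change needs a fresh second factor before it is applied."""


class VerificationFailed(Exception):
    """A second factor was supplied but did not verify."""


class Account:
    """Hypothetical account record; a real service would persist this."""

    def __init__(self, email: str, totp_secret: bytes):
        self.fields = {"email": email}
        self.totp_secret = totp_secret
        # (recipient, message) pairs a real service would send by email
        self.notifications: List[Tuple[str, str]] = []


def change_field(account: Account, field: str, new_value: str, now: int,
                 otp: Optional[str] = None) -> None:
    """Apply an account change. Sensitive fields require a valid current
    passcode; the owner is told at the address they had BEFORE the change."""
    owner_address = account.fields["email"]      # captured before any change
    if field in SENSITIVE_FIELDS:
        if otp is None:
            raise StepUpRequired(field)
        if not verify_totp(account.totp_secret, otp, now):
            # Nothing is changed, and the owner learns someone tried.
            account.notifications.append((owner_address, f"blocked attempt to change {field}"))
            raise VerificationFailed(field)
    account.fields[field] = new_value
    account.notifications.append((owner_address, f"{field} changed"))


if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"            # RFC 6238 test seed, for demo only
    acct = Account("owner@example.com", secret)
    now = int(time.time())
    try:
        change_field(acct, "email", "thief@example.com", now)
    except StepUpRequired as exc:
        print("step-up required for", exc)
    change_field(acct, "email", "new@example.com", now, otp=totp(secret, now))
    print(acct.fields, acct.notifications)
```

The two details that matter most are easy to get wrong: the “change applied” notice goes to the address the account had before the change, not the fraudster’s new one, and a failed passcode leaves the record untouched while still alerting the owner. The RFC 6238 test seed is used only to make the behaviour checkable; a real service generates a random per-user secret when 2FA is enrolled.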

Deliveroo does say that it employs advanced machine learning technology to catch fraud. However, with its algorithms failing to identify seemingly bizarre patterns of behaviour, it appears that Deliveroo’s computer all too rarely says no.

Food Fraud-as-a-Service

During the investigation I discovered tutorials shared by hackers on how to break in to Deliveroo accounts – and other services such as Netflix, Spotify or Amazon Prime Video – many hidden online in plain sight. I saw the encrypted chat rooms where hijacked user accounts are bought, sold and requested in bulk.

I also found evidence of fraudulent Deliveroo shop-fronts that offer hefty discounts for ordering through them instead of directly with Deliveroo. These middle-men place orders on behalf of their clients using hijacked Deliveroo accounts, funded with victims’ details, stolen credit cards or refunded credit. They are paid a cut of the order value – typically 30 percent – using tough-to-trace cryptocurrencies.

On the surface, takeaway food crime may appear low-key – but there’s clearly more here than meets the eye.

Takeaway Advice

My advice for Deliveroo customers is this:

  • Use password manager software to create and store long, strong, unique passwords for your online accounts – including Deliveroo – that will be almost impossible for a hacker to guess. There is no such thing as infallible security, but in my opinion a password manager is the best choice you can make right now.
  • For those accounts that support it – and there’s a long list of major online services that do – enable two-factor authentication. Here’s hoping that, one day, Deliveroo joins that list.

Finally, and most important of all, if you don’t trust an online service to keep your account, your personal information or your payment details safe, then vote with your feet and use another service.


Attack of the Facebook Clones: BBC Rip Off Britain

The new series of BBC Rip Off Britain kicks off this week and once again I’m helping to shine a light on the digital shams and scams that have been plaguing viewers across the country.

Such as this one, where Facebook fraudsters buy or cultivate pages with thousands of likes, then rename the page and clone their victim’s shopfront before defrauding their customers:

It can be difficult for shoppers to know which pages are real and which are fakes.

For this film I created an almost identical clone of the BBC Rip Off Britain Facebook page within a matter of minutes. It’s also a challenge for owners of Facebook pages, who can feel powerless to stop scammers ripping off both their business and their customers.

My advice for Facebook page owners – and for visitors to those pages – is to look out for Facebook verification badges. These grey or blue ticks alongside the profile name indicate that the page has been vetted by Facebook, with official documentation provided in some cases, and can reasonably be expected to be the real deal. Page owners can request a grey tick by following Facebook’s verification process.

To find out more about this – and other digital rip offs – tune in to BBC1, weekdays 9.15 to 10.00am or watch on-demand on BBC iPlayer.

Smashing Security Podcast

Smashing Security: UK Porn Passports

I am a regular guest on the award-winning Smashing Security podcast hosted by the inimitable Graham Cluley and Carole Theriault.

The weekly podcast takes a lighter look at the serious business of cyber security, and I appear to have been pigeon-holed as the show’s resident cyber-sex reporter. Oh well.

In last week’s episode I reported on AgeID, the latest attempt by a leading adult-content outlet to adhere to the UK’s upcoming age verification legislation which seeks to protect under-18s from accessing explicit online material.

Clearly, there are a lot of challenges with this piece of law – practically, technically and morally – which is why the UK government has struggled with guidance and deadlines. At the time of writing, we’re still no clearer when the go-live date will be or how effective any block may prove.

Also in the episode we ask when it makes sense to pay a ransomware demand, and uncover the ‘$150 million mansion hijack’.

Tap here to catch the full episode, or find it in your favourite podcast player.


Fake News: Bitcoin Scams and Cryptocurrency Get-Rich-Quick Schemes

Earlier this year on BBC Rip Off Britain I reported on how Martin ‘Money Saving Expert’ Lewis had found himself the unwitting face of adverts for bitcoin and cryptocurrency get-rich-quick schemes.

Understandably angry, Martin embarked upon a public campaign – and legal proceedings against Facebook – to make it clear that he in no way endorses any of these schemes.

Then, last week, I began receiving messages asking about a bitcoin scheme that I was apparently supporting. A quick web search and scan of social media revealed that it was my turn to be the face of dodgy cryptocurrency money-making schemes:


This advert is fake – I do not endorse any cryptocurrency trading platforms

To be absolutely clear: these adverts are fake. In no way do I endorse any bitcoin or cryptocurrency money-making schemes. And as for me making ‘millions of pounds every month’? I’m still working on it.

The photos are genuine, though not the captions. The irony is that the scammers now using my face in those fake ads had the cheek to come to my website to steal the images.

There’s also an entire website now dedicated to my endorsement of the so-called trading platform. It goes so far as to provide a fabricated transcript of a conversation between me and Susanna in which I explain how the scheme works.

When I perform a web search on some phrases on the site, I find it’s identical to another site on the web in which Martin Lewis is the proponent.

It’s desperately frustrating that my face may now be helping to rip people off, and that there’s little I can do to stop it from happening.

However, what I can do is to help spread the word that these adverts should not be taken at face value. Also, steer well clear of any get-rich-quick schemes like these – whoever appears to be endorsing them. And be very cautious of any screenshot of a news story – they’re very easy to fake.

Recently, I shared some tips on how to spot fake adverts.

BBC Rip Off Britain: Live

Fakebook: How to Spot Fake Facebook Adverts – BBC Rip Off Britain: Live

Whether it’s fake news, fake likes or fake adverts, Facebook hasn’t been far from the top of the news agenda over the last few months.


Don’t trust an advert just because it features a trusted face (Image: BBC)

On Monday’s Rip Off Britain: Live (BBC1, 9.15am) I addressed the fake Facebook adverts issue which has recently seen money-saving expert Martin Lewis sue the social network for damages after his face appeared in fake adverts for scam financial products.

The fake Facebook adverts I see generally fall into three main categories:

Fake Celebrity Endorsements

Advertisers have long worked with trusted names to grow reach and sales – and there’s nothing wrong with that.

However, as Martin Lewis and others have found, it’s a doddle for rogue advertisers to mock up fake celebrity endorsements, fake news reports – even entire fake websites – in an attempt to ensnare unwitting readers into their sales funnel.

MY ADVICE: Don’t trust an advert just because it features a trusted face, or appears to be a news story from a reputable news site, do your own research first.



Wi-Fi Router Workout with Channel 4 Supershoppers

I’ve been filming some items for Channel 4 prime-time consumer programme, Supershoppers. In tonight’s show, I’m investigating broadband and Wi-Fi speeds.

Is the internet speed you pay for the speed you actually get throughout your home? There are lots of reasons why that may not be the case, one of which is how well your broadband router performs.

The majority of us make do with the router provided by our internet service provider when we sign up. While that’s often the easiest way to get up and running, that bundled hardware may not always provide the best internet experience around the house.

Supershoppers Wi-Fi Router Testing

(Images: Channel 4/Firecrest Films)

So, we’re testing the kit shipped by some of the UK’s top internet service providers – as well as some after-market options – to see which router works the hardest to send Wi-Fi around your home.

In the show we test:

  • BT Smart Hub
  • Sky Q Hub
  • Virgin Media Hub 3.0
  • TP-Link TL-WR940N
  • Linksys WRT1900ACS

Watch Supershoppers on Thursday 14 June 2018 at 8pm or catch up on All 4.


BBC Rip Off Britain Season 10

Rip Off Britain is back with a new series on BBC1 this week.

In one of this season’s films, I talk about how internet-connected doorbells are now being used to help catch crooks.

Filming in Manchester for series 10 of BBC Rip Off Britain

Think of a connected doorbell as a video intercom – similar to those already popular in flats and offices – that connects your front door to your phone. Not only do they provide peace of mind when your doorbell – or perhaps that of an elderly relative – rings, these smart devices can also record video of who is at the door. Needless to say, they have already been used to help identify criminals.

In another item for the show this series, I take Julia Somerville to a Bitcoin cashpoint to explain what cryptocurrency is and how it works – and how some viewers may have lost substantial sums of more traditional cash to so-called Bitcoin scammers.

This year for the show we’ve also been making some quick advice films for Facebook – here’s me talking about why some viewers’ second-hand smartphones have suddenly stopped working days or weeks after they’ve bought them:

Rip Off Britain airs on BBC1 at 9.15am from Monday 13th June 2018, available on catch-up on BBC iPlayer.


BBC Watchdog: Nectar Card Fraud

I was back in the BBC Watchdog studio last night for an item on how Nectar card fraud has been leaving some viewers with a decidedly sour taste in their mouths.

BBC Watchdog Nectar Card Fraud

(Image: BBC)

Reports of fraudsters targeting the Nectar loyalty scheme aren’t new, but a recent spate of activity has brought it back to the top of the Watchdog mailbag.

Nectar began rewarding shoppers in 2002, and now around 20 million members collect and spend points at a variety of high-street and online retailers. In February this year, Nectar was bought by supermarket chain Sainsbury’s, which now also owns catalogue chain Argos.

In the fraud, Nectar points are redeemed – often in high street stores – to buy goods. The first victims know of it is when they try to spend their Nectar balance and find instead that their account is empty. So prolific are the fraudsters that, in some cases, victims have even found they’ve been left with a negative balance.

There are some patterns to the fraud:

  • Victims are adamant that their physical Nectar card – which is required to redeem points for goods in store – hasn’t been stolen or mislaid, and wasn’t even in the same town as where the points were redeemed
  • Argos appears to be a hot-spot for fraudsters redeeming Nectar points

How does Nectar card fraud work?

That is the million Nectar point question. On the surface, this is very straightforward:
