Food delivery network Deliveroo has suffered a mysterious security breach that has left dozens of UK users picking up large bills for food they never ordered.
News of the problem was revealed by the BBC’s Watchdog TV show, which said it had received “scores of complaints” about rogue transactions appearing on viewers’ accounts during the last month.
In one example, £240 ($300) was debited from a customer in Reading for food delivered 30 miles away in London. In another, Southampton University students were billed a total of £440 for food and alcohol delivered in Leicester (120 miles away) and London (60 miles away).
These were organised fraudsters with big appetites, in the latter incident taking delivery of four curries, six naan breads, a kebab, three grilled chickens, four pizzas, five cheesecakes, garlic bread and a liver-killing eight bottles of vodka.
The first these customers knew of the orders was when they received notification by email and through the Deliveroo smartphone app, by which time it was already too late to stop them.
To its credit, once informed of the fraudulent transactions Deliveroo refunded the money, although the refund could still take up to 10 days to arrive.
The unsettling question is how Deliveroo’s customers were breached in the first place.
Deliveroo has blamed the breach on cybercriminals getting hold of login details “stolen from another service unrelated to our company in a major data breach”.
This is called “credential stuffing”: attackers take username and password pairs stolen from one website and try them against many others, relying on account holders having reused the same password across services. Only a small fraction of the stolen pairs will work on any given site, but against a large enough list that is still a large number of accounts.
So far, the company has offered no evidence to back up this claim. On the assumption that it is true, Deliveroo users in the habit of re-using passwords should change theirs immediately as a precaution.
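Credential stuffing is visible from the server side if you look for it: a single source trying many different accounts, most of the attempts failing, and an occasional success. The following is an added example, not Deliveroo code or anything from the Watchdog report, that runs that heuristic over a constructed login log; the log lines, IP addresses, thresholds and account names are all made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample login log (not real Deliveroo data). One line per attempt:
# timestamp, source IP, account, outcome. 203.0.113.5 walks a leaked credential
# list across eight accounts and succeeds twice, which is what a stuffing run
# looks like to the server; the other two sources are ordinary users.
SAMPLE_LOG = """\
2016-11-23T10:00:01Z 203.0.113.5 alice@example.com FAIL
2016-11-23T10:00:02Z 203.0.113.5 bob@example.com FAIL
2016-11-23T10:00:02Z 203.0.113.5 carol@example.com OK
2016-11-23T10:00:03Z 203.0.113.5 dave@example.com OK
2016-11-23T10:00:03Z 203.0.113.5 erin@example.com FAIL
2016-11-23T10:00:04Z 203.0.113.5 frank@example.com FAIL
2016-11-23T10:00:04Z 203.0.113.5 grace@example.com FAIL
2016-11-23T10:00:05Z 203.0.113.5 heidi@example.com FAIL
2016-11-23T10:02:10Z 198.51.100.7 alice@example.com FAIL
2016-11-23T10:02:25Z 198.51.100.7 alice@example.com OK
2016-11-23T10:05:00Z 198.51.100.9 erin@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ip: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the whitespace-separated format above into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append(LoginEvent(ts, ip, account, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_accounts, attempts, failures)} for sources that look
    like credential stuffing: many *distinct* accounts tried from one place and
    most of the attempts failing. A real user retrying a mistyped password hits
    one account; a stuffing run hits hundreds. Thresholds are illustrative."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for e in events:
        stats = per_ip[e.ip]
        stats["accounts"].add(e.account)
        stats["attempts"] += 1
        stats["failures"] += 0 if e.ok else 1
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["accounts"]) >= min_accounts and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = (len(s["accounts"]), s["attempts"], s["failures"])
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts a flagged source logged into successfully: their reused password
    was in the attacker's list, so they should be forced to reset it."""
    return {e.account for e in events if e.ok and e.ip in flagged_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    print("suspicious sources:", flagged)
    print("accounts to reset:", sorted(compromised_accounts(evs, flagged)))
```

The per-IP view is the simplest form of the check and the easiest to evade: a determined attacker spreads attempts across proxies so no single address trips the threshold, which is why production defences also watch the site-wide failure rate, device fingerprints, and whether a submitted password appears in known breach lists.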
Harder to explain is the ease with which fraudsters were able to run up unusually large bills for food delivered significant distances from registered addresses.
Deliveroo says it uses “anomaly detection” to spot this sort of deviation from normal behaviour but clearly something went wrong with this or it wasn’t applied widely enough.
The criminals were also able to get the food delivered to public buildings rather than home addresses, another red flag that should have raised suspicions.
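The three signals just described, an order far larger than the customer's usual spend, delivered a long way from the registered address, and to somewhere that is not a home, are exactly what an anomaly check on orders would combine. The following is an added example, not Deliveroo's anomaly detection or any code from the report, that scores two constructed orders against a constructed customer profile; the coordinates, order values, address types and thresholds are assumptions chosen to mirror the Reading-to-London case.

```python
from math import asin, cos, radians, sin, sqrt
from statistics import median

# Constructed customer profile and orders (illustrative, not real Deliveroo records).
# "home" is approximately Reading; the rogue order is delivered to central London.
CUSTOMER = {
    "home": (51.4543, -0.9781),                          # registered address
    "history_gbp": [18.50, 22.00, 25.40, 19.90, 21.10],  # recent order values
}
ROGUE_ORDER = {"amount_gbp": 240.00, "dest": (51.5074, -0.1278), "address_type": "public_building"}
NORMAL_ORDER = {"amount_gbp": 21.00, "dest": (51.4543, -0.9781), "address_type": "residential"}

AMOUNT_MULTIPLIER = 4.0   # flag an order above 4x the customer's median spend (assumed)
MAX_DISTANCE_KM = 25.0    # flag a delivery this far from the registered address (assumed)


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def order_flags(order, customer):
    """Return the anomaly signals an order trips, using only the order itself and
    the customer's own history: value, distance from home, and address type."""
    flags = []
    typical = median(customer["history_gbp"])
    if order["amount_gbp"] > AMOUNT_MULTIPLIER * typical:
        flags.append("amount")
    if haversine_km(customer["home"], order["dest"]) > MAX_DISTANCE_KM:
        flags.append("distance")
    if order["address_type"] != "residential":
        flags.append("non_residential")
    return flags


def requires_step_up(flags):
    """Policy (assumed): one signal alone is tolerated, since people do order at
    work or while travelling; two or more means hold the order and re-verify the
    customer before dispatch, for example by asking for the card's CVV2."""
    return len(flags) >= 2


if __name__ == "__main__":
    for name, order in (("rogue", ROGUE_ORDER), ("normal", NORMAL_ORDER)):
        flags = order_flags(order, CUSTOMER)
        print(name, flags, "step-up" if requires_step_up(flags) else "dispatch")
```

The point of checking the distance against the registered address rather than against the previous delivery address is that a fraudster who has just taken over the account controls the latter but not the former; the same reasoning applies to treating a newly added address as a signal in its own right.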
Compounding this, the company does not ask customers to enter the Card Verification Value 2 (CVV2) code when placing orders. CVV2 is a card security check designed to ensure that someone paying online has the physical card in hand; because merchants are not permitted to store it, requiring it on each order would mean a fraudster holding only the account login could not pay with the saved card.
The company said it has started asking customers to verify their identity when changing addresses.
Ideally, Deliveroo should give a more detailed account of what went wrong rather than fall back on the say-as-little-as-possible approach often adopted by UK companies after security incidents.
If lessons can be learned then customers should be able to learn them too.