Hackers using credential-stuffing attacks to hijack Deliveroo accounts
25 January 2019
Cyber criminals are routinely carrying out credential-stuffing attacks to gain access to the accounts of Deliveroo users and place orders on their behalf, inflicting losses of hundreds, sometimes thousands, of pounds on Deliveroo’s customers.
In 2016, an investigation by the BBC’s Watchdog programme revealed that hackers were frequently ordering hundreds of pounds’ worth of food and drinks from Deliveroo’s customer accounts after taking over such accounts fraudulently.
Deliveroo responded to the report by stating that “these issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach. The stolen password is then used to fraudulently access someone’s account.”
James Romer, chief security architect EMEA at SecureAuth, told TEISS that the hijacking of Deliveroo accounts was a perfect example of why people need to be using different password/username credentials for different sites.
“Using the same combination is the equivalent of a skeleton key to your online life. It makes it too easy for bad actors to gain entry to more and more information. This is of monumental importance, particularly on sites like Deliveroo where customers save their card details for convenience, leaving them with holes in their bank accounts too.
“This laid-back consumer attitude is no longer acceptable and companies also need to be doing more to add extra layers of authentication to login processes, which don’t have to impact the user. Multi-factor, adaptive authentication renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts,” he added.
Hackers exploited poor password hygiene to compromise Deliveroo accounts
Even though security researchers and data security watchdogs have repeatedly called on businesses to implement multi-factor authentication and have urged people to stop using the same password for multiple accounts, Deliveroo has not implemented MFA and consumers have not improved their password hygiene.
Recently, Sarah Manavis, the New Statesman’s tech and digital culture writer, went on Twitter to describe how her Deliveroo account had been hijacked and scammers had ordered £100 worth of food from it in three separate orders within ten minutes. To her surprise, dozens of other Deliveroo customers told her that they had suffered similar takeovers of their Deliveroo accounts and lost hundreds, sometimes thousands, of pounds to fraudsters, indicating that the compromise of her account was not an isolated incident.
The affected people also told her that none of them had been reimbursed for their losses by Deliveroo and that Deliveroo had failed to provide a resolution to their complaints, even after two months in some cases.
In response, a Deliveroo spokesperson told The New Statesman that the company does protect customers’ personal and financial data using encryption and hashing and that the hijacking of customer accounts was not because of any flaws in its security but because customers used the same password for different accounts and fell victim to credential-stuffing attacks.
“Deliveroo adopts appropriate measures, including encryption and password hashing, to keep user data secure. We have a number of security measures in place to prevent fraudulent orders. Unfortunately, where a customer uses the same email and password on multiple internet platforms and suffers a breach elsewhere – as is the case of the author – fraudsters will seek to take advantage of this. We abide by our reporting commitments to regulators and inform and advise customers when we become aware of fraudulent activity on their account,” the spokesperson said.
Implementation of MFA a must to stop credential-stuffing attacks
In November last year, Dunkin’, the owner of the Dunkin’ Donuts franchise, announced that an unspecified number of its customers’ accounts had reportedly been compromised on October 31st after cyber criminals carried out credential-stuffing attacks on the company’s website using credentials stolen from other organisations.
The attack was detected by a third-party security vendor, which blocked most of the credential-stuffing attempts. Full names, email addresses, 16-digit DD Perks account numbers and DD Perks QR codes associated with certain member accounts are believed to have been exposed as a result of the attack.
Adam Brown, manager of security solutions at Synopsys, told TEISS that the credential-stuffing attack on the Dunkin’ website was a good example of why password reuse is so dangerous, and that the affected users should take some of the blame for it.
“Dunkin’ has done nothing wrong, but someone else has leaked some very sensitive information – usernames, email addresses and passwords. That means any victims in that list that re-use the same password can be considered breached. In addition, the organisation that owned the leaked data could expect some privacy fines or actions.”
He added that while the affected customers should now wise up and use unique passwords for different accounts, or use a password manager, Dunkin’ could have stopped the compromise of several member accounts had it implemented two-factor authentication.