About 20% of restaurant food ordering and delivery accounts have been the subject of an account takeover attempt by a hacker, according to Sift, a company that detects online fraud. This is much higher than the 2.5% average across all sectors tracked by Sift, from cryptocurrency to transportation.
One reason: Food delivery apps use two-factor authentication (such as the codes texted to you before you can sign in) less often than other types of apps, Sift found. Only 3.5% of logins on food delivery apps requested this type of verification, making it easier for hackers to gain access. Across all apps tracked by Sift, that figure was 10%.
“I know I have a few apps on my phone for food delivery, and none of them required me to do any strong authentication,” Brittany Allen, trust and security architect at Sift, told Business Insider.
“For your bank, you’re happy to have to show your fingerprint, get a text, enter a code and follow a few steps,” she said. Food delivery companies don’t always ask the same thing when their customers log in, Allen added, even though accounts often contain things valuable to hackers, such as account balances and loyalty points.
Hackers also target food delivery accounts because many customers only use them periodically, meaning they are less likely to notice if someone takes control of them. “If you’re not a power user, this is something even more attractive” to hackers, Allen said.
Once they have control, hackers can use the accounts to place orders or exploit them for loyalty points. They can also sell them. Allen showed BI several channels on the messaging app Telegram that claimed to sell accounts for DoorDash, Instacart and other delivery services.
The accounts are also advertised for sale on social media platforms like Meta’s Facebook and Instagram, although some posts use a different type of scam: taking buyers’ money and then sending nothing in return, BI reported previously.
Increasingly, fraudsters don’t need deep technology knowledge or sophisticated equipment to steal accounts, Allen said. Many use a regular computer or smartphone. “You don’t need a specialized tool or any kind of high-powered setup,” she said.
Hackers are nothing new to most delivery apps. For example, some hackers were able to access the accounts of certain Instacart customers and then use them to obtain gift card codes without paying for them.
Gig worker accounts are also a target. Some drivers for Walmart’s Spark delivery service have had their accounts hacked. The accounts were then used by others to purchase and deliver orders through the service, the drivers told BI.
The apps have taken some steps to improve security. Last fall, for example, Walmart began requiring Spark drivers to periodically verify their identity with a selfie — although the feature worked poorly for some legitimate drivers, locking them out of the app.
Do you work for DoorDash, Instacart, Uber Eats, or another gig delivery service and have a story idea to share? Contact this reporter at abitter@businessinsider.com