Ian Payne 4am - 7am
How a takeaway delivery order can lead to your personal data being sold on the dark web
29 January 2021, 16:05
Scams are a hot topic on the LBC Consumer Hour, and I am always warning how you need to closely guard and protect your personal data. An investigation by consumer champion Which? has highlighted that fraudsters are not only stealing personal information direct from consumers but also from big brands.
The Which? investigation discovered that consumers personal data held by lots of big brands has been stolen and is for sale on the dark web, for as little as 42p per account. Amongst the brands affected, are Tesco, Deliveroo and McDonalds.
Which? found one seller advertising ‘Tesco accounts with usernames, passwords and loyalty card balances’. The seller was offering the Clubcard data in blocks of 2,000 accounts It says the seller claimed to have data on hundreds of thousands of Clubcard accounts for sale in total, although this has not been verified.
Tesco confirmed that a database of usernames and passwords stolen from other websites had been used to try to access Clubcard accounts and customer vouchers.
Tesco said at the time that no financial data was accessed, and its systems had not been hacked. It claimed to have blocked affected accounts as a security measure. But Which? says that when Red Maple researchers searched through dark web marketplaces for compromised accounts, they found examples that included data claiming to be from Tesco.
It makes the valid point that while the Clubcard accounts being advertised for sale might not work if they have been blocked, there is still value to the cybercriminals in stolen email addresses, passwords, and other data. This is because they can potentially use the data to attack other services where consumers have reused the same credentials.
Deliveroo and McDonalds
Takeaway delivery has been extremely popular during the lockdowns, but when you place your order you are logging personal details into the delivery app. In this respect, the Which? investigation found Deliveroo accounts being advertised for sale on dark web markets for just £4.30 each.
It says this happens due to a process called ‘credential stuffing’ and there is even an ‘account-checker’ tool, enabling hackers to take a large number of usernames and passwords scraped from other breaches and check if they work on Deliveroo. Working accounts can then be offered for sale.
Which? says it also found My McDonald’s accounts marketed for sale on the dark web, along with instructions on how to use them with the mobile app.
The instructions advised someone to go to a McDonald’s restaurant, make their order through the compromised account, and then pick it up. The stolen account can cost just a few pounds but could result in an order of well over £30.
Tesco declined to comment after Which? approached the supermarket. Deliveroo said: “Deliveroo takes online security extremely seriously and is constantly working to help protect customers against unauthorised logins by cyber criminals.
"We have strict and robust anti-fraud measures in place to combat fraudsters and to track patterns of criminal activity and to block fraudsters. We also partner with anti-fraud companies to address misuse of card information and we regularly remind customers to use new, strong, unique passwords to protect their Deliveroo accounts”.
Urgent steps you should take
1. If you have an online account with any delivery app (or anything similar) change your password now.
2. Do not use the same password across different accounts.
3. Sign up to one of the services that alerts you if your passwords have been compromised. Additionally, you can check if their email has been included in a data breach using https://haveibeenpwned.com/ .
4. Where available, opt for two-factor authentication on all online accounts.
5. Do not agree for your credit card details to saved on your account– it is always tempting to do this to make your checkout quicker, but its dangerous as it means your financial details are stored in a database that could be compromised.
6. Where possible, use guest checkout – this means your data us not stored.