Deliveroo users are getting defrauded (newstatesman.com)
280 points by danso on Jan 24, 2019 | hide | past | favorite | 339 comments


Perhaps worth mentioning, since it's nowhere in the article, that the first thing to do is not to spend hours on the phone with Deliveroo (or whoever else) but to call your bank to report the transactions as fraudulent and to block your card.

That will probably get you a refund quicker (the transactions will likely be held until clarified) and will stop any further fraud.

As for Deliveroo's support team... Not very good in my experience, but that's common. Their competitors are no better.


This is basically the sole "feature" of credit cards I value. Any time I'm buying something from somewhere that might act poorly, I use a credit card for the free leverage I have in a disagreement.

Had an old phone's screen repaired at a store inside a Walmart. They fixed it, but half the screen had no touch capability. They were highly resistant to doing anything about it until I said I would just do a chargeback. Tone instantly changed.


I've started using privacy.com after I saw a post here on HN about it. It's pretty nice. Basically you link up your bank account and they create debit cards for any online vendors you use, and you can set limits, destroy cards etc. I usually put monthly / transactional limits. Like with Uber Eats I know I only spend x amount, if anybody tried to use my Uber Eats card for 100 USD it would decline it. But also it locks itself to the vendor you choose, so it can't be used elsewhere.
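The comment above describes the core of a vendor-locked virtual card: the number is tied to one merchant and carries per-transaction and monthly limits, and can be closed at will. The following is an added illustration, not code from privacy.com, Citi or any other issuer; the class and function names, the merchant-descriptor normalization and the sample authorization requests are all constructed for the example.

```python
"""Authorization policy for a merchant-locked virtual card (added example).

Models the three controls the comment mentions: lock to one merchant,
per-transaction limit, monthly limit; plus closing the card. Amounts are in
minor units (e.g. cents). Names and sample data are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


def normalize_merchant(descriptor: str) -> str:
    """Collapse case and whitespace so 'UBER EATS' and 'uber eats' compare equal.

    Real issuers match on acquirer-supplied merchant descriptors, which vary
    between a merchant's own sites (the comment about Capital One rejecting a
    valid Dell purchase is this failure mode). Keep the rule loose but explicit.
    """
    return " ".join(descriptor.split()).casefold()


@dataclass
class VirtualCard:
    card_id: str
    merchant_lock: str                      # set when the card is created
    per_txn_limit: Optional[int] = None     # None means no limit
    monthly_limit: Optional[int] = None
    closed: bool = False
    # (date, merchant, amount) for every approved authorization
    history: List[Tuple[date, str, int]] = field(default_factory=list)

    def spent_in_month(self, when: date) -> int:
        return sum(amount for d, _, amount in self.history
                   if (d.year, d.month) == (when.year, when.month))


@dataclass
class AuthRequest:
    merchant: str
    amount: int
    when: date


def authorize(card: VirtualCard, req: AuthRequest) -> Tuple[bool, str]:
    """Return (approved, reason). Only approved requests are recorded."""
    if card.closed:
        return False, "card closed"
    if req.amount <= 0:
        return False, "invalid amount"
    if normalize_merchant(req.merchant) != normalize_merchant(card.merchant_lock):
        return False, f"merchant mismatch: locked to {card.merchant_lock!r}"
    if card.per_txn_limit is not None and req.amount > card.per_txn_limit:
        return False, f"per-transaction limit {card.per_txn_limit} exceeded"
    if card.monthly_limit is not None:
        if card.spent_in_month(req.when) + req.amount > card.monthly_limit:
            return False, f"monthly limit {card.monthly_limit} exceeded"
    card.history.append((req.when, card.merchant_lock, req.amount))
    return True, "approved"


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed walk-through: a card locked to 'Uber Eats', 30.00 per order,
    100.00 per month. Returns the decision for each request in order."""
    card = VirtualCard("vc-001", "Uber Eats", per_txn_limit=3000, monthly_limit=10000)
    requests = [
        AuthRequest("Uber Eats", 2500, date(2019, 1, 5)),    # normal order
        AuthRequest("uber  eats", 2500, date(2019, 1, 7)),   # descriptor varies
        AuthRequest("UBER EATS", 10000, date(2019, 1, 9)),   # over per-txn limit
        AuthRequest("Amazon", 500, date(2019, 1, 10)),       # stolen number reused elsewhere
        AuthRequest("Uber Eats", 2500, date(2019, 1, 20)),   # month total now 7500
        AuthRequest("Uber Eats", 3000, date(2019, 1, 28)),   # would reach 10500
        AuthRequest("Uber Eats", 3000, date(2019, 2, 2)),    # new month, counter resets
    ]
    decisions = [authorize(card, r) for r in requests]
    card.closed = True                                       # user kills the card
    decisions.append(authorize(card, AuthRequest("Uber Eats", 100, date(2019, 2, 3))))
    return decisions


if __name__ == "__main__":
    for ok, why in run_scenario():
        print("APPROVE" if ok else "DECLINE", "-", why)
```

Note the ordering of checks: the merchant lock is tested before any limit, so a leaked number declines at a foreign merchant regardless of amount, and nothing is written to the spending history unless the request is approved.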


I've been using this feature with my Citi CC for 10+ years. And with Citi, I don't need to give my CC to a 3rd party.


Same with BoA MC's ShopSafe feature.


ShopSafe works with BoA Visa cards too.


Never tried that; I might just try it, but I have other banks that might not support this at all (credit union). That's where privacy.com works best for me.


Some credit card companies offer virtual credit cards as a service as well!

Disclaimer: I work for one of those companies, but not on that product.


I loved this feature when I had Amex. The unique number-vendor pairing makes it easier to track down the vendor that spilled the beans to the charge defrauder. I was thrilled when capone started offering a similar service but its offering requires a browser addon with a backend anal about matching domain names to merchant names and sometimes rejecting valid purchases (I'm looking at you Dell factory refurb outlet).


That's an interesting idea. But I find a far easier solution is to turn on notifications. I get an email on my phone within a minute of every transaction. It's really nice having that feedback loop.


It doesn't save the PITA that is getting your card stolen, though. With a virtual CC you don't have to do anything except close that card out (which you can on Citi's website, which is the version of this I use).


I haven't found the occasional card replacement to be a pain, but I have two or more credit cards at any time.


It's not just being without; it's updating all other services that are tied to your card.

Now I personally don't let third parties store my cards, but it's quite common in this day and age of SaaS everything.


Oh, that's true. I guess I just don't have that many 3rd party services regularly billing my credit card without prompting for a specific one to bill. I've only had to replace two credit cards over about 10 years, though.


I have those on too! I saw the suggestion here, so I get: app notifications and emails. I also get notified if my balance gets too low. I used to want all that off, but email is a reasonable "paper trail" to know I'm not going crazy if I see an odd notification.


> I've started using privacy.com

Which is US only. Is there anything like it for the UK?


UK banks are already very good about refunding fraudulent transactions and associated fees:

https://www.fca.org.uk/consumers/unauthorised-payments-accou...

"In most cases the bank must refund the payment without undue delay and by the end of the business day following the day on which it became aware of the problem, unless it has reasonable grounds for suspecting that you have acted fraudulently."

"When your bank refunds an unauthorised payment it must also refund any charges and interest you have paid because of the unauthorised transaction."


> UK banks are already very good about refunding fraudulent transactions and associated fees

U.S. banks, as well. Twice Citi has refunded me within minutes. Chase within hours. It seems the policy is "give the customer the money, and we'll sort it out later."

The point is to not have to need to dispute a charge.


I would be very careful on this one.

Some providers are interestingly stubborn when it comes to charge backs and can hold on to the (fraudulent) vendors side even if you're clearly right.

Monzo in the UK is a prime example of that. An internet vendor charged me more than he should have and refused to void the transaction (basically textbook fraud), and I filed for a chargeback with Monzo. I was extremely confident that it wouldn't take much; however, Monzo customer service resisted helping.

The monetary value wasn't much; however, in the end I understood perfectly that this "protection" does not exist on the credit card issuer/bank side of things.

Be careful.


You didn’t file for a chargeback with Monzo, because they don’t offer credit cards. There’s less protection generally with debit cards.

Generally guidance is that you are entitled to a refund from the bank only if you did not authorise a particular transaction.


Chargebacks also apply to debit cards.

It's just that credit cards must offer chargebacks by law.


The laws around credit cards are much stricter, in the UK it is much safer to use your credit card online and for day to day purchases (with pay in full every month so no interest charges).


Does it matter? The simple reason they are there is to protect my interests. If they can't do it for a few quid, how can they do it for larger sums of money?

The moral of the story: money institutions may not cover you like you think they will.

I've learned my lesson.

Again, be -very- careful.


> Money institutions may not cover you like you think they will.

Not if you didn't read your debit card agreement, no. Nothing you've stated wouldn't be clearly spelled out in the agreements I've seen for debit cards. I mean, I can see how this happens: looks like a credit card, must have the same protections as what people online say about credit cards, right? Nope.


> If they can't do it for a few quid, how can they do it for larger sums of money?

If I remember correctly, debit card protections don't exist below £100, so they literally can't do it for a few quid, but they can for larger sums of money.

This isn't an example of Monzo being terrible, this is an example of debit cards being terrible.


Debit cards in almost all cases have fewer protections, and those are clearly stated.


Monzo doesn't provide credit cards, only debit cards.

Banks have a vested interest to work with you for purchases made on credit because it's their money. Debit purchases have no such leverage and thus have lower protections.

If it costs more than £100, use a credit card in the UK as the CC company is jointly liable for any issues, even faulty goods.


One could open a Monzo account (which is completely online and can be opened in a day): https://monzo.com/

You would get your debit card within a week max. You can transfer a limited amount from your original bank account to the Monzo account, and on top of that you can set restrictions on how much can be withdrawn, and there are some special features like Pots which are very useful.

I am not saying this is the best, but even if someone steals your Monzo card details, you can request a new one and your original bank card details are still safe.

Note: All this works, only if you don't use a credit card.


The instant transaction alerts let you put a freeze on the account in a matter of seconds, so that's nice. I actually use my Monzo account, so putting low usage limits isn't practical.

Edit: although I guess they'd just do it in the middle of the night so doesn't really help.


Not sure about multiple cards, but Revolut gives you a virtual debit card you can turn off and on, put restrictions on, etc.


Revolut also have disposable cards that are valid for only one transaction.


Many banks offer this service without any third party. I don't generally see it advertised a lot, I assume because it's confusing to people who have no interest in it, but you can look up something like "virtual credit card" or "temporary credit card number" and probably find a bank offering it.

The very crude answer is to get a prepaid card and load it with enough to cover each purchase, then toss it as soon as it gets misused. Which works, but doesn't sound worth the hassle unless you seriously expect a bad outcome.


Yes, I think so. I save with a credit union (just because it is local and they do turn the money around and give small loans to people that banks would not). They offer a prepaid debit card, which I do not have, but it is provided by 'The Change Account':

https://www.thechangeaccount.com/


You can use Curve https://www.curve.app/


While Curve is indeed an excellent service, transactions made through it are not covered under section 75. See here: https://support.imaginecurve.com/hc/en-gb/articles/213620489...


A related tip, given to me by a Capital One rep when my card was compromised: get a second card (which has a different number) that you use just for automatic payments. Then when your “regular” card is compromised by a restaurant, skimmer, or shady online vendor, you don’t have to notify your autopay accounts, since your autopay card is unaffected.


SEPA offers chargebacks on debit charges as well, same effect if you use it (and I prefer it over a CC).


As a matter of principle, I would rather just do the chargeback (and get it really fixed somewhere else) than use it as leverage to negotiate for what I want on the spot.

If a company is prepared to stiff me like that, the convenience of having it fixed right away is not worth the concession of letting them have my money when all is said and done. Is that just me?


This is also the reason why credit cards are so ridiculously expensive.

But then, is there literally any alternative payment method in the US that does not involve a credit card? It seems like the US banking system has just not invented anything in the last 30 years. It's not rocket science: money from my bank account to Deliveroo's bank account in (near) real time.


This is a peculiarly US phenomenon. Much of the UK, EU, Aus etc are much more willing to adopt new payment technology. (Can't speak for the non English speaking world but obviously China is way ahead)

Surprisingly the US is much harder to convince. Ask people under 30yo in Aus or the UK when they last wrote a cheque, and the answer "what's a cheque?" is likely the response. Signing for a payment, magstripe, even using a PIN is mostly a distant memory.


Yeah what is a cheque? ;)

I can go weeks without my wallet now, Samsung Pay on my phone works just about everywhere in Australia, and it's great. Banking app even lets me generate a code to get cardless cash from ATMs, should I need notes.

For transactions bigger than ~AUD100 I do have to enter my pin but that's a minor inconvenience.


> Ask people under 30yo in Aus or the UK when they last wrote a cheque, and the answer "what's a cheque?"

It's what train companies in the UK send you 3 weeks after you fill a compensation for delay claim...


> This is basically the sole "feature" of credit cards I value. Any time I'm buying something from somewhere that might act poorly, I use a credit card for the free leverage I have in a disagreement.

But without a credit card, they wouldn't even have been able to get your money without authorisation. I don't see how something like this would have been possible with a system that requires explicit authorisation per payment.


> But without a credit card, they wouldn't even have been able to get your money without authorisation. I don't see how something like this would have been possible with a system that requires explicit authorisation per payment.

I don't understand your point. Are you saying the ideal scenario would be to fill in the card's information each time? The fact that it's a credit card doesn't change that it was prefilled; a debit card or wire transfer is the same. Credit or not, if it's already there, whoever accesses your account can use it.

With a credit card, though, you can do a chargeback, which not only gives you your money back but also adds a direct cost (and a steep one, from what I understood) to the merchant that made the transaction. As far as I know you couldn't do the same with a debit card.


What I mean is: with a credit card, you submit the information necessary to make the payment, to the merchant you're buying from. They could store that information and use it to make payments I never authorised, which is bad. On the Web, some sites have fortunately delegated that responsibility to a payment provider, but the payment provider is still not my own bank.

When I pay with my bank card with an internet payment through my bank, the authorisation is handled by me and my own bank, and nobody else. Nobody else can ever make that kind of payment without access to my password and my 2FA system. That's how it should work.


A few years ago, I made the mistake of buying some furniture using my debit card instead of credit card (about £1k).

Between the payment and the delivery the company went bust.

I thought I was out of the money, but after a brief search I found out that, although there is no legal requirement to do so, VISA in the UK offers (or at least used to) the same chargeback facility for debit cards as for CCs. I visited my bank branch, which gave me a phone number to contact, sent in a bunch of paperwork, and after about 2 weeks I got my money back. I was very pleased, as you can expect.


They could require the CVV when delivering to a new address - it's only three digits. But we're talking about a company that doesn't even refund obviously fraudulent transactions, so never mind.


With a credit card, (at least in the UK) you can cancel a transaction post final authorization.

In this scenario, the bank is jointly responsible for the transaction, and should refund you if the transaction isn't completed satisfactorily.


Little confused as to why you chose their comment as the place to mention this downside.

Their story is about a situation where they gave explicit authorisation. They intentionally paid.


That's true. Being able to undo an authorised payment if the other party doesn't fulfil their end of the bargain is absolutely an advantage over other forms of payment.

In the Deliveroo case, however, it's the inherent insecurity of credit cards that made that problem possible in the first place. In light of that, the ubiquity of credit cards for online payments where data is so easily copied and leaked, never ceases to puzzle me.


All repair shops inside Walmarts are either Cellairis or iFix&Repair franchises. A quick call to the parent company would have resolved it too.


This doesn't work in Germany, for example. If you charge back, they'll just put you into a central register (called Schufa) that will basically make it impossible for you to get credit or even to rent an apartment.


No, disputed charges must not be reported to any credit register, Schufa or other. Only undisputed charges or court-certified decisions can be entered into a credit register. Even the repeated threat of reporting the charge to the credit register is illegal in many cases [1].

[1] https://www.wbs-law.de/datenschutz/unternehmen-darf-nicht-mi...


It's not a charge back in that sense when you report fraud or card theft.

And I suppose that the effect you describe results from abusive chargeback requests. I doubt you will be refused a mortgage because you were a victim of theft in the past...


> I doubt you will be refused a mortgage because you were a victim of theft in the past...

Don't be so certain about this. The credit reporting agencies are evil, nasty blackboxes and it is not transparent how your score is influenced, even by fraudulent stuff.


While I hate the Schufa with a passion, it is not as clear-cut and automated as you make it seem. Before anyone can do shit with your Schufa score (or the other smaller credit reporting agencies arvato infoscore and Creditreform), they have to formally remind you of the debt that you have due to the charge-back before, and you can always contest fraudulent entries at the credit reporting agencies.

Additionally, you can and should file a police report for fraud when hit with such a scheme, it makes dealing with your card-issuing bank and the CRAs so much easier.


Can confirm that the police fraud report helps grease the gears (in the UK, this is done through Action Fraud).

The bank went from "we won't help you" to "oh, we'll fix that" about as soon as I told them I had a crime reference number...

I guess this has something to do with the penalties for making a false police report being much higher (in criminal law terms) than lying to a bank.


Charge back for a credit card? That's the first time I hear of this. Do you have citations for this?


Contesting a charge is a primary feature of credit cards — at least in the US. There’s a prominent link when I login to my credit card account allowing me to contest any charge, and a litany of reasons which you can then select from, ranging from “I don’t recognize / didn’t make this charge” to “Item was not delivered”, “Item was returned”, etc.


I've been imprecise, sorry. What I meant: how do chargebacks on a credit card lead to a negative Schufa entry? I've never heard of this.


It's the one saving grace for using something so insecure for payments. At least the credit card company and/or merchant share that risk.


The CC offloads all of the risk + a fine to the merchant, they assume none of it.


Just so you know: chargebacks are reported to credit bureaus. Sometimes they will show on your report for a few months, sometimes they don't. Just letting you know, in case you ever wonder why you have a good credit score but the bank doesn't approve your loan or doesn't want to extend your credit.


I’ve never had a credit card of mine report a chargeback, and if they ever did I would cancel the card immediately.

Mostly chargebacks are for actual fraudulent use of the card, and the process also includes getting a new card number.

Lately, most chargebacks I’ve done have actually been issued by the card itself after they detected suspicious activity and sent me a text alert asking about specific charges.

In one case, it was a debit card which I had received in the mail, activated, and never used and had never left the house. That one was particularly bizarre and I let them know something was very wrong there.


Credit cards do not report; merchants' banks do, directly with credit bureaus. From there they decide if a certain cardholder has triggered too many, and then they put it on.


Oh boy, don't you love being downvoted when you give people genuine good-faith advice. I miss the HackerNews of 5 years ago...

Google this: "Account information disputed by consumer, meets FCRA requirements" and you will learn more.


That was my first thought too. Yes, I'd contact Deliveroo, but also my bank. If I didn't get a refund (some people waited months?), I'd sue them in a small claims court if the amount is low enough for small claims, and if it's not, I'd at least talk to a legal adviser. Waiting on Deliveroo for months after being defrauded of thousands of pounds is crazy.


Apparently you have waaay more time than I do to sue people in small claims court. Charge back via calling up my CC company is much easier and quicker.


At least where I am, a small claims claim is a matter of filling out a form and paying the fee. I may be contacted for more information, but don't need to otherwise do anything unless I'm unsatisfied with the outcome, in which case the appeals process goes through a proper court.

Besides, I said that I'd only do this if I didn't get a refund through Deliveroo/bank/CC chargeback. I certainly wouldn't start with small claims court.


A demand letter is often enough and is a good step before small claims. “Fix my problem in ten days or get sued in small claims court", sent via certified mail to their designated agent for legal service in your jurisdiction, can often solve your problem.


Good suggestion. There's definitely a series of steps to go through before any time consuming and expensive lawyering up is needed.


Small claims court often does not require a lawyer. But yeah, the general process of "document things and escalate using said documentation to people whose job it is to make sure expensive lawsuits and regulatory actions don't happen" is an excellent choice.


Oh, I know, I said that in my other comment: where I am, it requires little more than filling out the claim form and paying the fee (and giving them more info if requested). It's only if you want to appeal that you may need a lawyer, or if you want to sue in a normal court. I just meant that there's a bunch of steps you can do, including small claims, before needing a lawyer.


Small claims hearings are held in county courts.


That is the best way, go to the bank.

It is mentioned in passing in the article itself.

> Of the roughly 40 people I spoke to, not a single one had been refunded by the delivery service; those who did get their money back had got it from their bank.


I agree this is evidence. We know at least Deliveroo don't deal with fraud promptly or take it particularly seriously and thats bad enough even if they do eventually get around to it.


In my own experience, UberEats support team is stellar - I have had many many many issues due to couriers or the restaurant (wrong order, order got delivered completely ruined, order was cold, order was missing something, ...) and never once was I left in a bad situation.

I have almost always had a full refund (otherwise just partial for what was wrong/damaged) but what I really LOVED was how transparent they are throughout the process.

They message you when your concerns resulted in a ticket opening, when someone picks up your support ticket, when they are working on a resolution, and then when they found a resolution for your issue.

It's very seamless as well. I was experiencing issues on their web platform, DM'd support on Twitter, received info by email and in the UberEats app, and at no time were there inconsistencies.

If it wasn't for the quality of their support team - I would have stopped using UberEats a long time ago.


Deleted my UberEats account when they told me that they could not offer any compensation for not delivering what I had ordered.

Getting a refund on what you ordered but did not receive is not compensation, it's what they must do.


>In my own experience, UberEats support team is stellar - I have had many many many issues due to couriers or the restaurant (wrong order, order got delivered completely ruined, order was cold, order was missing something, ...)

So, they have good customer support, but suck at the basic function of the business? And you keep using them?


Problem is most vendors will then block you from ever using their service again. Might not be such a big bummer, after all they're helping people steal your money. But here it was through Apple Pay, so it may have bigger ramifications to block the card.


I don't see a problem by being blocked from a service I would never use again anyways.

Plus the following dialogue: "What was your name? ... I am reporting you to the XYZ state attorney general's consumer fraud division" is incredibly effective.


I've got to ask, when have you _EVER_ said this and had it actually result in what you wanted?

I worked in call centers for years and we laughed at people like you for a whole multitude of reasons.

The main reason being that once you say this I'm no longer obligated to help you. Since you've decided to make this a legal situation instead of a customer service one, you'll now need to talk to our team of lawyers that are on retainer. Any time you call or email you'll get auto-routed to our legal department forever, who will go out of their way to not help you.

The reality is that people who make legal threats don't actually follow through because they aren't people that understand the law or how it works; if they did, they'd be taking actual legal action against us, not making idle threats to people making $19 an hour.


Legal threats work for me about half the time, but I threaten small claims court only after getting escalated to a manager while collecting as much info as possible (it also helps if you're in a one party consent state and can play back parts of the phone call to the manager). It works for big companies better than small ones but it does take a little longer for the escalation to go through the legal department and I haven't really bothered trying it for small disputes (anything under a few hundred dollars). The few times I have followed through on the threat resulted in a settlement with one local business and default judgement against two big companies now.


I have used it 3 times or so and it was effective. The thing is, I am not threatening to sue personally. I am threatening to refer the issue to the government. I personally had no intention or interest in pursuing legal options, but maybe the AG would. In one egregious case where the situation was resolved, I still informed that office of the attempted fraud.

Again I'm not threatening to bring legal action. I'm just letting the 800 lb gorilla know about the situation and they perhaps might want to do something.


> Problem is most vendors will then block you from ever using their service again.

Who is "most vendors" exactly?


They may have been embellishing that claim; however, I think what they were getting at is that in some situations using the chargeback mechanism can have wider repercussions. For example: if you are "ripped off" through Steam on a particular purchase and use a chargeback, they may shut down your account. In that case, you would lose access to all of your games purchased through Steam. Similarly, if you use a chargeback with a Google Play Store purchase you may lose access to your entire Google Account.


Ah so not "most vendors" would ban you for reporting fraud to your bank, then.


What are you trying to achieve here?


Calling out blanket claims...

Thanks for the downvotes.


An example: Uber drivers requesting fake cleaning fees was recently discussed here on HN. Uber refuse to handle it properly, so people solve it by doing chargebacks, only to find themselves blocked from the service.

Also heard it with lots of other vendors, but won't name without having something more substantial to back it up with.


Again, being blocked from a service that is screwing with you doesn't seem that bad.

I would never touch a company again that did that to me anyway.


It kinda depends on the service, though.

If I have a shitty customer service interaction with an Amazon rep, I might have to weigh the chargeback versus the value of my Kindle library, my AWS instances suddenly going dark, etc.

In the case of Uber, I might find myself severely restricted in transit options in an unfamiliar city.


It seems to be part of the "Disrupt!" business model. The "customer" "service" team is basically disaster mitigation, probably taught to screw with the customers. Like AirBnB: $2000 worth of damage to your apartment? They'll delay for a few days and offer you $200 if you agree to an NDA. Or that guy whose dog died after being walked by someone who used someone else's account on a dog-walking service...


> offer you $200

If you're lucky. Otherwise they'll offer you "credit".


I’ve seen Uber respond to a chargeback by leaving the account active but disallowing all payment methods. With most companies I’d expect it was a customer support mistake rather than vindictiveness, but with Uber it’s hard to be sure.


Please note that when you do this in a dispute, they are probably going to block you from using their service in the future.


I've never heard of this happening but why would you want to keep using them anyway?


As someone else mentioned.. if you do this with Steam, you could get blocked from accessing all your past purchases. If you did this with your ISP, you may not have other high-speed ISPs to choose from.


And here is the irony.

Money-as-a-service (banks) give you the power to do this. But dependence on anything-else-as-a-service gives the provider power to make you think twice.


To add my anecdata, I had an excellent experience with Deliveroo's support team just before Christmas. Some pizzas arrived damaged. They offered to send exactly the same order again.


Definitely worthwhile; I think a huge number of people in the UK use debit cards with Deliveroo and other services, so no money will come back off these.


The word you should use to the merchant is chargeback. They should sit up straight at that word; if not, just go to your credit card company.


Use that too often and you might be blackballed by the service. I know, but life is long.


I'm not surprised by this response from Deliveroo. Their focus lately has definitely moved away from customer satisfaction.

I discovered recently that drivers are allowed - without penalty - to reject an order when they reach the pickup location if they see the receipt and decide it is too far to travel [1].

As a customer you just see your food go: `Assigning Driver -> Driver En Route to Pickup -> Driver Arrived at Pickup Location -> Assigning Driver`, for two hours on repeat. Eventually your cold food arrives 2 hours later, and you are offered £5 credit for your ruined meal.

I live in Central London (Old Street), and have had this happen repeatedly with restaurants that are not far from me.

[1] = https://www.reddit.com/r/deliveroos/comments/82w97o/riders_o...


Actually, the driver already knows where the destination is before going to pickup. If he rejects offer after getting to restaurant, it's probably because he asks the staff how long it will take, they reply 10 minutes, which usually means 20, and the driver decides to go looking for another offer. This is largely because some restaurants start making the order only after a driver arrives.


I think I'm old fashioned, but I just don't understand the appeal of these food delivery services. My friend's son uses Postmates to order fast food and it seems absurd to me.

I must be missing something about these services given their popularity. Do you mind explaining why you use them?


I think you are just trying to be that guy. I go to this website, pick what I want, pay and some time later what I ordered gets delivered to my door. What's there to get?


Fast food is pretty bad when it's fresh. It's awful after it's been in transit for 20-30 minutes or more. The idea of spending $10 or more to get a lukewarm burger and mushy limp french fries has no appeal to me.


I think people are ordering from more upscale restaurants, not McDonalds.

Food temperature is a personal preference, some people are really picky about food being hot/fresh, some aren't. I prefer the taste of room temperature food over hot food so "sitting around for 20 minutes" would be a feature for me.


You say that, but I saw someone picking up an UberEats at McDonalds...

... and then jumping into his new C300 to deliver it.

I'm not sure I can process that. New Mercedes, let's put miles on it delivering fast food...


He owns a Mercedes so he probably loves driving. Maybe if he wasn't delivering for UberEats he'd be out joyriding in his new Mercedes without a destination. In doing UberEats he's got a destination and he'll decrease his expenses by like $5/hour and take another car off the road. I know a guy who spends like half his free time driving around in a $70,000 pickup truck because he enjoys it, doesn't have a destination, just goes for a drive for fun.

And some people like really like McDonalds and don't care for the fancy stuff.

It's not for me, but basically it boils down to "people like different things than me."

I know someone else who can't understand why anyone would ever play video games: "it's time and effort for zero reward."

Some people enjoy doing work on their car, while others would rather pay someone to do the work for them.

Humans aren't the same.


Fast food is usually only palatable hot. By the time it gets delivered it’s cold, no? Also fast food is cheap and the delivery cost is a large percentage of the overall bill. I mean a $10 meal ends up being $20.


Er, deliveroo delivers from restaurants.

Justeat delivers from fast food.

Deliveroo costs more because it's providing a delivery service for restaurants that don't normally deliver.

So I'm getting good food. When in a restaurant, things sit in a kitchen for 10 minutes waiting for the rest of your order anyway. 10 minutes in a thermal bag is the same.


Wouldn't that be 10 additional minutes in the thermal bag? If it sits waiting for 10 minutes for the rest of my order, wouldn't the time in the thermal bag be in addition to this? Also, in the U.S., my experience with others doing this is that it takes more than 10 minutes for the driver to pick up the order. Then another 10 - 20 minutes to deliver. To me this ruins the meal. You don't get a nice presentation and the food is way colder than the chef intends.


> To me this ruins the meal.

But at that point you're basically just objecting to all delivery food ever. Which is fine but, like, you are aware that it is a huge industry and has been for decades and people do like it? Convenience trumps artistry (and optimum temperature) for many people a lot of the time.


Deliveroo orders generally get rushed out from my experience sitting in restaurants waiting for my sit-down meal to be served.

"To me this ruins the meal"

Shrug, I'm not sure what you're expecting anybody to say. I can't really change your mind on what is a hypothetical situation for you. I've ordered plenty, it's generally no worse than the quality I would get in the restaurant (other than the presentation in a bespoke takeaway box, not a plate).

Also, what kind of presentation are you expecting for a burger anyway? It's a burger, with some artfully surrounding chips? Ordered to go, it's a burger, with the chips in a smaller box instead of surrounding the burger.


In Italy at least, Deliveroo will order from middle and low-end restaurants (pizza places, some sitdowns, any fast food). The drivers are also on bikes generally, which I thought was common for deliveroo but after reading this thread maybe not.


> Do you mind explaining why you use them?

I want food, I can't be bothered to cook or go out?

Are you seriously struggling to understand food delivery? Or if you mean what's the benefit over e.g. ordering direct from a restaurant, it's that you have a lot more choice and it's much higher quality than traditional takeaways (you get proper restaurant food).


It arrives cold, no? Delivered restaurant food makes no sense to me. Won’t things get all mashed together? The plating will not be nice. And to pay for such a service? I don’t get it.


Thermal bags, transport-aware packing, and the service costs a couple of quid, not the ten dollars you suggest.

You're not going to get a gourmet steak hot from the grill with precisely placed edible flowers laid delicately on it. But a bag of fries and a carton of fried chicken does not require eggs-in-space-shuttle level cushioning.


In the U.S. we typically feel compelled to tip. This might not be the case for you if you aren’t in the U.S. I looked into using Postmates to try it out and it came to around $10 to use if I didn’t tip generously.


I think I’m old fashioned but I just don’t understand the appeal of these food delivery services.

"Old-fashioned"? Nice try, Grandpa. I'm approaching retirement, and delivery of restaurant food has been a thing since before I was born. Hell, Domino's was founded in 1960.


But not fast food delivery. This is a recent thing. And most restaurants didn’t do delivery. I don’t see the point of ordering a meal that is best eaten hot to be delivered when it comes to the house warm.


But not fast food delivery.

Hey, I quoted you accurately. :-) But fair enough. My counter would be that if your bar has fallen to fast food territory, perhaps warmth and presentation isn't an issue at that point for some folks. But I haven't been part of the fast food demographic for decades, so what do I know?


tbh, I see little difference between pizza and general fast food.

I would even prefer a KFC bucket with 25 chicken wings delivered to me, not pizza (which is mostly bread).


Domino's comes under the genre of fast food too. It's not all just burgers and fries.


I do not use Deliveroo, but I use what sounds like something similar in my area.

I live 20 minutes outside of a small town in Norway and the restaurants/kebab shops don't generate enough take-away business to provide this service themselves.

There is another company that does that for them and services them all, making take-away possible at all.

Now this company actually operates with a time guarantee, that is if the food is not delivered within an hour or if the order is "refused" due to reasons the OP touches on you get your money back.

I've yet to have any of that happen to me, possibly because it would actually be bad for those delivering.

I could drive and pick it up myself, but sometimes you just want to be a couch-potato and be lazy!


Genuine question: how can food stay warm/fresh if you have to drive 20-30 minutes with it? How often do you get the food cold?


They have special thermal packaging. Usually when I get the food it's so hot I have to wait a bit before eating it :)


At least in my town, thermobags are the thing. You can even get a hot soup.


Pretty simple.

When you are severely hungover and your fridge is empty, food delivery is a godsend, even if it is fast food (and proper food is just priceless).

A recent McD commercial in NZ even focused on this particular case -- zombie-like people who celebrated NY 2019 all night long are getting some food delivered to their door. Don't have a link right now but you can google it.


If you have a small child, then just leaving the house to run an errand is an entire ordeal (esp if baby is sleeping right now). It's worth paying some non-trivial amount of money to avoid running errands. If you're also lower socio-economic class, then that leaves the only food you can afford being fast food.

People love to talk about these services as if they're only for young, single hipsters, but a significant portion of their use comes from people with some kind of life limitation (same as the Whole Foods peeled oranges in a plastic box that people love to make fun of. These are a godsend for people with poor motor skills).


Their first-customer discounts and incentives are pretty enticing.

I live in Taiwan, where Deliveroo gives you about $3.50 off your first order, and delivery is factored into the price. A friend of mine ordered a $6 pizza that she ate half of and brought the rest of to work the next day. All told, she paid $2.50 for two lunches, and didn't even have to leave the office.

That doesn't sound better than the alternative to you?


I know, right‽‽‽ I don't even know why people pay other people to cook for them! Absolutely preposterous!


I’ve paid people to cook things for me. I’ve paid someone to cook shitty fast food for me. I’ve never paid someone to deliver that shitty fast food to me. When it arrives it is at best warm and even more disgusting. I don’t see the appeal of these services. It’s much better to get the food when it is hot. At least in my opinion. My friend’s son spends several hundred dollars a month in delivery charges. I certainly don’t understand doing that.


Presumably the people who find value in this service have different taste buds than you and don't find the food they pay a premium for "disgusting."

Or they have different priorities than you and value convenience over taste, price, and quality. There's even an entire industry built on this premise, "convenience stores."


There are certain things that really don't make sense for delivery, like McDonald's. I could drive there, go through the drive-thru, and be home by the time someone else is picking it up. Most other restaurants do make sense for online ordering and delivery. Most of the time I just go and get the food myself as I'm usually just too cheap to pay the delivery fee and tip and longer wait. I'll order pickup and can go get it myself for a couple bucks of gas at most and at least I'll know it's as hot and fresh as it can be.


A lot of people in cities don't own transportation and it's quicker getting delivery than getting on a train/bus.


Right, in cities it makes the most sense for delivery of almost anything. Even if you have a car, trying to find parking at certain times just so you can run in and grab your pizza is probably not worth it. A guy on a scooter can park almost anywhere so it quickly becomes worth the fees to have it delivered. These services have started creeping out to the suburbs where I live and it doesn't always make a lot of sense for some of them. I'd imagine delivery services are even harder to do in rural areas where you would be waiting for quite a long time to get your pizza although I could see things like grocery delivery making sense.


I agree to an extent (about the services moving to the suburbs), but if the market's there as well, I'm sure the services are fine to squeeze out every last profit.

I do use Instacart for grocery delivery (Chicago), but I really dislike grocery stores and am willing to pay the premium (avg +30% in my exp) to avoid that trip. Honestly, if I were in the suburbs, with a vehicle, I might be better incentivized to personally make the trip.

All my own opinion though.


Another thing I forgot to consider is people that can't leave their home for reasons other than they are tired from work or just hungover. You can get much healthier meals delivered now, much better than the pizza and chinese food that were pretty much the only option years ago. Grocery delivery is much more prevalent now too so for those that can at least cook for themselves, they don't have to rely on a family member coming by with groceries.


I don't think it's old fashioned. Not being lazy and having a conscience is enough to avoid them.

Although those things are going out of fashion quite fast.


> having a conscience

What does having a conscience have to do with whether or not you use a food delivery service?


I think a lot of people object to the labour practices of most if not all of the food delivery services; this isn't particularly new news. In Australia the drivers/riders are not treated or paid very well and there is considerable controversy about whether they are really employees vs contractors.

I'm surprised that this hasn't occurred to you already, at least as an issue for someone (not necessarily you, or, for that matter, me). Still, given that this is a thread where things like "food delivery" need to be explained from first principles, I shouldn't be too surprised.


> In Australia the drivers/riders are not treated or paid very well

So they should do something else. Those drivers determined that delivering the food was the best use of their time. I don't think it's right to voluntarily choose this specific job and then make people feel immoral for using the service they signed up to provide.


Well, some of the ways they are not treated well seem to be sailing pretty close to the wind in terms of Australian labour law or are outright illegal. It's also pretty hard to imagine these services being remotely workable without a steady supply of "students" who are in Australia supposedly earning degrees but in practice are a giant pool of cheap labour. You can make various libertarian quibbles about both Australian labour and immigration rules, but not everyone wishes to subscribe to your libertarian newsletter....


> Not being lazy and having a conscience is enough to avoid them.

But even then you would 'understand the appeal' but be opting out of using them.

It's a weird turn of phrase IMHO, as if the person has never heard of food delivery before.


We ordered a load of food for our office earlier this week (also central London, nr Tower Hill) and had only half of it arrive. A second rider was needed for such a large order (burgers for 15 people), and none showed up. So half the people got no meal, and half the food got binned by the restaurant.

That's pretty bad!


Fun fact about Deliveroo. A lot of your drivers aren't the registered driver. It's really common practice for a citizen or someone with a work visa to register and then rent their phone to someone desperate with no work visa. So your driver is often making almost nothing while someone else sits on their ass and collects cash for doing nothing and then Deliveroo again sits on their ass providing poor service collecting even more cash.


So are you saying there are bands of Deliveroo riders in England who are here on 6-month tourist visas? Or are you saying they are in the country illegally?


If you're working on a tourist visa, then you're in the country illegally - your visa becomes invalid the minute you start work and you're liable to be deported.


Agreed


I've only seen this happen to people on student visas that permit little or no working hours.


Students will do all kinds of "harmless" under-the-table stuff to get/save a little extra spending money. That's different to me than a person desperate for money to pay rent or buy food.


That's certainly true and they are illegally working. But maybe your image of a student might be a bit narrow? There's a large industry in Europe of language schools. You pay the school/country a few thousand euros/pounds and in return you get a student visa + basic language course. Not all, but many students are coming from pretty bad places in the hope of somehow landing a work visa (Italy and Portugal will grant citizenship if you can prove ancestry, for example). Of the friends of my wife that told me about their lives/this practice, none of them were working for "spending money".


In Portugal you need more than just "ancestry", unless it's relatively close relatives (grandparent).

You would need to speak Portuguese, and prove an effective tie to Portugal, for example participating in Portuguese cultural activities, groups or organizations.


I certainly needed to pay rent and buy food when I was a student?


Source?


I have a friend that works for a Deliveroo clone in Paris; this is true, loads of people rent their phones to migrants that work for the company under a fake identity.


> It's really common practice for a citizen or someone with a work visa to register and then rent their phone to someone desperate with no work visa

Do humans really have such low morality and ethics? I just can't picture a person who does this to another human being...


Did saying this make you feel better about yourself or something?

Because it's a ridiculously naive statement at best. More likely just some sanctimonious BS you decided to post to signal how much of a good person you are.

Like seriously, what world do you live in where you can't picture a person doing something to take advantage of another person? Have you read literally anything in history?


Did saying this make you feel better about yourself or something?

Because it's a ridiculously smug statement at best. More likely just some sanctimonious BS you decided to post to signal how much of an intelligent person you are.

Like seriously, what world do you live in where you can't picture a person thinking that it's sad that a person takes advantage of another person? Have you read literally anything in history?


How meta. You must be a super clever person with original thoughts to add to every discussion.


I have a really hard time trying to understand the mindset of somebody who is going to take advantage of a person for profit. I actively remind myself of this because I need to be aware of this fact when dealing with people who could potentially take advantage of me.


Nobody is asking you to understand their mindset. Recognizing that such people exist does not require understanding their mindset.


What’s immoral here? You know someone who can’t work so you let him rent your phone so he can work. I mean it’s not respecting the law, but it’s no more immoral than companies renting out cars, houses, or tools used by others to earn a living.


Deliveroo riders have some of the worst working conditions, it's a grind and people do it because they need the cash.

Going as far as to circumvent legal regulations and even pay to be able to do such a job is a good indicator that the person doing it is desperate for income.

Many people believe wealth should be shared, that everyone deserves happiness, and that no one should spend their lives slaving away just to survive; those same people would not try to profit off of someone desperate for income and willing to work hard, and would consider what OP is talking about immoral.


This is the same argument leveled against sweatshops and it is frankly a fallacious one.

It proposes a false dichotomy where the worker has to either be in well paying and fulfilling employment (which obviously is not an option given their circumstances) or alternatively, they must be saved from the tyranny of their employer (usually through enactment of regulations which will leave them jobless).

Either way all it achieves is to deprive the worker of income, experience and the agency that comes with being able to make their own employment decisions. Your comment, despite seeming conscientious, gives little consideration to utility of the worker and the pragmatic decisions they face.

A sense of moral outrage towards a company (or individual) for perceived exploitation of their employees might be justified, but is not sufficient grounds for limiting the freedom of exchange.


Accessory to a large number of immigration crimes, and in the UK that's a strict liability offence.

A former PM (Gordon Brown) was fined when it was found that his cleaner had used good forged papers.

Various modern slavery and gangmaster laws also come to mind.


The question was what makes it immoral, not what makes it illegal.


Taking advantage and ripping off unfortunates is not immoral? As Seward said "there is a higher law".


No, the law preventing residents from working is immoral. Someone sharing their identity to allow them to work is actually doing a righteous thing.


And you don't think the sort of person that does that isn't ripping the hell out of poor sods?

There have been well documented cases of modern slavery where disadvantaged people like this have been abused and effectively turned into slaves.


The author wrote that some people would make other people do the work, taking a cut. Given that people who work themselves at Deliveroo already struggle to get a decent salary, then yes, it is immoral.


The person with the account is providing a benefit in return for that cut, though -- the account itself and the attached phone. It's not slavery, any more than Amazon taking a cut of sales through their website is.

I fail to see how the citizen in this case is harming the non-citizen.


People using their accrued wealth to sit around while other people make money for them (who will suffer if they can't do that) is generally considered moral - or at least ethical - under the current order.


I mean most of these delivery type services are basically the first company passing off the usual risk of having a lot of employees onto contractors.... not exactly the same, but not that many steps removed.


It's no more immoral than the business model of Deliveroo, Uber, etc. themselves. In fact it's almost exactly the same.


There are people who will gladly do worse things to people, for free.


I use a number of services in Sweden and they all do the same thing: the picture of the person who gets you the food is never the same as on their website. Also, errors in orders are so common.


What a strange thing to say. Surely you've heard of war, murder, rape...?


There is one more aspect of fraud the journalist has missed - chargeback fraud. Chargeback fraud is where companies try to lengthen the timeline of resolution of a fraudulent incident such as this one so that it exceeds your bank's official timeline for being eligible for getting your money back. Usually it's about 45-60 days and varies from bank to bank.

To me, as someone who worked in this industry before, this simply seems like a ploy by Deliveroo to escape absorbing the chargeback cost. Because that is exactly what would happen if you called your credit card's bank/company and asked them to initiate a chargeback for the fraudulent transactions instead of begging Deliveroo: the money will first be refunded to you almost immediately (varies from bank to bank), then an investigation will be opened against the merchant in question (in this case, Deliveroo), and when you provide your credit card company valid proof that you're innocent by sharing logs, screenshots, etc., the dispute would be settled and the bank will side with you, the customer, and thus the merchant will bear the loss of the fraudulently transacted amount.

It seems Deliveroo may be doing EXACTLY this to avoid the customer becoming eligible for a refund later through their bank, by pushing them past the chargeback window. This is actually criminal in some countries, and grounds for a class action suit, which I hope someone sues them for if they are found guilty of this.

The other reason for the elongated resolution timelines is that Deliveroo actually benefits from these transactions - think about it, they earn for each transaction and in some markets, if I'm not wrong, the larger the transaction, the more they earn. So, why would they do something fast that affects their revenues negatively?

Anyway, my personal experience with Deliveroo has also never been positive and I don't recommend them at all.


I thought this was going to be about ordering food from one restaurant, only to have it prepared in another 'sublicensed' kitchen, sometimes a shipping container:

https://www.theguardian.com/business/2017/oct/28/deliveroo-d...


Is this actually shady? When doing takeaway you are not really paying for the ambiance of the restaurant anyway and IF the quality is the same I wouldn't necessarily have a problem with it.


Well, if I order food from the Fat Duck[1], to name just one example, I expect the restaurant to prepare my food and not some "cook" in a container throwing together some stuff coming from trucks owned by a convenience food purveyor.

So yeah, I think it's shady and dishonest.

Sure, if a restaurant allows their brand to be used for such shenanigans they deserve all the bad press they may get.

Disclaimer: I use the Fat Duck as an example. I'm pretty sure they don't do home deliveries, let alone Deliveroo.

[1] https://en.wikipedia.org/wiki/The_Fat_Duck


> IF the quality is the same

That's the thing. It isn't. Every franchise, big or small, has wildly different quality of ingredients and preparation (and even send the correct damn drink and remember the dip) among outlets, and if I order from that one, I want that one to prepare my food.


Even down to the cook (not even "chef"). I go to a specific restaurant on a weekly basis, where I know the names of the cooks. I order different dishes depending solely on who's working that day, since I know which get prepared best by who.


Deliveroo Editions sites are clearly marked on the app with a banner across the main photo of the restaurant. You aren't led to believe the food is coming from somewhere it isn't.


> banner across the main photo of the restaurant

> You aren't led to believe the food is coming from somewhere it isn't.

I think we have different definitions of what being 'led to believe' is.


That’s a pretty big claim. Got a source for it?


Maybe I'm missing the point, but how did the fraud take place to begin with? Somebody phished the author's Deliveroo account and used it to buy a lot of food? If so, what would be the right way for Deliveroo to solve the issue? I mean if they just swallow the cost and reimburse her with no questions asked it seems easy to abuse; I could just order a lot of food then later complain that my account has been breached. Then again that's pretty much what Amazon does in these situations in my experience, but not everybody has Amazon's deep pockets...

That's not to say that their current response (or lack thereof) isn't bad, it's more that I'm not sure what would be a good response in this situation.

I'm also not sure how Deliveroo could be considered liable if the breach is on the user's side (phished password) rather than a server-side vulnerability. If I offer an online service and one user gets their password stolen, would I be liable for that? If so, what should I do if somebody claims that their account was stolen? What if they're actually lying to get access to a legit account?


Standard security practices: not allowing delivery to a new address without reconfirming credit card details, sending email confirmation upon login from a new location/device, and in the more extreme cases, 2-factor auth.


That makes a lot of sense now that you point it out. Thank you.


It sounds very much like this journalist is trying to make a mountain out of a mole hill.

The real story is that Deliveroo does not handle fraud properly. This is a much lesser crime than what they are being accused of.

The author wants to make it seem like Deliveroo has had a data leak and are trying to hide the fact. There is no evidence of this, but if it did turn out to be true then the author would be able to claim that they broke the story.


Yeah - it boils down to ye olde case of people reusing passwords. Half of the article talking about GDPR and the ICO is irrelevant. What's happened is she has an easy/reused password that's ended up in a breach, fraudster locks her out of the account and offers discounted deliveroo orders to their customers and she gets charged. That's it.


It sounds like Deliveroo could step up their security then, as they don't seem to be doing much to catch credential stuffing, suspicious/fraudulent orders, etc. They could be doing way more.


If I recall, there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breach. It seems like many people have been affected by this too, so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse.

Deliveroo are responsible for the data you give them. If they fuck up and allow unauthorized people access to that data, they're in breach of the GDPR.

If they haven't informed the ICO (and equivalent in any country within GDPR rules) within 72 hours of each breach, they're in even deeper shit. First, they have to be clear about the scale of the breach and what exactly has gone wrong. They've got to be able to demonstrate the steps they've taken to mitigate the issue and prevent it happening in future. If people are complaining on a regular basis for months, they've not done that.


Do you have a source for that? If that is the case then pretty much every major website is in breach. Credential stuffing is rampant and very easy to do these days. It's not the website's fault that the user gave out their password.

However, I do agree that Deliveroo needs to do more to protect users against this. 2-factor authentication, email confirmation from a new IP, re-entry of card details when ordering to a new address are all simple ways to handle this. Deliveroo has not prioritised this because their main priority is growth.


In the UK, the ICO guidelines are

"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

The key part being "unauthorised disclosure of, or access to, personal data."

So does credential stuffing qualify? In my opinion yes, as it is unauthorised access to personal data.

They then go on to say "When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"

And again, the ability to place orders and deliver them to a new address charging the existing credit card I think qualifies as a severe and likely risk.

https://ico.org.uk/for-organisations/guide-to-data-protectio...

Edited to add: In the absence of any legal precedent I’d challenge you to find any lawyer who’d confidently say that credential stuffing definitely doesn’t meet the criteria.


That would be an interesting development. It means that either:

- it is illegal to not have 2FA; I’m not against that, but it feels… excessive;

- every website, including small irrelevant ones, with a password (like HN) needs to crawl the darker internet to check for leaked lists of email/passwords; that would make those unsavoury forums crawl with solution vendors; it would also make it illegal to not find the most obscure ones; in other words, a non-option;

- ban the use of any password listed on https://haveibeenpwned.com/Passwords which feels more manageable, but… does the service offer an API?

Which one feels the most likely to happen in the short term?


Remember part 2 of that section:

"establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"

So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.

In terms of options, I think there are more, mostly around sites getting more sophisticated at defending against credential stuffing attacks - treat logins as more suspicious if they are from a new device, new ip, use a password that you know is in a breach list (have i been pwned), etc. and put in place a 2nd factor like email confirmation of the login even if they haven't turned on 2FA. Or at least restrict access to sensitive parts of your site if the login was suspicious until you can verify it was an authentic login.
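The login-risk and new-address checks described in this comment and in the earlier "Standard security practices" comment, as an added example (not Deliveroo's code, nor either commenter's). The breach lookup mimics the Pwned Passwords range format (5-character SHA-1 prefix sent, suffix:count lines returned) but is answered from a constructed local list, so it runs offline; the account, device ids, IPs and addresses are constructed sample data.

```python
"""Risk-based login and order gating of the kind discussed in the thread.

Added example, not Deliveroo's code or the commenters' code. All data here
(breach list, devices, IPs, addresses) is constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a breach corpus, keyed by plaintext only so that
# the range response can be built locally; a real deployment would call the
# Pwned Passwords range endpoint instead of this table.
CONSTRUCTED_BREACHED_PASSWORDS = {"password123": 77, "letmein": 41, "qwerty": 99}


def local_range_response(prefix: str) -> str:
    """Build the 'SUFFIX:COUNT' lines a k-anonymity range lookup returns.

    The client sends only the first 5 hex chars of SHA-1(password); every
    suffix that shares that prefix comes back, so the full hash never leaves
    the client.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED_PASSWORDS.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=local_range_response) -> int:
    """Return how often the password appears in the breach corpus (0 = unseen)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


@dataclass
class Account:
    email: str
    known_devices: set
    known_ips: set
    delivery_addresses: set


def assess_login(account: Account, device_id: str, ip: str, password: str):
    """Classify an *authenticated* login as allow / restricted / step_up."""
    signals = []
    if device_id not in account.known_devices:
        signals.append("new_device")
    if ip not in account.known_ips:
        signals.append("new_ip")
    if breach_count(password) > 0:
        signals.append("breached_password")

    # A known-breached password, or a login from both an unseen device and an
    # unseen IP, is what credential stuffing looks like from the server side:
    # require a second factor (email confirmation or 2FA) before anything else.
    if "breached_password" in signals or {"new_device", "new_ip"} <= set(signals):
        return "step_up", signals
    # One unfamiliar signal: let the user in but fence off sensitive actions.
    if signals:
        return "restricted", signals
    return "allow", signals


def may_deliver_to(account: Account, decision: str, address: str,
                   card_reconfirmed: bool) -> bool:
    """Gate the action that turns an account takeover into a charged order."""
    if decision == "step_up":
        return False  # nothing until the second factor has been completed
    if address in account.delivery_addresses:
        return True   # a previously used address carries no new exposure
    # New address: only from a fully trusted session, and only after the
    # stored card details have been re-entered.
    return decision == "allow" and card_reconfirmed


if __name__ == "__main__":
    acct = Account("user@example.com", {"dev-A"}, {"203.0.113.5"}, {"1 Old Street"})
    print(assess_login(acct, "dev-A", "203.0.113.5", "correct horse battery"))
    print(assess_login(acct, "dev-Z", "198.51.100.9", "correct horse battery"))
    print(assess_login(acct, "dev-A", "203.0.113.5", "password123"))
```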


'So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.'

To be clear, no website, depending on passwords alone, can know if an access was authorized by the person who is the subject of the account. Therefore, it would seem that the only sites that can use password-only authentication without risk are those that hold no personal information about their customers. According to your own interpretation of the law, some of your proposed mitigations would not be sufficient to eliminate the risk, if any personal information is held.


>> According to your own interpretation of the law

Look, I am not a lawyer, and I am happy for someone to correct me here, but this is the wording of the law:

"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

Is there anything in that sentence that means a successful credential stuffing attack would not fit the criteria?


a) the data wasn't breached through the credential stuffing attack, it was breached at an earlier time on another site. b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.


>> a) the data wasn't breached through the credential stuffing attack, it was breached at an earlier time on another site.

Remember GDPR is specifically concerned with "A personal data breach". The original breach that led to the password being leaked was likely also a personal data breach (unless the only thing the hackers managed to access was the username/password database - and even then email address can constitute personal data in some cases), but there is definitely a personal data breach as a result of the credential stuffing attack (in the Deliveroo case, more than likely full home address, possibly other addresses too like work, possibly name, some level of credit card data, order history, etc.).

>> b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.

It's certainly authenticated access, but I think you'll struggle to convince a lawyer that it was authorised.


I am not disagreeing with your position that such an access is not authorized by the person whose confidentiality is compromised, but the phrases from the UK ICO that you quote in making your argument do not say that the mitigations you propose would provide an adequate defense for the website provider, either. Taken in isolation and at face value (which is what you do to make your case), those phrases lead inevitably to the conclusion that password-only authentication cannot possibly suffice as ICO-compliant authorization for access to any personal data whatsoever.


So if someone hacks your email because you didn't have sufficient protections in place, does that make the email provider liable? Seems like an argument that falls apart very quickly.


Yes, exactly that if the email provider hasn’t put in place sufficient defences. Why wouldn’t they be liable? They have a duty of care under GDPR to protect your personal data. If they are negligent in that duty then absolutely they should be liable.


I'm not saying Deliveroo isn't in the wrong here - they absolutely should have more defenses, but I still think this argument makes little sense. What if they have the defences in place but you choose to disable them? Who is liable then? I personally have 2FA on my GMail, but plenty of people choose not to - is it Google's fault for not forcing it on them?


You’re forgetting something. This isn’t my argument. This is what GDPR states. Unauthorised access to personal data constitutes a data breach. Does someone accessing your personal data who is not you using a stolen password count as unauthorised? Yes.

It will ultimately come down to a test case, but as I said before, you will be hard pressed to find a lawyer who would tell a company that they definitely won’t be liable.


It depends on how "unauthorized" is defined. Does it actually define "unauthorized" somewhere else in the statute?


I think unauthorised has a fairly clearly defined definition in the English language (without permission or authority). And I’m fairly sure that’s the definition already used in courts of law. So in the absence of any contradicting definition in GDPR (and there isn’t) I would be pretty confident that is the definition that would be used.

But even so I struggle to think of a definition where accessing someone else’s account without their permission or authority wouldn’t be classed as unauthorised.


For what it’s worth, it’s very common for close people to share their Deliveroo account, a bit like Netflix.

I would never but one of my two housemates was very confused why they couldn’t have my password so that they could look at the menu and each add their option to the order. (The third housemate was also a developer so he was surprised that I could remember it and I got sermoned about 1Pass over pizza.)

I also have heard of cases of close (female) friends who know each other’s password; when one had a health incident (miscarriage), the other took upon herself to order for the first one, to comfort her. She tried from her own account but failed (couldn’t remember the name of the restaurant), so connected to her grieving friend’s account, changed it to use her debit card. It was fully appreciated, but a surprise.

“Authorised” in that sense falls somewhere between:

- I know who those people are;

- we are part of the same household;

- I know that they can have access to my account;

- they made sure that I know they are on my account;

- I actively allowed them to be on my account right now;

- the device is shared.


>without permission or authority

Permission or authority from who though?

If someone steals a key and unlocks a lock, is that considered "unauthorized access?" From the perspective of the person whose key was stolen, absolutely. From the perspective of the lock, no, the access was authorized.

We define terms in statutes and contracts for a damn good reason.


Good luck using that as your defence in a court of law :)


That's the problem with GDPR. It leaves much to be defined by ratifying member states. For example, it says you need a Data Protection Officer if you do "large scale" processing. There's no definition, no threshold defined for "large scale". You might not find the definition for unauthorized access in the GDPR and it may depend on jurisdiction.


I'm not sure why this is being downvoted. All I am doing is pointing out what the current law is under GDPR. You may not agree with the law, but that doesn't change what it says.


> there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breech. It seems like many people have been affected by this too so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse

Well, the distinction can be as easy as someone hacking the company vs. guessing your password. What is the company to do to protect against the latter?! After all, the password is the authorisation, so I would even claim it's not unauthorised access...


There are many things they could do. For starters they could verify (email, 2 factor, something) unusual sign ins - for example sign ins from a new IP, especially if that IP has a higher risk profile (data center, known vpn, tor exit nodes, different registered country, etc.), or sign ins from a new device.
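
The login-risk approach described in this comment and the earlier one about treating new-device / new-IP / breached-password logins as suspicious, written out as an added example (my own illustration, not Deliveroo's code or anything from the article). It assumes a per-user history of known IPs and devices, a device identifier of some kind, IP geolocation, and a "risky network" list; the address ranges and the three sample logins are constructed (RFC 5737 documentation ranges), and the weights and thresholds are arbitrary choices for the demo.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed higher-risk address ranges. A real deployment would load these from
# threat-intelligence feeds (data-centre ASNs, commercial VPN ranges, Tor exit
# lists); RFC 5737 documentation ranges are used here so nothing real is named.
HIGH_RISK_NETWORKS = {
    "datacenter": [ip_network("203.0.113.0/24")],
    "tor_exit": [ip_network("198.51.100.128/25")],
}

# Weight per signal; the thresholds in decide() turn the sum into an action.
WEIGHTS = {
    "new_device": 1,
    "new_ip": 1,
    "risky_network": 2,
    "country_mismatch": 2,
    "breached_password": 2,
}


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str                  # e.g. a cookie-bound device identifier
    geo_country: str                # from IP geolocation
    password_in_breach_list: bool   # result of a Pwned-Passwords style check


@dataclass
class UserHistory:
    registered_country: str
    known_ips: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)


def network_label(ip: str) -> Optional[str]:
    """Return the risk label of the network the IP belongs to, or None."""
    addr = ip_address(ip)
    for label, nets in HIGH_RISK_NETWORKS.items():
        if any(addr in net for net in nets):
            return label
    return None


def risk_factors(attempt: LoginAttempt, history: UserHistory) -> List[str]:
    """Collect the suspicious signals for a login whose password already checked out."""
    factors = []
    if attempt.device_id not in history.known_devices:
        factors.append("new_device")
    if attempt.ip not in history.known_ips:
        factors.append("new_ip")
    label = network_label(attempt.ip)
    if label is not None:
        factors.append(f"risky_network:{label}")
    if attempt.geo_country != history.registered_country:
        factors.append("country_mismatch")
    if attempt.password_in_breach_list:
        factors.append("breached_password")
    return factors


def risk_score(factors: List[str]) -> int:
    return sum(WEIGHTS[f.split(":", 1)[0]] for f in factors)


def decide(factors: List[str]) -> str:
    """allow: known context. step_up: confirm the login by e-mail link even if the
    user never enrolled in 2FA. restrict: let the session in but block address,
    payment and e-mail changes until the login is verified."""
    s = risk_score(factors)
    if s == 0:
        return "allow"
    if s <= 2:
        return "step_up"
    return "restrict"


def record_verified_login(history: UserHistory, attempt: LoginAttempt) -> None:
    """Only after the step-up succeeds do the IP and device become 'known'."""
    history.known_ips.add(attempt.ip)
    history.known_devices.add(attempt.device_id)


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed sample: three logins for one account; returns (decision, factors)."""
    alice = UserHistory("GB", known_ips={"192.0.2.10"}, known_devices={"dev-A"})
    attempts = [
        LoginAttempt("alice", "192.0.2.10", "dev-A", "GB", False),    # usual context
        LoginAttempt("alice", "198.51.100.7", "dev-A", "GB", False),  # same device, new IP
        LoginAttempt("alice", "203.0.113.5", "dev-Z", "RO", True),    # stuffing-like context
    ]
    results = []
    for a in attempts:
        f = risk_factors(a, alice)
        results.append((decide(f), f))
    return results


if __name__ == "__main__":
    for decision, factors in demo():
        print(decision, factors)
```

The point of `record_verified_login` is that a new IP or device only stops being "new" once the step-up has been completed; a stuffed login that never confirms the e-mail link never gets to widen the account's trusted set.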


That'd be a valid excuse if you're not safeguarding personal and sensitive data. But is that the most you can do to protect the addresses and some level of access to somebody's money?


> Deliveroo has blamed the breach on cybercriminals getting hold of login details “stolen from another service unrelated to our company in a major data breach”.

> This is despite the company not asking customers to enter a Card Verification Value 2 (CVV2) code when making orders, a card security system designed to ensure that someone ordering something online has physical possession of the card used to pay for it.

More info on an article from November 2016: https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-f...

BBC's Watchdog documentary: https://www.bbc.co.uk/programmes/articles/3ZMjkWFfDZQ8zFYQJL... (with response from Deliveroo)


> (Later – a lot later – a Deliveroo spokesman would tell me it was likely I had been the victim of a “credential stuffing” attack, in which hackers obtain lists of usernames and passwords and try them out on other platforms.)

So this Tech Journalist uses the same password on every site?


the real issue IMHO is the "credential stuffing attack" makes no sense: hungry people getting their hands on leaked password dumps? a bunch of black hat hackers running a Deliveroo clone, getting clean money from customers, but really getting an innocent Deliveroo user charged, and having the order be sent to the address of the customer? none of this makes sense!

It seems to me like the corruption or fraud is within Deliveroo.


Another good reason to use a fintech bank account such as Monzo [1] or a credit card such as Tandem [2] or a virtual card that can forward transactions onto any other card such as Curve [3].

All of these services can give you a push notification every time a transaction is made on your account so that you are immediately made aware and are able to cancel them. You can block the card from within the app immediately.

1. http://join.monzo.com/r/vrlkxvo (Using this link gives us both £5)

2. https://www.tandem.co.uk/credit-card/

3. https://www.imaginecurve.com/ (Sign up with WAI91 and we both get £5)


I agree. I'd also add that my experience with fintech services, in regards to fraud detection, has been excellent.

I've been using Revolut for the past year. Just 2 weeks ago, they detected a potential fraudulent transaction with - you guessed it - Deliveroo, for an amount of £25 (I don't live in the UK). The transaction, as well as my card, was immediately blocked. I then received a push message asking me to confirm whether the transaction was fraudulent - pushing "Confirm" triggered the expedition of a new card to my address. In contrast to legacy banks for which it is still recommended you call on the phone to notify you're going abroad, this is excellent service.


They obviously vary, but my British legacy bank no longer wants to be told when I'm going abroad.

I don't use their app. If they suspect a fraudulent transaction, they block it and call me.


Amex has the same thing and their customer protections are generally better than the Fintech companies. Although Amex is not so common in the U.K.

Do any UK credit card companies offer consumer and fraud protection above the norm? Amex would immediately side with me if I showed them the Deliveroo communication. Another Citi VISA I had offered 18 months warranties on laptops and other electronics if I used the card.


Do all Amex cards have this? I've never seen this feature offered by them.

Edit: apparently they stopped doing this for average cardholders 15 years ago and it's a corporate-card-only thing now called 'Amex Go'


Amex recently detected a fraudulent charge on my card, and sent me an email with a "click here" button which, after I confirmed my identity, triggered the issuance of a new card in the mail in a couple of days.

I should note I have a "Starwood Preferred Guest" Amex card, but that is not a corporate card. It may be that the SPG card has additional features that a regular card would not.


A lot of places in the UK, especially low cost places, won't accept Amex because of the charges.

I saw my manager's Amex get declined when they tried to pay for a team meal (15 people) a few years ago.


Yes, at least the U.K. isn't as obsessed with cash as Germany is. I had trouble until one of my European colleagues told me about Amex Vicinity. You can see places around you and it can make it easier to use corporate Amex cards.[1]

[1]https://www430.americanexpress.com/mrec/mersearch/index?intc...


The troubles with Amex, and Germany's increased acceptance of Visa and Mastercard cards, are because of the EU's rules on restricting processing fees.

Those rules mostly don't apply to Amex (they were not considered part of the Visa-MC duopoly).

There's some interesting background here: https://www.headforpoints.com/2018/02/08/american-express-eu...


A cashless society does have some risks and of course penalises poor working class people and older ones.


The only one I've needed to claim against was Curve. I lost my wallet and my card was used in a McDonalds. I knew immediately and froze the card. Curve then refunded me a week later, when I contacted them.

Thanks for letting me know about Amex doing this. Might provide better customer service and many places do accept it.


“Deliveroo takes online security very seriously. Sadly fraudsters rely on the fact that people reuse the same passwords on multiple online services to try and gain entry to different accounts across the web.”

Yeah! Blame it on your customers! Way to go!

Sigh! Another gig economy service I'm damn sure never to use.


That's not even an excuse. There are solutions out there that mitigate the fact people reuse the same passwords.


I'd love to see a more specific version of Troy Hunt's "have I been pwned" API which explicitly blocked user/password combinations which had been leaked.

The catch is, you'd have to store the pairs together which then makes you a target, so in practice the best you can really do is what's on offer already -- check that the password hasn't been leaked (and maybe if the email address has a high HIBP leak count).

That solution would seem to force people into password managers and random high-entropy passwords or passphrases...


Example solutions that wouldn't result in a massive customer drop-off though? The average person isn't going to set up 2FA or remember a randomly generated password just for a food delivery website.


"...takes online security very seriously..." That is a statement that means its exact opposite. If you get breached, don't let that phrase creep into your announcement. Just say "We were breached. We're sorry. We're cleaning up the mess." or whatever.


Credential stuffing attacks aren't a valid excuse IMO, and should not make this sort of fraud possible. Amazon for example instituted a very simple and effective policy years ago: if you want to deliver something to a new address using an existing payment method you need to reenter the payment details. This means even if someone guesses your username and password and you have a valid CC on file they still can't send a package to some arbitrary new address.

It's conceivable that the fraud is on the merchant side, with a restaurant faking a large order to an existing address, but in that case Deliveroo still has responsibility for allowing bad merchants into the system.


I actually found the other day, if I edit an existing address, it doesn’t make me re-enter payment details. But adding a new one does. Not sure if this was due to a trusted device or if it always does it though.


I can't understand this fraud - surely getting something delivered to your door is the silliest way to defraud something? Also what are they doing with the £100s of takeaway food they are ordering?

I must be missing something here.


From my experience with Deliveroo, you can pretty much order at any address, wait for the delivery person at the doorstep and retrieve your order without actually living there.


I once asked for delivery to a pub's car park. No problem and the delivery guy did not ask for any ID or anything.


A long time ago I used to deliver pizza. We'd never take an order like that, it was an easy way to get robbed (business was pretty much all cash in those days so the drivers always had cash on them).

We'd only deliver to an actual numbered street address or apartment.


Pubs have numbered street addresses though?


This is relevant to my interests: I live a few minutes' walk outside the delivery radius for my town, and the nearest identifiable location within the radius is a pub car park.

I've heard of people getting deliveries to the middle of the park in summer, or even to a boat waiting beside a road bridge...


That's exactly what happened: I was too far so I set the delivery location to a place they accepted after a few trials and errors.


But what are you going to do with 3 £100+ takeaway orders back to back? You can hardly resell it!


Probably something like this:

1) People pay the fraudster for "discounted" food.

2) The fraudster places the order using the stolen account.

3) The fraudster tells the people who paid them: "Go to the pub car park at 9pm and wait for the Deliveroo driver. If he asks, your name is John Smith."

4) Profit.


Indeed, maybe there's an app called "Delilaloo" on the App Store that serves as the frontend for these scams


but then THAT should be the real story, why did the journalist stop digging?

it's also pretty hard to imagine it's worth the effort, you still need to advertise so people know about your service! the service would have suspiciously similar dishes advertised in menus corresponding to original restaurants etc... the unsuspecting customer gets to open the door for a Deliveroo person! there's just so many ways this would go wrong in the real world that it doesn't make sense to invest time and effort in MitM'ing Deliveroo from a limited set of compromised accounts...

This all indicates the fraud is happening from within Deliveroo


Put it in the fridge or freezer?

Why would they ever sell it at a loss? Everyone needs food, so they get the value by consuming it themselves.


When you're not paying for it in the first place, there's no "loss." It's all profit.


what about time, effort and risk of finding leak dumps, thinking through how you can use the data, and then possibly get caught? none of this makes sense, should we blindly believe them there was any "credential stuffing" happening at all? was this explanation not simply chosen to guilt-trip the customer?


You can find some places that would take fake orders in exchange for easy money. Or create a shadow platform where people can order on Deliveroo with cryptocurrencies.


Now you’ve gone from petty theft and wire fraud and tacked on criminal conspiracy and god knows what else. This could easily get someone 10 years in jail, right?

Not even that hard to investigate because there’s a complete paper trail after a fraud is reported of what was ordered, who delivered it, and where it was delivered.


I agree that none of this is making any sense. They would have to advertise the service, and every single customer might report the service when he ends up accepting his food from a DELIVEROO guy! It's simply not sustainable, the hassle is not worth the effort etc... I think there was no "credential stuffing" involved, it's just to make the customer feel guilty. Note how the article ends with an agreement they reached to jointly publish a statement (portraying the event as caused by reckless password reuse); perhaps Deliveroo hopes to construe this common agreement to the statement as an admission on the side of the journalist: "if only I had used a different password".

To me all this suggests the fraud is happening within Deliveroo, at a level above the delivery people.

The only credential fraud outside of Deliveroo I can envision is if the black hat hackers contact the restaurants to conspire, the food is then never made but the profit is shared...


>Now you’ve gone from petty theft and wire fraud and tacked on criminal conspiracy and god knows what else. This could easily get someone 10 years in jail, right?

That's how the cop would describe it of course. Anyone with half a brain knows they always throw the book but the whole book never sticks.

What sticks will probably wind up being some sort of fraud and the punishment will probably be something like fine and probation.


>but what you going to do with 3 £100+ takeaway orders back to back

Eat it.

When I was in college if the pizza guy was in the lobby (invariably trying to call someone who wasn't picking up their phone) very long it was customary to ask him what he was delivering and buy it if you wanted it.


Yeah this is the part I also don't quite understand.

What they may do is:

Order items that aren't as perishable, such as alcohol & ice cream (e.g. Ben & Jerry's), and then resell those via partner off-licence shops.


You could open a service on a darknet forum - £100+ worth of food for £20. And people on these forums are well aware of how to receive the order without getting into trouble.


Can you not buy things like bottled and canned drinks from places on Deliveroo? I suppose you could resell those.


Fair enough. But the markup on those items is crazy; you could order £100 worth of beer + wine and I'd be surprised if you could resell it for more than £10-20. Seems like a really risky way to make (not much) money.


You can sell in bulk to shady grocery stores and restaurants at slightly below wholesale costs and they sell to their customers.

This is how the market for stolen gas works anyway, I'd imagine stolen cola and beer would be similar.


Yes, bottles of wine as well.


Look at the world around you: there are people literally starving to death. Do you honestly think it would be hard to sell groceries on the side? Order $100 in meat and cheese and offer it at a discount and you will have people lined up around me. I would have literally no problem selling this all day long around me. Your comment made me wonder how you can not see the disparity in the world. As for the risk of stolen goods, that really is a minor risk I think. The poor want their next break. In my town it would be so easy to offload stolen food just through word of mouth.


Standard practice at university. Everyone just had a generic <Name>, Selwyn College, Cambridge address, so you'd just meet them at the main gate. Rarely checked ID (non-Deliveroo).


Maybe the restaurant is part of the scam, and the food is never prepared? Still it would remain extremely easy to trace the fraudsters.


Makes more sense. But still seems pretty odd and a complex scam (vs say running up fake orders directly with stolen credit cards).

If that's not the case you can't resell takeaway food, so no easy way to turn it into cash.


To run fake orders directly you need to steal credit cards info instead of hacking a Deliveroo account, it might be harder.


I would be shocked if it's that simple and Deliveroo didn't bother looking better into it. If we laymen can figure this out on an online forum in a small amount of time why can't Deliveroo figure it out and report the Restaurants to the police. Worse yet, how is this happening to so many people! I swear we'll hear they got hacked in a few more headlines.


It's possible this has already been reported to the police, but we all know they don't tend to move too fast on things like this, and it's likely Deliveroo doesn't want to risk hurting its own reputation by shutting out restaurants it suspects are taking part in this scam without enough solid proof that they are definitely in on it.


I mean if they keep using the same exact "restaurant" whose address ends up being an Apartment... It would be really suspect. Not saying this is the case, but it'd be more obvious if it were.


If they put the FSA "Scores on the Doors" (and local council) food standards ratings on, the act of looking up the address would tell them something was up.

"Address given is not registered as a restaurant or food outlet" (aka: they're not registered with the local council).

I've gotten into the habit of checking 'Scores, just because of the sheer number of poor quality food places on Deliveroo, Just Eat and so on.


What if the restaurants being ordered at are part of the scam? Steal from a Deliveroo customer, order at restaurant X, the restaurant puts it in their books, then splits the money with the party that broke into the account. As long as there's no proof the two are working together it's a great money laundering scheme.


A few years ago I was a 'victim' of identity theft and someone ordered Sky to be installed at my parents' address. They thought it was a gift, so gladly let the installation guy go ahead without asking me. I assume they did this to get a bill to be used as proof of address for other things, as I later had bank accounts and phones opened in my name.


You can change delivery address in Deliveroo, maybe they don't make you re-enter payment details like Amazon does when you use a new address? So get into someone's account, use their saved payment to deliver to an arbitrary address and they won't know.


As with others, I suspect collusion - perhaps not at the restaurant management but definitely among the staff. Order something non-existent, never deliver it, but collect the delivery fee?


> takeaway food

Apparently deliveries can and do include bottled spirits.


This is poor form from Deliveroo - their fraud detection seems particularly lacking, and fobbing customers off for months at a time is not good enough.

However the article is unnecessarily sensationalist in bandying around GDPR data breaches. Much of the article intimates there has been a Deliveroo data breach, whereas in fact the most likely explanation is attackers reusing passwords leaked from other breaches. This is acknowledged towards the end of the article but quickly glossed over.

If consumers are reusing exposed passwords this makes life tricky for Deliveroo. Maybe they should be using Troy Hunt's "Pwned passwords" to protect new user signups:

https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
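
Since both this comment and the earlier one asking whether the Pwned Passwords list "offers an API" come down to the same mechanism, here is an added example of how a site would consult it at signup or password reset (my own illustration, not Deliveroo's code and not from the article). It assumes the k-anonymity range endpoint at api.pwnedpasswords.com (send the first 5 hex characters of the SHA-1, get back every known suffix with a count); the offline corpus with its three "known bad" passwords and their counts is constructed so the block runs without network access, and the live fetch function is included but never called.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict

# The Pwned Passwords "range" API works by k-anonymity: the client sends only the
# first 5 hex characters of the SHA-1 of the password and receives every known
# suffix for that prefix as "SUFFIX:COUNT" lines. The full hash never leaves the
# client, so the service cannot learn which password was checked.


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the representation Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """5-character prefix sent to the service, 35-character suffix kept local."""
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by uppercase suffix."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Signup/reset policy: reject any password that has been seen in a breach."""
    return breach_count(password, fetch_range) == 0


def live_fetch_range(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not called in this offline example)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service: a tiny corpus of known-bad
# passwords with made-up counts, indexed by prefix exactly as the API would be.
CONSTRUCTED_CORPUS = {"password123": 3, "qwerty": 5, "letmein": 2}


def build_constructed_ranges(corpus: Dict[str, int]) -> Dict[str, str]:
    by_prefix = defaultdict(list)
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        by_prefix[prefix].append(f"{suffix}:{count}")
    # A decoy suffix in every range, since real responses hold hundreds of lines.
    return {p: "\n".join(lines + ["0" * 35 + ":1"]) for p, lines in by_prefix.items()}


CONSTRUCTED_RANGES = build_constructed_ranges(CONSTRUCTED_CORPUS)


def offline_fetch_range(prefix: str) -> str:
    """Stands in for live_fetch_range so the example runs without network access."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password123", "Tr0ub4dor&3-constructed-example"):
        print(pw, "breach count:", breach_count(pw, offline_fetch_range))
```

Because `breach_count` takes the fetch function as a parameter, the same code path is exercised offline and live, and a test can confirm that only the 5-character prefix ever leaves the process.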


From this Deliveroo engineering blog post:

https://deliveroo.engineering/2017/09/05/improving-password-...

"Therefore, from today, we will be informing our customers when we determine that the password which they use for Deliveroo is publicly known in some way. We will contact the impacted customers to request that they change their password, and advise that they also change that password at other sites where it is also used."


Thanks for posting this - I hadn't realised they were already doing it. I'm not sure how else they could be combatting password reuse attacks, short of forcing every user to reset their password.

It sounds like their engineering time might be better spent on fraud detection algorithms.


Also the hackers managed to change the user's email, which Deliveroo could have easily prevented by sending an email first to the original email address. It's hard to prevent people from using bad passwords, but there are a few easy things they can do to prevent hackers from completely taking over accounts.


I've seen a few services which do this as a matter of course. Sadly few allow the email address change to be rescinded without a customer-service call. By that point, the account may already be in fraudulent use.
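
Putting together the two account-takeover mitigations raised in this sub-thread, the Amazon-style rule from further up (a stored payment method can only be used for a new delivery address if the card details are re-entered), the confirmation e-mail to the original address before an e-mail change takes effect, and the self-service undo this comment says most services lack. Added example, my own sketch rather than anything from Deliveroo or the article; the `Account` model, the `card_fingerprint` (a stand-in for whatever token the payment provider returns when full card details are re-entered), the in-memory outbox and the sample account are all constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical account model. card_fingerprint stands in for whatever the payment
# provider returns when the full card details are re-entered; it is never the PAN.


@dataclass
class Account:
    email: str
    card_fingerprint: str
    verified_addresses: Set[str] = field(default_factory=set)
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    previous_email: Optional[str] = None
    revert_token: Optional[str] = None


class ReauthRequired(Exception):
    """Raised when the action needs more than a valid session to proceed."""


Outbox = List[Tuple[str, str]]   # (recipient, message) pairs, standing in for real e-mail


def place_order(acct: Account, address: str, reentered_fingerprint: Optional[str] = None) -> dict:
    """Stored payment method + never-used address => the card details must be re-entered.
    A session obtained with a reused password has the password but not the card."""
    if address not in acct.verified_addresses:
        if reentered_fingerprint is None or not hmac.compare_digest(
            reentered_fingerprint, acct.card_fingerprint
        ):
            raise ReauthRequired("new delivery address: re-enter payment details")
        acct.verified_addresses.add(address)
    return {"ship_to": address, "status": "accepted"}


def request_email_change(acct: Account, new_email: str, outbox: Outbox) -> str:
    """Nothing changes yet; the confirmation token goes to the CURRENT address."""
    token = secrets.token_urlsafe(16)
    acct.pending_email, acct.pending_token = new_email, token
    outbox.append((acct.email, f"Confirm changing your e-mail to {new_email}: {token}"))
    return token


def confirm_email_change(acct: Account, token: str, outbox: Outbox) -> bool:
    """Applies the change only with the token that was mailed to the old address."""
    if acct.pending_token is None or not hmac.compare_digest(token, acct.pending_token):
        return False
    acct.previous_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.pending_token = None
    # Keep a self-service undo path so the old owner does not need a support call.
    acct.revert_token = secrets.token_urlsafe(16)
    outbox.append((acct.previous_email,
                   f"Your e-mail is now {acct.email}. Not you? Revert with: {acct.revert_token}"))
    return True


def revert_email_change(acct: Account, token: str) -> bool:
    """Undo link from the notification sent to the previous address."""
    if acct.revert_token is None or not hmac.compare_digest(token, acct.revert_token):
        return False
    acct.email, acct.previous_email, acct.revert_token = acct.previous_email, None, None
    return True


def make_demo_account() -> Account:
    """Constructed sample account with one address already used for a delivery."""
    return Account("alice@example.com", "fp-constructed-4242", {"1 Home Street"})


if __name__ == "__main__":
    acct, outbox = make_demo_account(), []
    try:
        place_order(acct, "pub car park, Anytown")
    except ReauthRequired as e:
        print("blocked:", e)
    tok = request_email_change(acct, "new@example.com", outbox)
    print("mail to", outbox[-1][0], "-> account e-mail still", acct.email)
```

The two checks compose: a stuffed session that cannot re-enter the card cannot redirect food to a new address, and one that cannot read the victim's mailbox cannot swap the e-mail address to lock the victim out, while the revert token gives the real owner a way back without a phone call.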


This comment needs to be the top one on this story. It seems the writer is missing this point entirely. It's very poor practice from Deliveroo and their support team. But there is a big difference between breach through negligence of the data controller and accounts being compromised by user negligence.


I actually think the article is correct about GDPR data breaches. See my other comment about this.

https://news.ycombinator.com/item?id=18990122


Calling the police seems like an important thing the author didn't seem to do. This is not a nuisance, it's a crime. I am less interested in fining Deliveroo, rather I would like to see them forced to cooperate with law enforcement to prosecute thieves.


Of all the job interviews I've done, Deliveroo stands out as the only company that gave me a trick interview test - said specifically not to write a feature, and when I didn't, they rejected me on that ground.

Not surprising their whole business is like this.


Why would they do that anyway?


As they explained it, they wanted people who "went above and beyond"


To the point of ignoring clear directions? Ok..


Bullet dodged ...


I wonder what this says about their company culture or enforcement of ethics.


Fun fact regarding newstatesman.com

I am a user of NoScript, AdBlockPlus (still using 2.9.1), with its "Element Hiding Helper for Adblock Plus".

My NoScript had already blocked 24 domains, which I guess I have added in the years before. I proceeded to block another 6-7. When the site reloaded, and was perfectly visible, the count was "Untrusted (13)". Which means the original 6-7 that I 'just' blocked were loading at least another 12.

And then companies are wondering why Noscript, uBlock, etc. are so popular and complain about when we care about our privacy!


I don't understand? hungry people are buying leaked credentials? black-hat hackers are selling meals through a competing service to customers who then open the door for a Deliveroo guy? None of this is making sense!

Either the fraud is within Deliveroo (dig deeper!), or locating the served customer will result in the discovery of some kind of weird low-usage "stolen credential delivery of Deliveroo foods" service (dig deeper!)

This is not properly fleshed out IMHO... but yeah let's market and compare credit and debit cards and point systems and pffff


Disrupt disrupt disrupt. Avoid any liability for any damages or frauds, employ gig workers, grow 10x, be a unicorn make the investors wealthier than before and outsource the negative externalities to society.


I'm a bit confused, probably since I don't have Apple pay.

Does it not use credit cards? It should then be very easy to dispute the charge with the bank.


I use Apple Pay with both my debit cards. This is in the UK.


I wouldn’t use my debit card for any purchases. More protections and less hassle using a credit card.


The big issue for me is that I have a joint bank account with my partner, so using my debit card for that automatically splits the bill. I suppose we could each get a second credit card that we use only for joint transactions and pay those off from the shared account, but that means that the joint balance is now effectively split over three accounts, and at any time each of us can only see the balance on two of them (not the other's credit card). So it's definitely not "less hassle" in that respect.


If shared access is the only impediment to you using a credit card, you should try adding your partner as an authorized user to your card. You should both get access to the balance and other info.


Thanks, I didn't know about that. That sounds like what I'm after.


I think every credit card I've had has given me the option of adding a second card for a spouse to use. Maybe something like that?

Then just make sure you both have access to the online account so you can both view the balance at any time. There's a small amount of extra friction in that you'll have to coordinate a bit to ensure the card is always paid off equitably, but it probably wouldn't be too big a hassle.


No extra friction if you set up a direct debit to pay in full every month from the shared bank account.


That's possible at my bank at least, my wife and I have a common account with two visa debit cards attached (no credit on it).

It's not so much for splitting the bill (I pay the most of what goes in there), but it makes putting it in our accounting system much easier :)


Who said the split has to be equal :-) But it sounds like you have what I already have: a joint current account with two debit cards (one for each person).


It sounds like the GDPR is more or less unrelated and those fines are not forthcoming.

If deliveroo's own analysis is correct (and that is admittedly an 'if', but if you come out and say 'we hash our passwords, and you can quote me', let's assume they aren't complete morons in thinking that nobody on their staff would ever leak it if they didn't), then the problem is not that there has been a security breach over at deliveroo. The problem is merely that

[1] Their handling of a breach of account info that they weren't the cause of is very bad, both not investigating / blocking the recipients of the food orders (clearly 'whitewashing' fronts), or even trying to take it seriously,

and

[2] doing a bad job at enabling (or even motivating) their users to have good account security. Anywhere from scanning such credentials lists out in the wild and autoblocking any user/pass combo that is also a valid deliveroo login, to offering TOTP.

Both are, to be clear, very bad. Deliveroo deserves all the scorn they are getting. But neither of these issues is something you can be fined for, at least, not via GDPR.


I find it funny how the new "I know a guy" is the "I tweeted to my many followers" when it comes to dealing with problems.


I found Deliveroo sending highly detailed location information to a marketing company (Braze) yesterday [0]. I can't remember ever giving explicit consent for this and AFAIK under GDPR just covering this in a Privacy Policy is not enough.

On the topic of this story it seems like a case of credential stuffing so it's not a breach in Deliveroo's systems. Do the requirements as a "Data Controller" still apply in such a case? Regardless, Deliveroo seems to be handling this poorly.

0: https://twitter.com/K0nserv/status/1087753850088554496


> I can't remember ever giving explicit consent for this and AFAIK under GDPR just covering this in a Privacy Policy is not enough.

I don't believe Deliveroo is obligated to tell you who they send such information to. They are however obligated to tell you that they gather such information and, should they share it with a third party, ensure that said third party is GDPR compliant and sign a data processing agreement with them.

Deliveroo doesn't mention Braze directly by name in their privacy policy (https://deliveroo.co.uk/privacy), but they do let you know that they disclose "information they collect" to, among others, "Marketing and advertising partners".

They also mention in the same privacy policy that they "also collect technical information about your use of our services through a mobile device, for example, carrier, location data and performance data".

Braze themselves do appear committed to GDPR. That isn't especially surprising; it's a huge selling point for marketing companies towards enterprise customers. https://www.braze.com/product/data-agility-management/regula...

IANAL but I don't believe Deliveroo is in breach of GDPR. The best you can probably do is make a case that they do not have a reasonable justification to collect such highly-accurate location data for that particular use case, and should tone it down to, say, 5km instead of 1m accuracy. If you email dpo@deliveroo.com with such a request, there's a decent chance you could get the change done.


Actually, under the GDPR, they must gain permission to process your information for any marketing purposes. This should be on an opt-in basis.

Sounds like an issue to me.


No, it's not that clear cut. This is the relevant text:

https://gdpr-info.eu/art-6-gdpr/

Specifically, section 1 (b) and all of section 4. Deliveroo clearly needs location data; that they happen to be sending it to Braze is fine if they signed a DPA. So the question is, is the data sent to Braze exclusively for marketing? More critically: If it is collected regardless of consent, does marketing-specific processing still follow consent? (Collecting data is a more specific type of data processing)

As I said there's probably a good case to be made that the data sent is too accurate.

I'll note that I'm a bit cynical here since these are fairly minor issues compared to the much more egregious shit GDPR sets out to fix. There's definitely a potential cleanup there, but like, every single company has nasties like these hiding under the carpet. The regulation itself doesn't help these cases much unless people act on them and demand the cleanup.


> No, it's not that clear cut. ... the question is, is the data sent to Braze exclusively for marketing?

I'm not sure you're actually disagreeing with me. See -

> Actually, under the GDPR, they must gain permission to process your information for any marketing purposes.


Sorry if I wasn't clear; I'm saying that the data sent to Braze is not necessarily used for marketing, or only for marketing. It's possible (and in my experience not unlikely) that they collect it for multiple purposes including critical ones, and restrict more specific processing based on an optin/optout somewhere else in the app. This is still compliant.


Doesn't GDPR require explicit consent [0] for collection of sensitive private information? This is what many websites have implemented as popups with "I accept" or "Manage Settings" options. I don't remember going through such a flow with Deliveroo and if I did I would have disabled the "marketing" category for sure.

0: https://www.i-scoop.eu/gdpr/explicit-consent/


Hm, I tried to create an account to check the signup flow but it looks like you need to place an order to create an account (and I'm not that hungry) (also, that's a really fun and interesting way of massaging growth numbers…).

To add to what detaro was saying; even if explicit consent were required for sharing your location data, Deliveroo most likely got it; they after all need it to know where your order is going to go. When such functionality is core to the app, an opt-out is not necessary.

What they might not have gotten, or at least not clearly, is your consent to send that data to a third party, explicitly and exclusively for marketing purposes. I don't know how this would play out.

Realistically, GDPR and its enforcers err on the side of caution (you need good justification to gather the data and share it, including consent and a reason to gather it in the first place). So if you care about this and wish to see it corrected, as I said an email to their dpo@ will likely go a long way. In case it doesn't, your national enforcement agency may be interested. Extremely-accurate location data is pretty creepy, especially if they get it very often and doubly so if they store it for a long time.

The #1 thing I would look at here is what they actually need it for. They may need it for security reasons (eg. anti-fraud measures) and happen to be storing it in Braze which is probably okay if Braze respects GDPR and Deliveroo signed a DPA with them (you'd be surprised the amount of companies storing security data in GA).

But you wouldn't have a very hard time making a case that they're using this for marketing purposes and are gathering an unreasonable amount of accuracy. So now the question is, do you care about this enough to follow up on it? :)


> To add to what detaro was saying; even if explicit consent were required for sharing your location data, Deliveroo most likely got it; they after all need it to know where your order is going to go. When such functionality is core to the app, an opt-out is not necessary.

Per GDPR [0] consent must be specific, i.e. acquiring consent for a legitimate feature of an app and then also using the data for marketing purposes, which seems to be happening here, is not legal. Of course it could be the case that Deliveroo uses Braze for all their push notifications and thus consider it an essential part of their product. IANAL, but as I read the GDPR, giving an app location access required for legitimate functionality is not carte blanche for the app to use location data for any purpose without obtaining consent for each specific usage.

In any case, like you say it's extremely creepy and the level of accuracy is worrying.

0: https://gdpr-info.eu/issues/consent/


I just replied elsewhere in the thread regarding this. Consent to collect was acquired, but nothing actually says they're processing this data for marketing purposes if you haven't opted in to it.

I've seen this pattern quite often: The opt in/out flag is stored somewhere and companies invalidate the data they have based on that in the marketing tooling itself; collection still happens regardless. I've not used it but it's even possible Braze has information on the optin/optout and the ability to immediately reject data about optouts.

The reality is that, while the clean and intuitive privacy practices we're talking about are compliant, they're not required for compliance. Companies go the least-effort route. Deliveroo has clearly done a GDPR pass on their practices so I highly doubt they're using the data in question for marketing (even if they're collecting it).

But I'm still encouraging you to go and talk to them about it. I promise you if you're polite and clear about what and where the issue is, you can likely get some changes done. It's pretty fulfilling, too :)


As the article you link notes:

> As we wrote before consent is one of the six conditions for the lawfulness of processing personal data as stipulated in Article 6 of the GDPR text.

> Again, there are other conditions for the lawfulness of processing personal data.

If you're referring to the bit about "special categories of data" per Article 9, location is not such a category.

That said, location data is sensitive, so there certainly are questions that can be asked about how and why they use this data. You can ask them for details.


You should report it to the relevant UK agency tasked with GDPR enforcement.


I did one order in Milan with Deliveroo; since that day I have been receiving all kinds of emails and phone calls from different call centres.


I wonder if good fraud detection is one of the things routinely ignored by unicorns trying to get explosive growth. First, we had ridesharing companies where drivers could start rides without their customers. Then there were digital wallets getting hacked left, right and center (in India).


Interestingly the same author had a very different opinion when the same was happening to someone else. https://www.newstatesman.com/science-tech/internet/2018/09/g...

> Although what Spotify has done, or failed to do, by handing over data to whoever is logged in on an account, could be considered irresponsible, it is in no way illegal – and, in all likelihood, is generally the norm.


Pretty bad pronoun use in the headline.


Midway through writing this story, I got my money back, by the way – and from Deliveroo itself. Other victims have not been so lucky.

The author's experience is not uncommon and seems sensationalised to create a Twitter storm and garner sympathy, which is uncharacteristic for a journo who writes about 'tech and digital culture'. It would have been more apt to go into triage mode, i.e. stop the bleed of finances and dispute transactions immediately, before entering into communications with the delivery firm. After a resolution, choose to go turbo and further explore the implications of GDPR, then write about your experience in detail.

The article does not leave the reader any more informed or equipped to deal with such a fraud. It does not even pretend to offer any piecemeal advice e.g. don't use/re-use easily guessed passwords, use 2FA, use credit cards or virtual/disposable cards, contact your bank/issuer first, don't bother contacting low-level support via social media, explore data protection laws after a resolution etc.


After Brexit (March 29, 2019) is the GDPR still valid?


Presuming the UK actually exits. They can still withdraw A50 -- or possibly extend it but the EU has cast doubt on this.

Even if it does exit -- the EU will have incredible influence over the UK and can effectively enforce GDPR on most companies over a certain size, as those companies will have to create entities and corporate structures in the EU for varying reasons -- mostly tax minimisation for exporting.

Little sole traders with no ambition of expanding outside the UK will probably have the benefit of not having it enforceable on them.

Again this presumes the UK chooses not to implement its own data protection laws.


I believe the current plan is to keep laws as they are until parliament gets around to replacing them, so I'd expect the equivalent of GDPR (without the EU-coordination bits) to apply for at least a while.


Zero proof seems to be given in the article that it is Deliveroo's fault. While they probably should be more helpful, spreading the accusations based on guesswork seems to be yet another example of shoddy modern journalism.


This website makes it a point to make it as annoying as possible to disable all tracking. No option to disable all.

Full article for those who want to read it but not be tracked:

Deliveroo users are getting defrauded – and it could be fined millions for it

Scammers are using the delivery service to clear out bank accounts, and the company’s response may be in breach of GDPR regulations. By Sarah Manavis

On Friday morning, I woke up late, rushed to the tube, tapped in with Apple Pay, only to discover a few minutes later that my payment had been declined because I had insufficient funds. Figuring, “Well, it’s January”, I went to check my bank balance.

But rather than seeing an overspend or a direct debit I’d forgotten about, I saw three enormous charges from the food delivery service Deliveroo from the night before. They weren’t mine.

I immediately called Deliveroo to say that it wasn’t, in fact, me who ordered £100 worth of food in the space of ten minutes in three separate orders; and told them that the fraudsters had changed my email address, so I couldn’t even get into my account to look at where it was sent. I was told that they would investigate, and I would be sent an email asking for more information immediately.

I was not. After an hour, I rang again, to find that actually the email had been sent to the new email address – the one the fraudsters plugged in – so that they had presumably been alerted to the investigation. I complained, got the email re-sent to me, and was then met by radio silence for the rest of the day. When I eventually rang again, the company said it couldn’t actually tell me whether or not I would get my money back, adding that I might not hear from them for nearly a week before they let me know either way.

By 5pm, I was getting fed up, so I did what any journalist with a modest Twitter following would do, and tweeted. What I thought would happen was that my case would be bumped on the list, and maybe I’d get my money back sooner (or, indeed, at all). What actually happened was that my replies, DMs and email were all immediately flooded with people who had been a victim of the same fraud, saying, yes, this had happened to them too and no, Deliveroo had never refunded them. Of the roughly 40 people I spoke to, not a single one had been refunded by the delivery service; those who did get their money back had got it from their bank. The people tweeting the account claimed to have experienced fraud ranging from the low hundreds of pounds, like my case, to, in some cases, thousands. One person tweeted me to say that a friend of his was fraudulently charged £3,500 on his account. “Deliveroo offered him a £40 credit as a gesture.”

More shockingly, nearly half of these people told me that their cases were still technically “under investigation” by Deliveroo, some for over two months. Most of those who had been waiting for more than a week to hear about their case told me Deliveroo had simply stopped responding to their calls.

This problem is not actually new. In 2016, the Telegraph ran an exposé of rampant fraud on the food-delivery service, and reported on customers’ shock at Deliveroo’s poor handling of the situation. The same day, a BBC Watchdog programme did a feature on Deliveroo fraud, in which Deliveroo claimed that “instances of fraud on our system are rare”.

But dating back several years, Deliveroo’s customer service Twitter account, @DeliverooHelp, has responded to claims of fraud nearly every day – often, in recent months, multiple times a day. They may represent only a small percentage of Deliveroo’s wider customer base, but it’s not at all obvious this is “rare”.

However, help for customers – and fines for the delivery service – could be coming from Brussels. Laura Irvine, a regulatory lawyer and Partner at Davidson Chalmers, tells me that Deliveroo may have breached the GDPR regulations introduced last year on multiple counts.

The General Data Protection Regulation (GDPR), which became European law on 25 May 2018, made sweeping changes to data protection rules across the EU: now, companies are more liable for protecting the data they hold on customers than ever before.

Irvine tells me that Deliveroo appears to have breached these regulations three times over. The sixth principle of Article 5, for example, requires companies to have “appropriate security in place to keep your financial and other personal data secure”, she notes. The firm also appears to have breached Article 32, “which provides more detail about what is expected in terms of data security – namely encryption, which appears not to have been in place”.

Lastly, there’s Article 34, which requires the “data controller” – that’s Deliveroo – to tell “anyone who may be affected by a data breach about it without undue delay. This applies when the breach is likely to result in a high risk of an impact on the individual. Getting your bank account emptied would, I suggest, meet that threshold.”

So what fines could Deliveroo face, if it were to be found guilty of these data breaches? “It could be millions of pounds,” Irvine says.

She emphasised that this is a big “could” – the millions of pounds they could be fined would be the upper end of the spectrum. But it is entirely possible, especially given the criticism the Information Commissioner’s Office (ICO) has faced for the small size of its fines in the past. “They were criticised for the small fine imposed on Facebook – £500,000 which was the maximum under the old law,” she tells me. “So I think they will want to use their powers. And they need to keep up with the other regulators,” she adds, noting that Google recently faced a €50m fine in France for breaching GDPR.

That said, there are some things that could spare Deliveroo from this fate: if, say, Deliveroo had told the ICO about the data breach within 72 hours, the threshold for fines would be lowered. But, Irvine says, the high volume of incidents and the reported response from Deliveroo suggest they aren’t informing the ICO of their data protection problems.

“They may blame other parties, but at the end of the day if you give them your data then they remain responsible – in most cases,” she says. “I am not sure how the bank would stop this.”

I put all this to Deliveroo. A spokesperson told me: “Deliveroo takes online security very seriously. Sadly fraudsters rely on the fact that people reuse the same passwords on multiple online services to try and gain entry to different accounts across the web.”

Ultimately, though, fines are not the only problems that data leaks of this sort pose to firms like Deliveroo. “Soon people will stop using companies based on how responsible they are with data,” she says. “Particularly financial data – but even your address being out there can be uncomfortable or dangerous for some people.” If she’s right, then this, for Deliveroo, could be just the beginning.

Midway through writing this story, I got my money back, by the way – and from Deliveroo itself. Other victims have not been so lucky.


By the sounds of it this is a simple credential reuse attack (it's even stated as such in the article) so I really don't see where these accusations of a "data breach", and "encryption, which appears not to have been in place” come from. If these fraudulent transactions are the result of credential reuse I really don't see the GDPR violation here.


Yeah, not to defend Deliveroo (that's still abhorrent customer service), but I fail to see how they can back up the allegations of the various breaches. How do they know encryption was not in place?


Don't see it either. Nobody said there was an actual breach. Of course a change of delivery address/email/phone or when combined with unusual orders (large amounts) should be flagged and cause 2FA or some other mechanism to request confirmation to the account holder of record.


It sounds like this could be trivially fixed by requiring re-entering payment details if you order to a new address, like Amazon and others do.
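The two comments above (flag contact-detail changes combined with unusual orders, and require re-entering payment details for a new address) describe an order-time step-up check. Below is an added illustration of such a check, not Deliveroo's code; the account model and thresholds are assumptions, and the replayed orders are constructed to mirror the article's pattern (email changed, then three orders to an unknown address within ten minutes).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Added illustration, not Deliveroo's code. Hypothetical account model;
# the windows and multipliers are assumptions, not a known production policy.

@dataclass
class Account:
    known_addresses: Set[str]
    typical_order_gbp: float                    # e.g. median of past orders
    contact_changed_at: Optional[datetime]      # last email/phone change, if any
    recent_orders: List[Tuple[datetime, float]] = field(default_factory=list)

@dataclass
class Order:
    placed_at: datetime
    amount_gbp: float
    address: str

CONTACT_CHANGE_WINDOW = timedelta(hours=24)   # assumed
VELOCITY_WINDOW = timedelta(minutes=15)       # assumed
VELOCITY_LIMIT = 3                            # third order inside the window
AMOUNT_MULTIPLIER = 3.0                       # more than 3x the usual spend

def risk_signals(acct: Account, order: Order) -> List[str]:
    """Names of the risk signals this order trips (empty list = nothing unusual)."""
    signals = []
    if (acct.contact_changed_at is not None
            and order.placed_at - acct.contact_changed_at <= CONTACT_CHANGE_WINDOW):
        signals.append("contact_details_recently_changed")
    if order.address not in acct.known_addresses:
        signals.append("new_delivery_address")
    in_window = [t for t, _ in acct.recent_orders
                 if order.placed_at - t <= VELOCITY_WINDOW]
    if len(in_window) + 1 >= VELOCITY_LIMIT:
        signals.append("order_velocity")
    if order.amount_gbp > AMOUNT_MULTIPLIER * acct.typical_order_gbp:
        signals.append("unusual_amount")
    return signals

def decide(acct: Account, order: Order) -> str:
    """'allow', or 'step_up': re-enter card details, or confirm via the contact
    details on record *before* the recent change, so a newly substituted email
    address never receives the confirmation."""
    signals = risk_signals(acct, order)
    if "contact_details_recently_changed" in signals or "order_velocity" in signals:
        return "step_up"
    # A new address on its own is normal (people travel); two signals together are not.
    return "step_up" if len(signals) >= 2 else "allow"

def replay(acct: Account, orders: List[Order]) -> List[str]:
    """Evaluate orders in sequence, recording each so velocity checks can see it."""
    decisions = []
    for o in orders:
        decisions.append(decide(acct, o))
        acct.recent_orders.append((o.placed_at, o.amount_gbp))
    return decisions

def takeover_scenario() -> List[str]:
    """Constructed replay: email changed at 22:50, then three ~£33 orders to an
    unknown address over the following 20 minutes."""
    night = datetime(2019, 1, 17, 22, 50)
    acct = Account({"12 Example Road"}, 18.0, contact_changed_at=night)
    orders = [Order(night + timedelta(minutes=m), amt, "Unknown flat, elsewhere")
              for m, amt in ((10, 35.0), (14, 32.0), (19, 33.0))]
    return replay(acct, orders)

def legit_scenario() -> List[str]:
    """Constructed: no contact change, usual address, then one order while away."""
    day = datetime(2019, 1, 10, 19, 0)
    acct = Account({"12 Example Road"}, 18.0, contact_changed_at=None)
    orders = [Order(day, 20.0, "12 Example Road"),
              Order(day + timedelta(days=3), 22.0, "Hotel, out of town")]
    return replay(acct, orders)
```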


All of this discussion about the company here (which isn’t responding in a correct and honest way) and not much discussion on the root cause of this problem.

The journalist and the 40+ people were victims of a credential stuffing attack which means they used the same password on multiple sites.

Had they used a password manager to roll a new password per site and had Deliveroo had proper rate limiting, this attack would have been mostly mitigated.

There’s not much excuse for this behavior.
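The rate limiting mentioned above needs to account for how credential stuffing looks from the login endpoint: one leaked password per account across many accounts, so per-account failure counts stay low and the fan-out from a single source is the better signal. The class below is an added illustration, not Deliveroo's code; the thresholds are assumptions and the attempt logs are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Added illustration, not Deliveroo's code. Sliding-window limits per source
# address and per account; thresholds are assumptions.

class LoginGuard:
    def __init__(self, window_s: int = 600, max_fail_per_account: int = 5,
                 max_attempts_per_ip: int = 30, max_accounts_per_ip: int = 10):
        self.window_s = window_s
        self.max_fail_per_account = max_fail_per_account
        self.max_attempts_per_ip = max_attempts_per_ip
        self.max_accounts_per_ip = max_accounts_per_ip
        # account -> (ts, account) of failed attempts; ip -> (ts, account) of all attempts
        self.fails_by_account: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.attempts_by_ip: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def _trim(self, dq: Deque[Tuple[float, str]], now: float) -> None:
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()

    def check(self, ip: str, account: str, now: float) -> str:
        """Call before verifying the password: 'allow', 'challenge' or 'block'."""
        ip_dq = self.attempts_by_ip[ip]
        self._trim(ip_dq, now)
        acct_dq = self.fails_by_account[account]
        self._trim(acct_dq, now)
        distinct_accounts = len({a for _, a in ip_dq})
        if (len(ip_dq) >= self.max_attempts_per_ip
                or distinct_accounts >= self.max_accounts_per_ip):
            return "block"      # stuffing pattern from this source
        if len(acct_dq) >= self.max_fail_per_account:
            # Account under attack: demand CAPTCHA/OTP rather than locking it,
            # since a hard lockout lets anyone deny service to the real user.
            return "challenge"
        return "allow"

    def record(self, ip: str, account: str, now: float, success: bool) -> None:
        """Call after the password check with its outcome."""
        self.attempts_by_ip[ip].append((now, account))
        if success:
            self.fails_by_account[account].clear()
        else:
            self.fails_by_account[account].append((now, account))

def simulate(guard: LoginGuard, attempts: List[Tuple[float, str, str, bool]]) -> List[str]:
    """attempts: (timestamp, ip, account, password_correct). Returns the verdicts.
    Blocked/challenged attempts are recorded but never count as a success."""
    out = []
    for ts, ip, account, ok in attempts:
        verdict = guard.check(ip, account, ts)
        out.append(verdict)
        guard.record(ip, account, ts, success=(ok and verdict == "allow"))
    return out

def stuffing_run() -> List[str]:
    """Constructed log: one source (TEST-NET address) tries 12 different accounts,
    two seconds apart, one password each, all wrong."""
    attempts = [(2.0 * i, "203.0.113.7", f"user{i}@example.invalid", False)
                for i in range(12)]
    return simulate(LoginGuard(), attempts)

def brute_force_one_account() -> List[str]:
    """Constructed log: six wrong passwords for a single account from one source."""
    attempts = [(5.0 * i, "198.51.100.4", "victim@example.invalid", False)
                for i in range(6)]
    return simulate(LoginGuard(), attempts)
```

Traffic spread over many source addresses dilutes the per-IP signal, which is why the per-account challenge and the order-time step-up checks still matter, and why screening sign-ins against known-leaked credential lists (as suggested earlier in the thread) is a useful third layer.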


This kind of article and journalism makes me a bit uneasy.

This article only exists because the journalist was affected. If anyone contacted this paper saying company X has fraudsters leveraging their service (which is not uncommon), this article would never have been written.

That aside, I've been on the other side, resolving cases like this. Sometimes cases are complex, take months to figure out while involving multiple stakeholders (police, banks, payment processors, etc), and you have no idea who to trust on the other side of a phone line (it can be a victim, it can be the fraudster).


This kind of reflex journalism hate makes me uneasy.

> If anyone contacted this paper saying company X has fraudsters leveraging their service (which is not uncommon), this article would never have been written.

You don't know that. The New Statesman is an excellent magazine and has run plenty of investigations in its time.


It's not journalist hate, and I'm not attacking The New Statesman, I'm criticising this article.

If the article were about the growing problem of online fraud (which is growing quite steadily), and not only about Deliveroo, I would be happy.

Yes, I do know that, because as I said I've been on the other side and the number of articles covering individual companies being targeted by fraudsters is low compared with the number of cases.

Regardless of the motives that sparked the article, it still brings attention to the topic, which is positive.

