Deliveroo users are getting defrauded (newstatesman.com)
280 points by danso 23 days ago | 339 comments

Perhaps worth mentioning, since it's nowhere in the article, that the first thing to do is not to spend hours on the phone with Deliveroo (or whoever else) but to call your bank to report the transactions as fraudulent and to block your card.

That will probably get you a refund quicker (the transactions will likely be held until clarified) and will stop any further fraud.

As for Deliveroo's support team... Not very good in my experience, but that's common. Their competitors are no better.

This is basically the sole "feature" of credit cards I value. Any time I'm buying something from somewhere that might act poorly, I use a credit card for the free leverage I have in a disagreement.

Had an old phone's screen repaired at a store inside a Walmart. They fixed it but half the screen had no touch capability. They were highly resistant to doing anything about it until I said I would just do a charge back. Tone instantly changed.

I've started using privacy.com after I saw a post here on HN about it. It's pretty nice. Basically you link up your bank account and they create debit cards for any online vendors you use, and you can set limits, destroy cards etc. I usually put monthly / transactional limits. Like with Uber Eats I know I only spend x amount, if anybody tried to use my Uber Eats card for 100 USD it would decline it. But also it locks itself to the vendor you choose, so it can't be used elsewhere.

I've been using this feature with my Citi CC for 10+ years. And with Citi, I don't need to give my CC to a 3rd party.

Same with BoA MC's ShopSafe feature.

ShopSafe works with BoA Visa cards too.

Never tried that instead, might just try it, but I have other banks that might not support this at all (Credit Union). That's where privacy.com works best for me.

Some credit card companies offer virtual credit cards as a service as well!

Disclaimer: I work for one of those companies, but not on that product.

I loved this feature when I had Amex. The unique number-vendor pairing makes it easier to track down the vendor that spilled the beans to the charge defrauder. I was thrilled when capone started offering a similar service but its offering requires a browser addon with a backend anal about matching domain names to merchant names and sometimes rejecting valid purchases (I'm looking at you Dell factory refurb outlet).

That's an interesting idea. But I find a far easier solution is to turn on notifications. I get an email on my phone within a minute of every transaction. It's really nice having that feedback loop.

It doesn't save the PITA that is getting your card stolen, though. With a virtual CC you don't have to do anything except close that card out (which you can on Citi's website, which is the version of this I use).

I haven't found the occasional card replacement to be a pain, but I have two or more credit cards at any time.

It's not just being without, it's updating all other services that are tied to your card.

Now I personally don't let third parties store my cards, but it's quite common in this day and age of SaaS everything.

Oh, that's true. I guess I just don't have that many 3rd party services regularly billing my credit card without prompting for a specific one to bill. I've only had to replace two credit cards over about 10 years, though.

I have those on too! I saw the suggestion here, so I get: app notifications and emails. I also get notified if my balance gets too low. I used to want all that off, but email is a reasonable "paper trail" to know I'm not going crazy if I see an odd notification.

> I've started using privacy.com

Which is US only. Is there anything like it for the UK?

UK banks are already very good about refunding fraudulent transactions and associated fees:

"In most cases the bank must refund the payment without undue delay and by the end of the business day following the day on which it became aware of the problem, unless it has reasonable grounds for suspecting that you have acted fraudulently."

"When your bank refunds an unauthorised payment it must also refund any charges and interest you have paid because of the unauthorised transaction."

> UK banks are already very good about refunding fraudulent transactions and associated fees

U.S. banks, as well. Twice Citi has refunded me within minutes. Chase within hours. It seems the policy is "give the customer the money, and we'll sort it out later."

The point is to not have to need to dispute a charge.

I would be very careful on this one.

Some providers are interestingly stubborn when it comes to charge backs and can hold on to the (fraudulent) vendor's side even if you're clearly right.

Monzo in the UK is a prime example of that. An internet vendor charged me more than he should have and refused to void the transaction (basically text-book fraud) and I filed for a charge back with Monzo. I was extremely confident that it wouldn't take much, however Monzo customer service resisted helping.

The monetary value wasn't much however in the end I perfectly understood that this "protection" does not exist on the credit card issuer/bank side of things.

Be careful.

You didn’t file for a chargeback with Monzo, because they don’t offer credit cards. There’s less protection generally with debit cards.

Generally guidance is that you are entitled to a refund from the bank only if you did not authorise a particular transaction.

Chargebacks also apply to debit cards.

It's just that credit cards must offer chargebacks by law.

The laws around credit cards are much stricter, in the UK it is much safer to use your credit card online and for day to day purchases (with pay in full every month so no interest charges).

Does it matter? The simple reason they are there is to protect my interests. If they can't do it for a few quid, how can they do it for larger sums of money?

The Moral of the Story: Money institutes may not cover you like you think they will.

I've learned my lesson.

Again, be -very- careful.

Money institutes may not cover you like you think they will.

Not if you didn't read your debit card agreement, no. Nothing you've stated wouldn't be clearly spelled out in the agreements I've seen for debit cards. I mean, I can see how this happens: looks like a credit card, must have the same protections as what people online say about credit cards, right? Nope.

> If they can't do it for a few quid, how can they do it for larger sums of money?

If I remember correctly, debit card protections don't exist below £100, so they literally can't do it for a few quid, but they can for larger sums of money.

This isn't an example of Monzo being terrible, this is an example of debit cards being terrible.

Debit cards in almost all cases have fewer protections, and that is clearly stated.

Monzo doesn't provide credit cards, only debit cards.

Banks have a vested interest to work with you for purchases made on credit because it's their money. Debit purchases have no such leverage and thus have lower protections.

If it costs more than £100, use a credit card in the UK as the CC company is jointly liable for any issues, even faulty goods.

One could open a Monzo account (which is completely online and can be opened in a day): https://monzo.com/

You would get your debit card within a week max. You can transfer a limited amount from your original bank account to your Monzo account, and on top of that you can set some restrictions on how much can be withdrawn, and there are some special features like Pots which are very useful.

I am not saying this is the best, but even if someone steals your Monzo card details, you can request a new one and your original bank card details are still safe.

Note: All this works, only if you don't use a credit card.

The instant transaction alerts let you put a freeze on the account in a matter of seconds, so that's nice. I actually use my monzo account so putting low usage limits isn't practical.

Edit: although I guess they'd just do it in the middle of the night so doesn't really help.

Not sure about multiple cards, but Revolut gives you a virtual debit card you can turn off and on, put restrictions on, etc.

Revolut also have disposable cards that are valid for only one transaction.

Many banks offer this service without any third party. I don't generally see it advertised a lot, I assume because it's confusing to people who have no interest in it, but you can look up something like "virtual credit card" or "temporary credit card number" and probably find a bank offering it.

The very crude answer is to get a prepaid card and load it with enough to cover each purchase, then toss it as soon as it gets misused. Which works, but doesn't sound worth the hassle unless you seriously expect a bad outcome.

Yes I think so. I save with a credit union (just because it is local and they do turn around with the money and give small loans to people which banks would not). They offer a prepaid debit card, which I do not have, but it is provided by 'The Change Account'.

You can use Curve https://www.curve.app/

While Curve is indeed an excellent service, transactions made through it are not covered under section 75. See here: https://support.imaginecurve.com/hc/en-gb/articles/213620489...

A related tip, given to me by a Capital One rep when my card was compromised: get a second card (which has a different number) that you use just for automatic payments. Then when your “regular” card is compromised by a restaurant, skimmer, or shady online vendor, you don’t have to notify your autopay accounts, since your autopay card is unaffected.

SEPA offers chargebacks on debit charges as well, same effect if you use it (and I prefer it over a CC).

As a matter of principle, I would rather just do the chargeback (and get it really fixed somewhere else) than use it as leverage to negotiate for what I want on the spot.

If a company is prepared to stiff me like that, the convenience of having it fixed right away is not worth the concession of letting them have my money when all is said and done. Is that just me?

This is also the reason why credit cards are so ridiculously expensive.

But then is there literally any alternative payment method in the US that does not involve a credit card? It seems like the US banking system has just not invented anything in the last 30 years. It's not rocket science: money from my bank account to Deliveroo's bank account in (near) real time.

This is a peculiarly US phenomenon. Much of the UK, EU, Aus etc are much more willing to adopt new payment technology. (Can't speak for the non English speaking world but obviously China is way ahead)

Surprisingly the US is much harder to convince. Ask people under 30yo in Aus or the UK when they last wrote a cheque, and the answer "what's a cheque?" is likely the response. Signing for a payment, magstripe, even using a PIN is mostly a distant memory.

Yeah what is a cheque? ;)

I can go weeks without my wallet now, Samsung Pay on my phone works just about everywhere in Australia, and it's great. Banking app even lets me generate a code to get cardless cash from ATMs, should I need notes.

For transactions bigger than ~AUD100 I do have to enter my pin but that's a minor inconvenience.

> Ask people under 30yo in Aus or the UK when they last wrote a cheque, and the answer "what's a cheque?"

It's what train companies in the UK send you 3 weeks after you file a delay compensation claim...

> This is basically the sole "feature" of credit cards I value. Any time I'm buying something from somewhere that might act poorly, I use a credit card for the free leverage I have in a disagreement.

But without a credit card, they wouldn't even have been able to get your money without authorisation. I don't see how something like this would have been possible with a system that requires explicit authorisation per payment.

> But without a credit card, they wouldn't even have been able to get your money without authorisation. I don't see how something like this would have been possible with a system that requires explicit authorisation per payment.

I don't understand your point. Are you saying the ideal scenario would be to fill in the card's information each time? The fact that it's a credit card doesn't change that it was prefilled; a debit card or wire transfer is the same. Credit or not, if it's already there, the one that accesses your account can use it.

With a credit card though, you can do a chargeback, which not only gives you your money back, but also adds a direct cost (and a steep one from what I understood) to the merchant that made the transaction. As far as I know you couldn't do the same with a debit card.

What I mean is: with a credit card, you submit the information necessary to make the payment, to the merchant you're buying from. They could store that information and use it to make payments I never authorised, which is bad. On the Web, some sites have fortunately delegated that responsibility to a payment provider, but the payment provider is still not my own bank.

When I pay with my bank card with an internet payment through my bank, the authorisation is handled by me and my own bank, and nobody else. Nobody else can ever make that kind of payment without access to my password and my 2FA system. That's how it should work.

A few years ago, I made the mistake of buying some furniture using my debit card instead of credit card (about £1k).

Between the payment and the delivery the company went bust.

I thought I was out of the money, but after a brief search I found out that, although there is no legal requirement to do so, VISA in the UK offers (or at least used to) the same chargeback facility to debit cards as for CCs. I visited my bank branch which gave me a phone number to contact, sent in a bunch of paperwork and after about 2 weeks I got my money back. I was very pleased as you can expect.

They could require the CVV when delivering to a new address - it's only three digits. But we're talking about a company that doesn't even refund obviously fraudulent transactions, so never mind.

With a credit card, (at least in the UK) you can cancel a transaction post final authorization.

In this scenario, the bank is jointly responsible for the transaction, and should refund you if the transaction isn't completed satisfactorily.

Little confused as to why you chose their comment as the place to mention this downside.

Their story is about a situation where they gave explicit authorisation. They intentionally paid.

That's true. Being able to undo an authorised payment if the other party doesn't fulfil their end of the bargain is absolutely an advantage over other forms of payment.

In the Deliveroo case, however, it's the inherent insecurity of credit cards that made that problem possible in the first place. In light of that, the ubiquity of credit cards for online payments where data is so easily copied and leaked, never ceases to puzzle me.

all repair shops inside Walmarts are either Cellairis or iFix&Repair franchises. A quick call to parent company would have resolved it too.

This doesn't work in Germany, for example. If you charge back, they'll just put you into a central register (called Schufa) that will basically make it impossible for you to get a credit or even to rent an apartment.

No, disputed charges must not be reported to any credit register, Schufa or other. Only undisputed charges or court-certified decisions can be entered into a credit register. Even the repeated threat of reporting the charge to the credit register is illegal in many cases [1].

[1] https://www.wbs-law.de/datenschutz/unternehmen-darf-nicht-mi...

It's not a charge back in that sense when you report fraud or card theft.

And I suppose that the effect you describe results from abusive charge back requests. I doubt you will be refused a mortgage because you were a victim of theft in the past...

> I doubt you will be refused a mortgage because you were a victim of theft in the past...

Don't be so certain about this. The credit reporting agencies are evil, nasty blackboxes and it is not transparent how your score is influenced, even by fraudulent stuff.

While I hate the Schufa with a passion, it is not as clear-cut and automated as you make it seem. Before anyone can do shit with your Schufa score (or the other smaller credit reporting agencies arvato infoscore and Creditreform), they have to formally remind you of the debt that you have due to the charge-back before, and you can always contest fraudulent entries at the credit reporting agencies.

Additionally, you can and should file a police report for fraud when hit with such a scheme, it makes dealing with your card-issuing bank and the CRAs so much easier.

Can confirm that the police fraud report helps grease the gears (in the UK, this is done through Action Fraud).

The bank went from "we won't help you" to "oh, we'll fix that" about as soon as I told them I had a crime reference number...

I guess this has something to do with the penalties for making a false police report being much higher (in criminal law terms) than lying to a bank.

Charge back for a credit card? That's the first time I hear of this. Do you have citations for this?

Contesting a charge is a primary feature of credit cards — at least in the US. There’s a prominent link when I login to my credit card account allowing me to contest any charge, and a litany of reasons which you can then select from, ranging from “I don’t recognize / didn’t make this charge” to “Item was not delivered”, “Item was returned”, etc.

I've been imprecise, sorry. What I meant: how do chargebacks on a credit card lead to a negative Schufa entry? I've never heard of this.

It's the one saving grace for using something so insecure for payments. At least the credit card company and/or merchant share that risk.

The CC offloads all of the risk + a fine to the merchant, they assume none of it.

Just so you know - chargebacks are reported to credit bureaus. Sometimes they will show on your report for a few months, sometimes they don't. Just letting you know if you are ever wondering why you have a good credit score but the bank doesn't approve your loan or doesn't want to extend your credit.

I’ve never had a credit card of mine report a chargeback, and if they ever did I would cancel the card immediately.

Mostly chargebacks are for actual fraudulent use of the card, and the process also includes getting a new card number.

Lately, most chargebacks I’ve done have actually been issued by the card itself after they detected suspicious activity and sent me a text alert asking about specific charges.

In one case, it was a debit card which I had received in the mail, activated, and never used and had never left the house. That one was particularly bizarre and I let them know something was very wrong there.

Credit cards do not report, merchants' banks do, directly with credit bureaus. From there they decide if a certain card holder triggered too many, and then they put it on.

Oh boy, don't you love being downvoted when you give people genuine good-faith advice. I miss HackerNews from 5 years ago...

Google this: "Account information disputed by consumer, meets FCRA requirements" and you will learn more.

That was my first thought too. Yes, I'd contact Deliveroo, but also my bank. If I didn't get a refund (some people waited months?), I'd sue them in a small claims court if the amount is low enough for small claims and if it's not, I'd at least talk to a legal adviser. Waiting on Deliveroo for months after being defrauded thousands of pounds is crazy.

Apparently you have waaay more time than I do to sue people in small claims court. Charge back via calling up my CC company is much easier and quicker.

At least where I am, a small claims claim is a matter of filling out a form and paying the fee. I may be contacted for more information, but don't need to otherwise do anything unless I'm unsatisfied with the outcome, in which case the appeals process goes through a proper court.

Besides, I said that I'd only do this if I didn't get a refund through Deliveroo/bank/CC chargeback. I certainly wouldn't start with small claims court.

A demand letter is often enough and is a good step before small claims. "Fix my problem in ten days or get sued in small claims court", sent via certified mail to their designated agent for legal service in your jurisdiction, can often solve your problem.

Good suggestion. There's definitely a series of steps to go through before any time consuming and expensive lawyering up is needed.

Small claims court often does not require a lawyer. But yeah, the general process of "document things and escalate using said documentation to people whose job it is to make sure expensive lawsuits and regulatory actions don't happen" is an excellent choice.

Oh, I know, I said that in my other comment: where I am, it requires little more than filling out the claim form and paying the fee (and giving them more info if requested). It's only if you want to appeal that you may need a lawyer, or if you want to sue in a normal court. I just meant that there's a bunch of steps you can do, including small claims, before needing a lawyer.

Small claims hearings are held in county courts.

That is the best way, go to the bank.

It is mentioned in passing in the article itself.

> Of the roughly 40 people I spoke to, not a single one had been refunded by the delivery service; those who did get their money back had got it from their bank.

I agree this is evidence. We know at least Deliveroo don't deal with fraud promptly or take it particularly seriously and thats bad enough even if they do eventually get around to it.

In my own experience, UberEats support team is stellar - I have had many many many issues due to couriers or the restaurant (wrong order, order got delivered completely ruined, order was cold, order was missing something, ...) and never once was I left in a bad situation.

I have almost always had a full refund (otherwise just partial for what was wrong/damaged) but what I really LOVED was how transparent they are throughout the process.

They message you when your concerns resulted in a ticket opening, when someone picks up your support ticket, when they are working on a resolution, and then when they found a resolution for your issue.

It's very seamless as well - I was experiencing issues on their web platform, DM'd support on Twitter, received info by email and on the UberEats app and at no time were there inconsistencies.

If it wasn't for the quality of their support team - I would have stopped using UberEats a long time ago.

Deleted my UberEats account when they told me that they could not offer any compensation for not delivering what I had ordered.

Getting a refund on what you ordered but did not receive is not compensation, it's what they must do.

> In my own experience, UberEats support team is stellar - I have had many many many issues due to couriers or the restaurant (wrong order, order got delivered completely ruined, order was cold, order was missing something, ...)

So, they have good customer support, but suck at the basic function of the business? And you keep using them?

Problem is most vendors will then block you from ever using their service again. Might not be such a big bummer, after all they're helping people steal your money. But here it was through Apple Pay, so it may have bigger ramifications to block the card.

I don't see a problem by being blocked from a service I would never use again anyways.

Plus the following dialogue: what was your name?...I am reporting you to xyz state attorney general's consumer fraud division is incredibly effective.

I've got to ask, when have you _EVER_ said this and had it actually result in what you wanted?

I worked in call centers for years and we laughed at people like you for a whole multitude of reasons.

The main reason being once you say this I'm no longer obligated to help you. Since you've decided to make this a legal situation instead of a customer service one you'll now need to talk to our team of lawyers that are on retainer. Anytime you call or email you'll get auto routed to our legal department forever who will go out of their way to not help you.

The reality is that people who make legal threats don't actually follow through because they aren't people that understand the law or how it works; if they did they'd be taking actual legal action against us, not making idle threats to people making $19 an hour.

Legal threats work for me about half the time, but I threaten small claims court only after getting escalated to a manager while collecting as much info as possible (it also helps if you're in a one party consent state and can play back parts of the phone call to the manager). It works for big companies better than small ones but it does take a little longer for the escalation to go through the legal department and I haven't really bothered trying it for small disputes (anything under a few hundred dollars). The few times I have followed through on the threat resulted in a settlement with one local business and default judgement against two big companies now.

I have used it 3 times or so and it was effective. The thing is I am not threatening to sue personally. I am threatening to refer the issue to the government. I personally had no intention or interest in pursuing legal options, but maybe the AG would. In one egregious case where the situation was resolved I still informed that office of the attempted fraud.

Again I'm not threatening to bring legal action. I'm just letting the 800 lb gorilla know about the situation and they perhaps might want to do something.

> Problem is most vendors will then block you from ever using their service again.

Who is "most vendors" exactly?

They may have been embellishing that claim; however, I think what they were getting at is that in some situations using the chargeback mechanism can have wider repercussions. For example: if you are "ripped off" through Steam on a particular purchase and use a chargeback, they may shut down your account. In that case, you would lose access to all of your games purchased through Steam. Similarly, if you use a chargeback with a Google Play Store purchase you may lose access to your entire Google Account.

Ah so not "most vendors" would ban you for reporting fraud to your bank, then.

What are you trying to achieve here?

Calling out blanket claims...

Thanks for the downvotes.

An example: Uber drivers requesting fake cleaning fee was recently discussed here on HN. Uber refuse to handle it properly, so people solve it by doing chargebacks only to find themselves blocked from the service.

Also heard it with lots of other vendors, but won't name without having something more substantial to back it up with.

Again, being blocked from a service that is screwing with you doesn't seem that bad.

I would never touch a company again that did that to me anyway.

It kinda depends on the service, though.

If I have a shitty customer service interaction with an Amazon rep, I might have to weigh the chargeback versus the value of my Kindle library, my AWS instances suddenly going dark, etc.

In the case of Uber, I might find myself severely restricted in transit options in an unfamiliar city.

It seems to be part of the "Disrupt!" business model. The "customer" "service" team is basically disaster mitigation, probably taught to screw with the customers. Like AirBnB, $2000 worth of damage to your apartment? They'll delay for a few days and offer you $200 if you agree to an NDA. Or that guy whose dog died after being walked by someone who used someone's account on a dog-walking service...

> offer you $200

If you're lucky. Otherwise they'll offer you "credit".

I’ve seen Uber respond to a chargeback by leaving the account active but disallowing all payment methods. With most companies I’d expect it was a customer support mistake rather than vindictiveness, but with Uber it’s hard to be sure.

Please note that when you do this in a dispute, they are probably going to block you from using their service in the future.

I've never heard of this happening but why would you want to keep using them anyway?

As someone else mentioned.. if you do this with Steam, you could get blocked from accessing all your past purchases. If you did this with your ISP, you may not have other high-speed ISPs to choose from.

And here is the irony.

Money-as-a-service (banks) give you the power to do this. But dependence on anything-else-as-a-service gives the provider power to make you think twice.

To add my anecdata, I had an excellent experience with Deliveroo's support team just before Christmas. Some pizzas arrived damaged. They offered to send exactly the same order again.

Definitely worthwhile, I think a huge amount of people in the UK use Debit cards with Deliveroo and other services so no money will come back off these.

The word you should use to the merchant is chargeback. They should sit up straight at that word; if not, just go to your credit card company.

Use that too often and you might be blackballed by the service. I know, but life is long.

I'm not surprised by this response from Deliveroo. Their focus lately has definitely moved away from customer satisfaction.

I discovered recently that drivers are allowed - without penalty - to reject an order when they reach the pickup location if they see the receipt and decide it is too far to travel [1].

As a customer you just see your food go: `Assigning Driver -> Driver En Route to Pickup -> Driver Arrived at Pickup Location -> Assigning Driver`, for two hours on repeat. Eventually your cold food arrives 2 hours later, and you are offered £5 credit for your ruined meal.

I live in Central London (Old Street), and have had this happen repeatedly with restaurants that are not far from me.

[1] https://www.reddit.com/r/deliveroos/comments/82w97o/riders_o...

Actually, the driver already knows where the destination is before going to pickup. If he rejects offer after getting to restaurant, it's probably because he asks the staff how long it will take, they reply 10 minutes, which usually means 20, and the driver decides to go looking for another offer. This is largely because some restaurants start making the order only after a driver arrives.

I think I’m old fashioned but I just don’t understand the appeal of these food delivery services. My friend’s son uses Postmates to order fast food and it seems absurd to me.

I must be missing something about these services given their popularity. Do you mind explaining why you use them?

I think you are just trying to be that guy. I go to this website, pick what I want, pay and some time later what I ordered gets delivered to my door. What's there to get?

Fast food is pretty bad when it's fresh. It's awful after it's been in transit for 20-30 minutes or more. The idea of spending $10 or more to get a lukewarm burger and mushy limp french fries has no appeal to me.

I think people are ordering from more upscale restaurants, not McDonalds.

Food temperature is a personal preference, some people are really picky about food being hot/fresh, some aren't. I prefer the taste of room temperature food over hot food so "sitting around for 20 minutes" would be a feature for me.

You say that, but I saw someone picking up an UberEats at McDonalds...

... and then jumping into his new C300 to deliver it.

I'm not sure I can process that. New Mercedes, let's put miles on it delivering fast food...

He owns a Mercedes so he probably loves driving. Maybe if he wasn't delivering for UberEats he'd be out joyriding in his new Mercedes without a destination. In doing UberEats he's got a destination and he'll decrease his expenses by like $5/hour and take another car off the road. I know a guy who spends like half his free time driving around in a $70,000 pickup truck because he enjoys it, doesn't have a destination, just goes for a drive for fun.

And some people really like McDonalds and don't care for the fancy stuff.

It's not for me, but it basically boils down to "people like different things than me."

I know someone else who can't understand why anyone would ever play video games: "it's time and effort for zero reward."

Some people enjoy doing work on their car, while others would rather pay someone to do the work for them.

Humans aren't the same.

Fast food is usually only palatable hot. By the time it gets delivered it’s cold, no? Also fast food is cheap and the delivery cost is a large percentage of the overall bill. I mean a $10 meal ends up being $20.

Er, deliveroo delivers from restaurants.

Justeat delivers from fast food.

Deliveroo costs more because it's providing a delivery service for restaurants that don't normally deliver.

So I'm getting good food. When in a restaurant, things sit in a kitchen for 10 minutes waiting for the rest of your order anyway. 10 minutes in a thermal bag is the same.

Wouldn't that be 10 additional minutes in the thermal bag? If it sits waiting for 10 minutes for the rest of my order, wouldn't the time in the thermal bag be in addition to this? Also, in the U.S., in my experience with others doing this, it takes more than 10 minutes for the driver to pick up the order. Then another 10-20 minutes to deliver. To me this ruins the meal. You don't get a nice presentation and the food is way colder than the chef intends.

Deliveroo orders generally get rushed out from my experience sitting in restaurants waiting for my sit-down meal to be served.

"To me this ruins the meal"

Shrug, I'm not sure what you're expecting anybody to say. I can't really change your mind on what is a hypothetical situation for you. I've ordered plenty, and it's generally no worse than the quality I would get in the restaurant (other than the presentation in a bespoke takeaway box rather than on a plate).

Also, what kind of presentation are you expecting for a burger anyway? It's a burger, with some artfully surrounding chips? Ordered to go, it's a burger, with the chips in a smaller box instead of surrounding the burger.

> To me this ruins the meal.

But at that point you're basically just objecting to all delivery food ever. Which is fine but, like, you are aware that it is a huge industry and has been for decades and people do like it? Convenience trumps artistry (and optimum temperature) for many people a lot of the time.

In Italy at least, Deliveroo will order from middle and low-end restaurants (pizza places, some sitdowns, any fast food). The drivers are also on bikes generally, which I thought was common for deliveroo but after reading this thread maybe not.

> Do you mind explaining why you use them?

I want food, I can't be bothered to cook or go out?

Are you seriously struggling to understand food delivery? Or if you mean what's the benefit over e.g. ordering direct from a restaurant, it's that you have a lot more choice and it's much higher quality than traditional takeaways (you get proper restaurant food).

It arrives cold, no? Delivered restaurant food makes no sense to me. Won’t things get all mashed together? The plating will not be nice. And to pay for such a service? I don’t get it.

Thermal bags, transport-aware packing, and the service costs a couple of quid, not the ten dollars you suggest.

You're not going to get a gourmet steak hot from the grill with precisely placed edible flowers laid delicately in it. But a bag of fries and a carton of fried chicken does not require eggs-in-space-shuttle level cushioning

In the U.S. we typically feel compelled to tip. This might not be the case for you if you aren’t in the U.S. I looked into using Postmates to try it out and it came to around $10 to use if I didn’t tip generously.

I think I’m old fashioned but I just don’t understand the appeal of these food delivery services.

"Old-fashioned"? Nice try, Grandpa. I'm approaching retirement, and delivery of restaurant food has been a thing since before I was born. Hell, Domino's was founded in 1960.

But not fast food delivery. This is a recent thing. And most restaurants didn’t do delivery. I don’t see the point of ordering a meal that is best eaten hot to be delivered when it comes to the house warm.

But not fast food delivery.

Hey, I quoted you accurately. :-) But fair enough. My counter would be that if your bar has fallen to fast food territory, perhaps warmth and presentation isn't an issue at that point for some folks. But I haven't been part of the fast food demographic for decades, so what do I know?

tbh, I see little difference between pizza and general fast food.

I would even prefer a KFC bucket with 25 chicken wings delivered to me, not pizza (which is mostly bread).

Domino's comes under the genre of fast food too. It's not all just burgers and fries.

I do not use Deliveroo but what sounds like something similar in my area.

I live 20 minutes outside of a small town in Norway and the restaurants/kebab shops don't generate enough take-away business to provide this service themselves.

There is another company that does that for them and serves all of them, making take-away possible at all.

Now this company actually operates with a time guarantee, that is if the food is not delivered within an hour or if the order is "refused" due to reasons the OP touches on you get your money back.

I've yet to have any of that happen to me, possibly because it would actually be bad for those delivering.

I could drive and pick it up myself, but sometimes you just want to be a couch-potato and be lazy!

genuine question, how can food stay warm/fresh if you have to drive 20-30 minutes with it? how often do you get the food cold?

They have special thermal packaging. Usually when I get the food it's so hot I have to wait a bit before eating it :)

At least in my town, thermobags are the thing. You can even get a hot soup.

Pretty simple.

When you are severely hungover and your fridge is empty, food delivery is a godsend, even if it is fast food (and proper food is just priceless).

A recent McD commercial in NZ even focused on this particular case -- zombie-like people who celebrated NY 2019 all night long are getting some food delivered to their door. Don't have the link right now but you can google it.

If you have a small child, then just leaving the house to run an errand is an entire ordeal (esp if baby is sleeping right now). It's worth paying some non-trivial amount of money to avoid running errands. If you're also lower socio-economic class, then that leaves the only food you can afford being fast food.

People love to talk about these services as if they're only for young, single hipsters, but a significant portion of their use comes from people with some kind of life limitation (same as the Whole Foods peeled oranges in a plastic box that people love to make fun of; these are a godsend for people with poor motor skills).

Their first-customer discounts and incentives are pretty enticing.

I live in Taiwan, where Deliveroo gives you about $3.50 off your first order, and delivery is factored into the price. A friend of mine ordered a $6 pizza that she ate half of and brought the rest to work the next day. All told, she paid $2.50 for two lunches, and didn't even have to leave the office.

That doesn't sound better than the alternative to you?

I know, right‽‽‽ I don't even know why people pay other people to cook for them! Absolutely preposterous!

I’ve paid people to cook things for me. I’ve paid someone to cook shitty fast food for me. I’ve never paid someone to deliver that shitty fast food to me. When it arrives it is at best warm and even more disgusting. I don’t see the appeal of these services. It’s much better to get the food when it is hot. At least in my opinion. My friend’s son spends several hundred dollars a month in delivery charges. I certainly don’t understand doing that.

Presumably the people who find value in this service have different taste buds than you and don't find the food they pay a premium for "disgusting."

Or they have different priorities than you and value convenience over taste, price, and quality. There's even an entire industry built on this premise, "convenience stores."

There are certain things that really don't make sense for delivery, like McDonald's. I could drive there, go through the drive-thru, and be home by the time someone else is picking it up. Most other restaurants do make sense for online ordering and delivery. Most of the time I just go and get the food myself as I'm usually just too cheap to pay the delivery fee and tip and longer wait. I'll order pickup and can go get it myself for a couple bucks of gas at most and at least I'll know it's as hot and fresh as it can be.

A lot of people in cities don't own transportation and it's quicker getting delivery than getting on a train/bus.

Right, in cities it makes the most sense for delivery of almost anything. Even if you have a car, trying to find parking at certain times just so you can run in and grab your pizza is probably not worth it. A guy on a scooter can park almost anywhere so it quickly becomes worth the fees to have it delivered. These services have started creeping out to the suburbs where I live and it doesn't always make a lot of sense for some of them. I'd imagine delivery services are even harder to do in rural areas where you would be waiting for quite a long time to get your pizza although I could see things like grocery delivery making sense.

I agree to an extent (about the services moving to the suburbs), but if the market's there as well, I'm sure the services are fine to squeeze out every last profit.

I do use Instacart for grocery delivery (Chicago), but I really dislike grocery stores and am willing to pay the premium (avg +30% in my exp) to avoid that trip. Honestly, if I was in the suburbs, with a vehicle, I might be better incentivized to personally make the trip.

All my own opinion though.

Another thing I forgot to consider is people that can't leave their home for reasons other than they are tired from work or just hungover. You can get much healthier meals delivered now, much better than the pizza and chinese food that were pretty much the only option years ago. Grocery delivery is much more prevalent now too so for those that can at least cook for themselves, they don't have to rely on a family member coming by with groceries.

I don't think it's old fashioned. Not being lazy and having a conscience is enough to avoid them.

Although those things are going out of fashion quite fast.

> having a conscience

What does having a conscience have to do with whether or not you use a food delivery service?

I think a lot of people object to the labour practices of most if not all of the food delivery services; this isn't particularly new news. In Australia the drivers/riders are not treated or paid very well and there is considerable controversy about whether they are really employees vs contractors.

I'm surprised that this hasn't occurred to you already, at least as an issue for someone (not necessarily you, or, for that matter, me). Still, given that this is a thread where things like "food delivery" need to be explained from first principles, I shouldn't be too surprised.

> In Australia the drivers/riders are not treated or paid very well

So they should do something else. Those drivers determined that delivering the food was the best use of their time. I don't think it's right to voluntarily choose this specific job and then make people feel immoral for using the service they signed up to provide.

Well, some of the ways they are not treated well seem to be sailing pretty close to the wind in terms of Australian labour law or are outright illegal. It's also pretty hard to imagine these services being remotely workable without a steady supply of "students" who are in Australia supposedly earning degrees but in practice are a giant pool of cheap labour. You can make various libertarian quibbles about both Australian labour and immigration rules, but not everyone wishes to subscribe to your libertarian newsletter....

> Not being lazy and having a conscience is enough to avoid them.

But even then you would 'understand the appeal' but be opting out of using them.

It's a weird turn of phrase IMHO, as if the person has never heard of food delivery before.

We ordered a load of food for our office earlier this week (also central London, nr Tower Hill) and had only half of it arrive. A second rider was needed for such a large order (burgers for 15 people), and none showed up. So half the people got no meal, and half the food got binned by the restaurant.

That's pretty bad!

Fun fact about Deliveroo. A lot of your drivers aren't the registered driver. It's really common practice for a citizen or someone with a work visa to register and then rent their phone to someone desperate with no work visa. So your driver is often making almost nothing while someone else sits on their ass and collects cash for doing nothing and then Deliveroo again sits on their ass providing poor service collecting even more cash.

So are you saying there are bands of Deliveroo riders in England who are here on 6-month tourist visas? Or are you saying they are in the country illegally?

If you're working on a tourist visa, then you're in the country illegally - your visa becomes invalid the minute you start work and you're liable to be deported.


I've only seen this happen to people on student visas that permit little or no working hours.

Students will do all kinds of "harmless" under the table stuff to get/save a little extra spending money. That's different to me than a person desperate for money to pay rent or buy food.

That's certainly true and they are illegally working. But maybe your image of a student might be a bit narrow? There's a large industry in Europe of language schools. You pay the school/country a few thousand euros/pounds and in return you get a student visa + basic language course. Not all, but many students are coming from pretty bad places in the hope of somehow landing a work visa (Italy and Portugal will grant citizenship if you can prove ancestry, for example). The friends of my wife that told me about their lives/this practice, none of them were working for "spending money".

In Portugal you need more than just "ancestry", unless it's relatively close relatives (grandparent).

You would need to speak Portuguese, and prove an effective tie to Portugal, for example participating in Portuguese cultural activities, groups or organizations.

I certainly needed to pay rent and buy food when I was a student?


I have a friend that works for a Deliveroo clone in Paris; this is true, loads of people rent their phones to migrants that work for the company under a fake identity.

> It's really common practice for a citizen or someone with a work visa to register and then rent their phone to someone desperate with no work visa

Do humans really have such low morality and ethics? I just can't picture a person who does this to another human being...

Did saying this make you feel better about yourself or something?

Because it's a ridiculously naive statement at best. More likely just some sanctimonious BS you decided to post to signal how much of a good person you are.

Like seriously, what world do you live in where you can't picture a person doing something to take advantage of another person? Have you read literally anything in history?

Did saying this make you feel better about yourself or something?

Because it's a ridiculously smug statement at best. More likely just some sanctimonious BS you decided to post to signal how much of an intelligent person you are.

Like seriously, what world do you live in where you can't picture a person thinking that it's sad that a person takes advantage of another person? Have you read literally anything in history?

How meta. You must be a super clever person with original thoughts to add to every discussion.

I have a really hard time trying to understand the mindset of somebody who is going to take advantage of a person for profit. I actively remind myself of this because I need to be aware of this fact when dealing with people who could potentially take advantage of me.

Nobody is asking you to understand their mindset. Recognizing that such people exist does not require understanding their mindset.

What’s immoral here? You know someone who can’t work so you let him rent your phone so he can work. I mean it’s not respecting the law, but it’s no more immoral than companies renting out cars, houses, or tools used by others to earn a living.

Deliveroo riders have some of the worst working conditions, it's a grind and people do it because they need the cash.

Going as far as circumventing legal regulations and even paying to be able to do such a job is a good indicator that the person doing it is desperate for income.

Many people believe wealth should be shared, that everyone deserves happiness, and that no one should spend their lives slaving away just to survive; those same people would not try to profit off of someone desperate for income and willing to work hard, and would consider what OP is talking about immoral.

This is the same argument leveled against sweatshops and it is frankly a fallacious one.

It proposes a false dichotomy where the worker has to either be in well paying and fulfilling employment (which obviously is not an option given their circumstances) or alternatively, they must be saved from the tyranny of their employer (usually through enactment of regulations which will leave them jobless).

Either way all it achieves is to deprive the worker of income, experience and the agency that comes with being able to make their own employment decisions. Your comment, despite seeming conscientious, gives little consideration to utility of the worker and the pragmatic decisions they face.

A sense of moral outrage towards a company (or individual) for perceived exploitation of their employees might be justified, but is not sufficient grounds for limiting the freedom of exchange.

Accessory to a large number of immigration crimes, and in the UK that's a strict liability offence.

A former PM (Gordon Brown) was fined when it was found that his cleaner had used good forged papers.

Various modern slavery and gangmaster laws also come to mind.

The question was what makes it immoral, not what makes it illegal.

Taking advantage and ripping off unfortunates is not immoral? As Seward said "there is a higher law".

No, the law preventing residents from working is immoral. Someone sharing their identity to allow them to work is actually doing a righteous thing.

And you don't think the sort of person that does that is ripping the hell out of poor sods?

There have been well documented cases of modern slavery where disadvantaged people like this have been abused and effectively turned into slaves.

The author wrote that some people would make other people do the work, taking a cut. Given that people who work themselves at Deliveroo already struggle to get a decent salary, then yes, it is immoral.

The person with the account is providing a benefit in return for that cut, though -- the account itself and the attached phone. It's not slavery, any more than Amazon taking a cut of sales through their website is.

I fail to see how the citizen in this case is harming the non-citizen.

People using their accrued wealth to sit around while other people make money for them (who will suffer if they can't do that) is generally considered moral- or at least ethical- under the current order.

I mean most of these delivery type services are basically the first company passing off the usual risk of having a lot of employees onto contractors.... not exactly the same, but not that many steps removed.

It's no more immoral than the business model of Deliveroo, Uber, etc. themselves. In fact it's almost exactly the same.

There's people who will gladly do worse things to people, for free.

I use a number of services in Sweden and they all do the same thing: the picture of the person who gets you the food is never the same as on their website. Also, errors in orders are so common.

What a strange thing to say. Surely you've heard of war, murder, rape...?

There is one more aspect of fraud the journalist has missed - chargeback fraud. Chargeback fraud is where companies try to lengthen the timeline of resolution of a fraudulent incident such as this one so that it exceeds your bank's official timeline for being eligible for getting your money back. Usually it's about 45-60 days and varies from bank to bank.

To me, as someone who worked in this industry before, this simply seems like a ploy by Deliveroo to escape absorbing the chargeback cost. Because that is exactly what would happen if you called your credit card's bank/company and asked them to initiate a chargeback for the fraudulent transactions instead of begging Deliveroo: the money will first be refunded to you almost immediately (varies from bank to bank) and then an investigation will be opened against the merchant in question (in this case, Deliveroo), and when you provide your credit card company with valid proof that you're innocent by sharing logs, screenshots, etc., the dispute would be settled and the bank will side with you, the customer, leaving the merchant to bear the loss of the fraudulently transacted amount.

It seems Deliveroo may be doing EXACTLY this to avoid letting the customer become eligible for a refund later through their banks, by pushing them past the chargeback window. This is actually criminal in some countries, and grounds for a class action suit, which I hope someone sues them for if they are found guilty of this.

The other reason for the elongated resolution timelines is because Deliveroo actually benefits from these transactions - think about it, they earn for each transaction and in some markets, if I'm not wrong, the larger the transaction, the more they earn. So, why would they do something fast that affects their revenues negatively.

Anyway, my personal experience with Deliveroo has also never been positive and I don't recommend them at all.

I thought this was going to be about ordering food from one restaurant, only to have it prepared in another 'sublicensed' kitchen, sometimes a shipping container:


Is this actually shady? When doing takeaway you are not really paying for the ambiance of the restaurant anyway and IF the quality is the same I wouldn't necessarily have a problem with it.

Well, if I order food from the Fat Duck[1], to name just one example, I expect the restaurant to prepare my food and not some "cook" in a container throwing together some stuff coming from trucks owned by a convenience food purveyor.

So yeah, I think it's shady and dishonest.

Sure, if a restaurant allows their brand to be used for such shenanigans they deserve all the bad press they may get.

Disclaimer: I use the Fat Duck as an example. I'm pretty sure they don't do home deliveries, let alone - Deliveroo.

[1] https://en.wikipedia.org/wiki/The_Fat_Duck

> IF the quality is the same

That's the thing. It isn't. Every franchise, big or small, has wildly different quality of ingredients and preparation (and even send the correct damn drink and remember the dip) among outlets, and if I order from that one, I want that one to prepare my food.

Even down to the cook (not even "chef"). I go to a specific restaurant on a weekly basis, where I know the names of the cooks. I order different dishes depending solely on who's working that day, since I know which get prepared best by who.

Deliveroo Editions sites are clearly marked on the app with a banner across the main photo of the restaurant. You aren't led to believe the food is coming from somewhere it isn't.

> banner across the main photo of the restaurant

> You aren't led to believe the food is coming from somewhere it isn't.

I think we have different definitions of what being 'led to believe' is.

That’s a pretty big claim. Got a source for it?

Maybe I'm missing the point but how did the fraud take place to begin with? Somebody phished the author's Deliveroo account and used it to buy a lot of food? If so what would be the right way for Deliveroo to solve the issue? I mean if they just swallow the cost and reimburse her with no questions asked it seems easy to abuse, I could just order a lot of food then later complain that my account has been breached. Then again that's pretty much what Amazon does in these situations in my experience but not everybody has Amazon's deep pockets...

That's not to say that their current response (or lack thereof) isn't bad, it's more that I'm not sure what would be a good response in this situation.

I'm also not sure how Deliveroo could be considered liable if the breach is on the user's side (phished password) rather than a server-side vulnerability. If I offer an online service and one user gets their password stolen, would I be liable for that? If so, what should I do if somebody claims that their account was stolen? What if they're actually lying to get access to a legit account?

Standard security practices: not allow delivery to a new address without reconfirming credit card details, sending email confirmation upon login from a new location/device, and in the more extreme cases, 2 factor auth.
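The three controls named above (card re-entry for a new delivery address, e-mail confirmation for a login from a new device or IP, and 2FA where the account has it) can be expressed as one order-time policy. The following is an added example, not Deliveroo's code; the account fields, event fields and the "deny when every signal fires at once" rule are assumptions for illustration.

```python
"""Order-time risk policy for an account-takeover-resistant checkout.

Added example, not Deliveroo's code. Models the controls from the comment
above: an order to a previously unseen delivery address must re-enter the
stored card's details (represented by the card_reconfirmed flag the UI would
set), a session from a new device or IP must have clicked an e-mail
confirmation link before it can order, and accounts enrolled in 2FA must
have presented a valid code. All account and event fields are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    known_addresses: set[str]
    known_devices: set[str]
    known_ips: set[str]
    email_verified_sessions: set[str] = field(default_factory=set)  # sessions confirmed via e-mail link
    totp_enrolled: bool = False


@dataclass
class OrderAttempt:
    session_id: str
    device_id: str
    ip: str
    delivery_address: str
    card_reconfirmed: bool = False  # user re-entered card details in this session
    totp_ok: bool = False           # valid 2FA code presented in this session


def evaluate_order(acct: Account, attempt: OrderAttempt) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", list of checks still outstanding).

    step_up: hold the order until every listed check passes.
    deny:    every takeover signal fired at once; hold and alert instead.
    """
    required: list[str] = []
    new_device = attempt.device_id not in acct.known_devices
    new_ip = attempt.ip not in acct.known_ips
    new_address = attempt.delivery_address not in acct.known_addresses

    if (new_device or new_ip) and attempt.session_id not in acct.email_verified_sessions:
        required.append("email_confirmation")
    if new_address and not attempt.card_reconfirmed:
        required.append("card_reconfirmation")
    if acct.totp_enrolled and not attempt.totp_ok:
        required.append("totp")

    # The classic credential-stuffing shape: unknown device, unknown IP and an
    # address the account has never delivered to, all in one go. Assumed policy:
    # do not merely step up, refuse the order and flag the account for review.
    if new_device and new_ip and new_address and required:
        return "deny", required
    return ("step_up" if required else "allow"), required


if __name__ == "__main__":
    acct = Account({"1 Home St"}, {"dev-a"}, {"10.0.0.1"})
    print(evaluate_order(acct, OrderAttempt("s1", "dev-a", "10.0.0.1", "1 Home St")))
    print(evaluate_order(acct, OrderAttempt("s2", "dev-z", "203.0.113.5", "99 Other Rd")))
```

The point of returning the outstanding checks rather than a bare yes/no is that the checkout UI can drive the exact step-up the situation needs, and the fraud team can log which signal fired on each held order.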

That makes a lot of sense now that you point it out. Thank you.

It sounds very much like this journalist is trying to make a mountain out of a mole hill.

The real story is that Deliveroo does not handle fraud properly. This is a much lesser crime than what they are being accused of.

The author wants to make it seem like Deliveroo has had a data leak and are trying to hide the fact. There is no evidence of this, but if it did turn out to be true then the author would be able to claim that they broke the story.

Yeah - it boils down to ye olde case of people reusing passwords. Half of the article talking about GDPR and the ICO is irrelevant. What's happened is she has an easy/reused password that's ended up in a breach, fraudster locks her out of the account and offers discounted deliveroo orders to their customers and she gets charged. That's it.

It sounds like Deliveroo could step up their security then, as they don't seem to be doing much to catch credential stuffing, suspicious/fraudulent orders, etc. They could be doing way more.
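Catching credential stuffing from the server side is a detection problem with a distinctive shape: one source trying many different accounts, mostly failing, with the odd success where a reused password matched. The following is an added example, not Deliveroo's or the article's code; the log format and the sample lines are constructed, and the thresholds are assumptions a team would tune against its own traffic.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not Deliveroo's code. A stuffing run is one IP trying many
*distinct* usernames in a short window with a low success ratio. A single
user fat-fingering their password is the opposite shape: repeated attempts
on one account. The log format and lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> login status=<OK|FAIL> user=<id> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login status=(?P<status>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays seven accounts in six seconds and gets
# two hits; 198.51.100.9 is one user retrying their own password.
SAMPLE_LOG = """\
2019-01-05T12:00:01Z login status=FAIL user=alice@example.com ip=203.0.113.5
2019-01-05T12:00:02Z login status=FAIL user=bob@example.com ip=203.0.113.5
2019-01-05T12:00:02Z login status=OK user=carol@example.com ip=203.0.113.5
2019-01-05T12:00:03Z login status=FAIL user=dave@example.com ip=203.0.113.5
2019-01-05T12:00:04Z login status=FAIL user=erin@example.com ip=203.0.113.5
2019-01-05T12:00:05Z login status=FAIL user=frank@example.com ip=203.0.113.5
2019-01-05T12:00:06Z login status=OK user=grace@example.com ip=203.0.113.5
2019-01-05T12:01:00Z login status=FAIL user=heidi@example.com ip=198.51.100.9
2019-01-05T12:01:10Z login status=FAIL user=heidi@example.com ip=198.51.100.9
2019-01-05T12:01:20Z login status=OK user=heidi@example.com ip=198.51.100.9
2019-01-05T12:02:00Z login status=OK user=ivan@example.com ip=192.0.2.44
"""


def parse(log_text):
    """Return a list of (timestamp, status, user, ip) tuples; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let a stray line crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["status"], m["user"], m["ip"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.5):
    """Return {ip: sorted accounts that logged in OK from it} for every IP that
    tried at least `min_users` distinct accounts inside `window` with a success
    ratio no higher than `max_ok_ratio`.

    The accounts listed are the ones that need locking and re-verification:
    a success from a stuffing source means the reused password worked.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        suspicious = False
        hits = set()
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            ok_users = [e[2] for e in span if e[1] == "OK"]
            if len(users) >= min_users and len(ok_users) / len(span) <= max_ok_ratio:
                suspicious = True
                hits.update(ok_users)
        if suspicious:
            flagged[ip] = sorted(hits)
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))
```

In production the same logic runs per /24 or per ASN as well as per IP, because stuffing tools rotate through proxy pools; the per-IP version above is the one to start with because it has essentially no false positives at these thresholds.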

If I recall, there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breach. It seems like many people have been affected by this too so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse.

Deliveroo are responsible for the data you give them. If they fuck up and allow unauthorized people access to that data, they're in breach of the GDPR.

If they haven't informed the ICO (and equivalent in any country within GDPR rules) within 72 hours of each breach, they're in even deeper shit. First, they have to be clear about the scale of the breach and what exactly has gone wrong. They've got to be able to demonstrate the steps they've taken to mitigate the issue and prevent it happening in future. If people are complaining on a regular basis for months, they've not done that.

Do you have a source for that? If that is the case then pretty much every major website is in breach. Credential stuffing is rampant and very easy to do these days. It's not the website's fault that the user gave out their password.

However, I do agree that Deliveroo needs to do more to protect users against this. 2-factor authentication, email confirmation from a new IP, re-entry of card details when ordering to a new address are all simple ways to handle this. Deliveroo has not prioritised this because their main priority is growth.

In the UK, the ICO guidelines are

"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

The key part being "unauthorised disclosure of, or access to, personal data."

So does credential stuffing qualify - In my opinion yes, as it is unauthorised access to personal data.

They then go on to say "When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"

And again, the ability to place orders and deliver them to a new address charging the existing credit card I think qualifies as a severe and likely risk.


Edited to add: In the absence of any legal precedent I’d challenge you to find any lawyer who’d confidently say that credential stuffing definitely doesn’t meet the criteria.

That would be an interesting development. It means that either:

- it is illegal to not have 2FA; I’m not against that, but it feels… excessive;

- every website, including small irrelevant ones, with a password (like HN) needs to crawl the darker internet to check for leaked lists of email/passwords; that would make those unsavoury forums crawl with solution vendors; it would also make it illegal to not find the most obscure ones; in other words, a non-option;

- ban the use of any password listed on https://haveibeenpwned.com/Passwords which feels more manageable, but… does the service offer an API?

Which one feels the most likely to happen in the short term?
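On the third option: the Pwned Passwords service does offer an API, and it is designed so the site never sends the password or even its full hash. The client hashes the password with SHA-1, sends only the first five hex characters of the digest to https://api.pwnedpasswords.com/range/<prefix>, and receives every 35-character suffix seen under that prefix with a breach count; the match is made locally. The following is an added example, not Deliveroo's code and not the HIBP client library; the response body is constructed (including the count) so the example runs offline, and the live fetch is provided but not exercised.

```python
"""Check a candidate password against Pwned Passwords via the k-anonymity
range API (https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>).

Added example, not Deliveroo's code and not the HIBP client library. The
service returns lines of "<35-hex-char suffix>:<count>"; only the 5-char
prefix ever leaves the client. FAKE_RESPONSE and its counts are constructed
so the demo runs offline; pass fetch=http_fetch to query the live service.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def http_fetch(prefix: str) -> str:
    """Live lookup (network). Not used by the offline demo or the tests."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the prefix 5BAA6 response; real responses run to
# hundreds of lines. The middle suffix is SHA-1("password") minus its prefix;
# the count next to it is made up for the example.
FAKE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F00C1C9E7A52B5B23B6C5E4CF4C7B22B9A:1
"""


def fake_fetch(prefix: str) -> str:
    return FAKE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch=fake_fetch) -> int:
    """Return how many times `password` appears in the breach corpus (0 if never)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or padded lines
        found, count = line.split(":", 1)
        if found.upper() == suffix:
            return int(count)
    return 0


def password_allowed(password: str, fetch=fake_fetch, threshold: int = 1) -> bool:
    """Policy hook for registration and password-change forms: reject any
    password seen at least `threshold` times in known breaches."""
    return pwned_count(password, fetch) < threshold


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, pwned_count(pw), password_allowed(pw))
```

This addresses the concern about "crawling the darker internet": the site only needs to consult the already-aggregated corpus at the two points where it sees a cleartext password anyway (registration and password change), and the prefix query reveals nothing useful to the service or to anyone on the path.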

Remember part 2 of that section:

"establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"

So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.

In terms of options, I think there are more, mostly around sites getting more sophisticated at defending against credential stuffing attacks - treat logins as more suspicious if they are from a new device, new ip, use a password that you know is in a breach list (have i been pwned), etc. and put in place a 2nd factor like email confirmation of the login even if they haven't turned on 2FA. Or at least restrict access to sensitive parts of your site if the login was suspicious until you can verify it was an authentic login.

'So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.'

To be clear, no website, depending on passwords alone, can know if an access was authorized by the person who is the subject of the account. Therefore, it would seem that the only sites that can use password-only authentication without risk are those that hold no personal information about their customers. According to your own interpretation of the law, some of your proposed mitigations would not be sufficient to eliminate the risk, if any personal information is held.

>> According to your own interpretation of the law

Look, I am not a lawyer, and I am happy for someone to correct me here, but this is the wording of the law:

"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

Is there anything in that sentence that means a successful credential stuffing attack would not fit the criteria?

a) the data wasn't breached through the credential stuffing attack, it was breached at an earlier time on another site. b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.

>> a) the data wasn't breached through the credential stuffing attack, it was breached at an earlier time on another site.

Remember GDPR is specifically concerned with "A personal data breach" The original breach that led to the password being leaked was likely also a personal data breach (unless the only thing the hackers managed to access was the username/password database - and even then email address can constitute personal data in some cases), but there is definitely a personal data breach as a result of the credential stuffing attack (in the Deliveroo case, more than likely full home address, possibly other addresses too like work, possibly name, some level of credit card data, order history, etc.).

>> b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.

It's certainly authenticated access, but I think you'll struggle to convince a lawyer that it was authorised.

I am not disagreeing with your position that such an access is not authorized by the person whose confidentiality is compromised, but the phrases from the UK ICO that you quote in making your argument do not say that the mitigations you propose would provide an adequate defense for the website provider, either. Taken in isolation and at face value (which is what you do to make your case), those phrases lead inevitably to the conclusion that password-only authentication cannot possibly suffice as ICO-compliant authorization for access to any personal data whatsoever.

So if someone hacks your email because you didn't have sufficient protections in place, does that make the email provider liable? Seems like an argument that falls apart very quickly.

Yes, exactly that if the email provider hasn’t put in place sufficient defences. Why wouldn’t they be liable? They have a duty of care under GDPR to protect your personal data. If they are negligent in that duty then absolutely they should be liable.

I'm not saying Deliveroo isn't in the wrong here - they absolutely should have more defenses, but I still think this argument makes little sense. What if they have the defences in place but you choose to disable them? Who is liable then? I personally have 2FA on my GMail, but plenty of people choose not to - is it Google's fault for not forcing it on them?

You’re forgetting something. This isn’t my argument. This is what GDPR states. Unauthorised access to personal data constitutes a data breach. Does someone accessing your personal data who is not you using a stolen password count as unauthorised? Yes.

It will ultimately come down to a test case, but as I said before, you will be hard pressed to find a lawyer who would tell a company that they definitely won’t be liable.

It depends on how "unauthorized" is defined. Does it actually define "unauthorized" somewhere else in the statute?

I think unauthorised has a fairly clearly defined definition in the English language (without permission or authority). And I’m fairly sure that’s the definition already used in courts of law. So in the absence of any contradicting definition in GDPR (and there isn’t) I would be pretty confident that is the definition that would be used.

But even so I struggle to think of a definition where accessing someone else’s account without their permission or authority wouldn’t be classed as unauthorised.

For what it’s worth, it’s very common for close people to share their Deliveroo account, a bit like Netflix.

I would never but one of my two housemates was very confused why they couldn’t have my password so that they could look at the menu and each add their option to the order. (The third housemate was also a developer so he was surprised that I could remember it and I got sermoned about 1Pass over pizza.)

I also have heard of cases of close (female) friends who know each other’s password; when one had a health incident (miscarriage), the other took upon herself to order for the first one, to comfort her. She tried from her own account but failed (couldn’t remember the name of the restaurant), so connected to her grieving friend’s account, changed it to use her debit card. It was fully appreciated, but a surprise.

“Authorised” in that sense falls somewhere between:

- I know who those people are;

- we are part of the same household;

- I know that they can have access to my account;

- they made sure that I know they are on my account;

- I actively allowed them to be on my account right now;

- the device is shared.

>without permission or authority

Permission or authority from who though?

If someone steals a key and unlocks a lock, is that considered "unauthorized access?" From the perspective of the person whose key was stolen, absolutely. From the perspective of the lock, no, the access was authorized.

We define terms in statutes and contracts for a damn good reason.

Good luck using that as your defence in a court of law :)

That's the problem with GDPR. It leaves much to be defined by ratifying member states. For example, it says you need a Data Protection Officer if you do "large scale" processing. There's no definition, no threshold defined for "large scale". You might not find the definition for unauthorized access in the GDPR and it may depend on jurisdiction.

I'm not sure why this is being downvoted. All I am doing is pointing out what the current law is under GDPR. You may not agree with the law, but that doesn't change what it says.

> there's no distinction between an en masse data leak and someone being able to access your personal info without authority under GDPR. Both are a data breach. It seems like many people have been affected by this too so clearly Deliveroo doesn't have the mechanisms in place to protect user information. The fact unauthorized people can spend your money through Deliveroo is even worse

Well, the distinction can be as easy as someone hacking the company vs. guessing your password. What is the company to do to protect against the latter?! After all, the password is the authorisation, so I would even claim it's not unauthorised access...

There are many things they could do. For starters they could verify (email, 2 factor, something) unusual sign ins - for example sign ins from a new IP, especially if that IP has a higher risk profile (data center, known vpn, tor exit nodes, different registered country, etc.), or sign ins from a new device.
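The two comments above (treating logins from a new device, new IP or high-risk network as suspicious, checking the password against a breach list, and stepping up to an email confirmation or a restricted session) describe one risk-based login check. The following is an added example of how a site might implement it; it is not Deliveroo's code. It runs after the password has already been verified, and the networks, device identifiers, weights and breached-password list are all constructed for the demo (a real deployment would consult the HIBP range API and a GeoIP/ASN feed).

```python
"""Risk-based decisions for a password-only login.

Added example, not Deliveroo's code. Runs after the password verified
correctly: the question is whether to grant full access, ask for a second
factor (e.g. an emailed confirmation link), or grant a restricted session
that cannot place orders or change address/payment details. The networks,
devices, weights and breached-password list are constructed for the demo.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed: ranges treated as higher risk (hosting providers, known VPN exits).
HIGH_RISK_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed: SHA-1 digests of passwords seen in breach dumps. Only the digest is
# compared, never the password itself.
BREACHED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("password1", "Summer2019!")
}

STEP_UP_THRESHOLD = 1   # any anomaly at all: confirm by email / OTP before a full session
RESTRICT_THRESHOLD = 4  # several anomalies: authenticated, but no orders or profile changes


@dataclass
class Account:
    user_id: str
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    home_country: str = "GB"


@dataclass
class LoginAttempt:
    user_id: str
    password: str   # the password that just verified correctly
    ip: str
    device_id: str  # e.g. a long-lived device cookie
    country: str    # assumed to come from a GeoIP lookup on `ip`


def risk_signals(account: Account, attempt: LoginAttempt) -> list:
    """Return the (signal, weight) pairs that fired for this attempt."""
    signals = []
    if attempt.device_id not in account.known_devices:
        signals.append(("new_device", 2))
    if attempt.ip not in account.known_ips:
        signals.append(("new_ip", 1))
    addr = ipaddress.ip_address(attempt.ip)
    if any(addr in net for net in HIGH_RISK_NETWORKS):
        signals.append(("high_risk_network", 2))
    if attempt.country != account.home_country:
        signals.append(("foreign_country", 2))
    digest = hashlib.sha1(attempt.password.encode()).hexdigest().upper()
    if digest in BREACHED_PASSWORD_SHA1:
        signals.append(("breached_password", 3))
    return signals


def decide(account: Account, attempt: LoginAttempt) -> str:
    """Map the summed risk to one of: allow, step_up, restrict."""
    score = sum(weight for _, weight in risk_signals(account, attempt))
    if score >= RESTRICT_THRESHOLD:
        return "restrict"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    acct = Account("alice", known_devices={"dev-home"}, known_ips={"192.0.2.10"})
    for att in (
        LoginAttempt("alice", "correct horse battery staple", "192.0.2.10", "dev-home", "GB"),
        LoginAttempt("alice", "correct horse battery staple", "192.0.2.11", "dev-home", "GB"),
        LoginAttempt("alice", "password1", "203.0.113.7", "dev-unknown", "GB"),
    ):
        print(att.ip, att.device_id, "->", decide(acct, att), risk_signals(acct, att))
```

The point of the "restrict" outcome is that a credential-stuffing hit still gets a session, so the attacker learns nothing from the response, but that session cannot reach the address book, saved card or checkout until the owner confirms the login out of band.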

That'd be a valid excuse if you're not safeguarding personal and sensitive data. But is that the most you can do to protect the addresses and some level of access to somebody's money?

> Deliveroo has blamed the breach on cybercriminals getting hold of login details “stolen from another service unrelated to our company in a major data breach”.

> This is despite the company not asking customers to enter a Card Verification Value 2 (CVV2) code when making orders, a card security system designed to ensure that someone ordering something online has physical possession of the card used to pay for it.

More info on an article from November 2016: https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-f...

BBC's Watchdog documentary: https://www.bbc.co.uk/programmes/articles/3ZMjkWFfDZQ8zFYQJL... (with response from Deliveroo)

> (Later – a lot later – a Deliveroo spokesman would tell me it was likely I had been the victim of a “credential stuffing” attack, in which hackers obtain lists of usernames and passwords and try them out on other platforms.)

So this Tech Journalist uses the same password on every site?

the real issue IMHO is the "credential stuffing attack" makes no sense: hungry people getting their hands on leaked password dumps? a bunch of black hat hackers running a Delivery clone, getting clean money from customers, but really getting an innocent Delivery user get charged, and having the order be sent to the address of the customer? none of this makes sense!

It seems to me like the corruption or fraud is within Deliveroo.

Another good reason to use a fintech bank account such as Monzo [1] or a credit card such as Tandem [2] or a virtual card that can forward transactions onto any other card such as Curve [3].

All of these services can give you a push notification every time a transaction is made on your account so that you are immediately made aware and are able to cancel them. You can block the card from within the app immediately.

1. http://join.monzo.com/r/vrlkxvo (Using this link gives us both £5)

2. https://www.tandem.co.uk/credit-card/

3. https://www.imaginecurve.com/ (Sign up with WAI91 and we both get £5)

I agree. I'd also add that my experience with fintech services, in regards to fraud detection, has been excellent.

I've been using Revolut for the past year. Just 2 weeks ago, they detected a potentially fraudulent transaction with - you guessed it - Deliveroo, for an amount of £25 (I don't live in the UK). The transaction, as well as my card, was immediately blocked. I then received a push message asking me to confirm whether the transaction was fraudulent - pushing "Confirm" triggered the dispatch of a new card to my address. In contrast to legacy banks for which it is still recommended you call on the phone to notify you're going abroad, this is excellent service.

They obviously vary, but my British legacy bank no longer wants to be told when I'm going abroad.

I don't use their app. If they suspect a fraudulent transaction, they block it and call me.

Amex has the same thing and their customer protections are generally better than the Fintech companies. Although Amex is not so common in the U.K.

Do any UK credit card companies offer consumer and fraud protection above the norm? Amex would immediately side with me if I showed them the Deliveroo communication. Another Citi VISA I had offered 18 months warranties on laptops and other electronics if I used the card.

Do all Amex cards have this? I've never seen this feature offered by them.

Edit: apparently they stopped doing this for average cardholders 15 years ago and it's a corporate-card-only thing now called 'Amex Go'

Amex recently detected a fraudulent charge on my card, and sent me an email with a "click here" button which, after I confirmed my identity, triggered the issuance of a new card in the mail in a couple of days.

I should note I have a "Starwood Preferred Guest" Amex card, but that is not a corporate card. It may be that the SPG card has additional features that a regular card would not.

A lot of places in the UK, especially low-cost places, won't accept Amex because of the charges.

I saw my manager's Amex get declined when they tried to pay for a team meal (15 people) a few years ago.

Yes, at least the U.K. isn't as obsessed with cash as Germany is. I had trouble until one of my European colleagues told me about Amex Vicinity. You can see places around you and it can make it easier to use corporate Amex cards. [1]


The trouble with Amex, and Germany's increased acceptance of Visa and Mastercard cards, is down to the EU's rules restricting processing fees.

Those rules mostly don't apply to Amex (they were not considered part of the Visa-MC duopoly).

There's some interesting background here: https://www.headforpoints.com/2018/02/08/american-express-eu...

A cashless society does have some risks and of course penalises poor working class people and older ones.

The only one I've needed to claim against was Curve. I lost my wallet and my card was used in a McDonalds. I knew immediately and froze the card. Curve then refunded me a week later, when I contacted them.

Thanks for letting me know about Amex doing this. Might provide better customer service and many places do accept it.

“Deliveroo takes online security very seriously. Sadly fraudsters rely on the fact that people reuse the same passwords on multiple online services to try and gain entry to different accounts across the web.”

Yeah! Blame it on your customers! Way to go!

Sigh! Another gig economy service I'm damn sure never to use.

That's not even an excuse. There are solutions out there that mitigate the fact people reuse the same passwords.

I'd love to see a more specific version of Troy Hunt's "have I been pwned" API which explicitly blocked user/password combinations which had been leaked.

The catch is, you'd have to store the pairs together which then makes you a target, so in practice the best you can really do is what's on offer already -- check that the password hasn't been leaked (and maybe if the email address has a high HIBP leak count).
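The HIBP check mentioned above works without the site storing or transmitting the password: it hashes the password, sends only the first five hex characters of the SHA-1 to the range endpoint, and matches the remaining 35 characters locally against the returned list. The following is an added example of that k-anonymity lookup as a sign-up/login policy hook; it is not Deliveroo's code and not Troy Hunt's implementation. The endpoint URL is the real one, but the demo runs entirely offline against a small breach corpus constructed here (`_FAKE_CORPUS`, `fake_fetch_range`); `fetch_range_live` is included for real use and is not called by the demo.

```python
"""HIBP-style k-anonymity lookup of a password's breach count.

Added example, not Deliveroo's code and not the HIBP project's own code.
Only a 5-character hash prefix ever leaves the server; the password and the
full hash stay local. The corpus behind `fake_fetch_range` is constructed.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called by the demo


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus behind `fetch_range`; 0 if unseen."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real API with just the prefix (network access required)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus for the offline demo: password -> times seen in breaches.
_FAKE_CORPUS = {"password1": 2390, "letmein": 512}


def fake_fetch_range(prefix: str) -> str:
    """Behave like the range endpoint over the constructed corpus, plus filler suffixes."""
    lines = ["0" * 34 + "A:1", "F" * 34 + "B:3"]   # unrelated 35-char suffixes
    for pw, n in _FAKE_CORPUS.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines) + "\r\n"


def password_allowed(password: str, fetch_range=fake_fetch_range, max_seen: int = 0) -> bool:
    """Policy hook for sign-up or password change: True means the password may be used."""
    return breach_count(password, fetch_range) <= max_seen


if __name__ == "__main__":
    for pw in ("password1", "letmein", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fake_fetch_range), "allowed:", password_allowed(pw))
```

This is the most a site can do without holding username/password pairs itself: reject or flag a password that is known to circulate, and, as the comment above notes, combine that with the login-time signals rather than relying on it alone.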

That solution would seem to force people into password managers and random high-entropy passwords or passphrases...

Example solutions that wouldn't result in a massive customer drop-off though? The average person isn't going to set up 2FA or remember a randomly generated password just for a food delivery website.

"...takes online security very seriously..." That is a statement that means its exact opposite. If you get breached, don't let that phrase creep into your announcement. Just say "We were breached. We're sorry. We're cleaning up the mess." or whatever.

Credential stuffing attacks aren't a valid excuse IMO, and should not make this sort of fraud possible. Amazon for example instituted a very simple and effective policy years ago: if you want to deliver something to a new address using an existing payment method you need to reenter the payment details. This means even if someone guesses your username and password and you have a valid CC on file they still can't send a package to some arbitrary new address.

It's conceivable that the fraud is on the merchant side, with a restaurant faking a large order to an existing address, but in that case Deliveroo still has responsibility for allowing bad merchants into the system.

I actually found the other day, if I edit an existing address, it doesn’t make me re-enter payment details. But adding a new one does. Not sure if this was due to a trusted device or if it always does it though.

I can't understand this fraud - surely getting something delivered to your door is the silliest way to defraud something? Also what are they doing with the £100s of takeaway food they are ordering?

I must be missing something here.

From my experience with Deliveroo, you can pretty much order at any address, wait for the delivery person at the doorstep and retrieve your order without actually living there.

I once asked for delivery to a pub's car park. No problem and the delivery guy did not ask for any ID or anything.

A long time ago I used to deliver pizza. We'd never take an order like that, it was an easy way to get robbed (business was pretty much all cash in those days so the drivers always had cash on them).

We'd only deliver to an actual numbered street address or apartment.

Pubs have numbered street addresses though?

This is relevant to my interests: I live a few minutes' walk outside the delivery radius for my town, and the nearest identifiable location within the radius is a pub car park.

I've heard of people getting deliveries to the middle of the park in summer, or even to a boat waiting beside a road bridge...

That's exactly what happened: I was too far so I set the delivery location to a place they accepted after a few trials and errors.

But what are you going to do with 3 £100+ takeaway orders back to back? You can hardly resell it!

Probably something like this:

1) People pay the fraudster for "discounted" food.

2) The fraudster places the order using the stolen account.

3) The fraudster tells the people who paid them: "Go to the pub car park at 9pm and wait for the Deliveroo driver. If he asks, your name is John Smith."

4) Profit.

Indeed, maybe there's an app called "Delilaloo" on the App Store that serves as the frontend for these scams

but then THAT should be the real story, why did the journalist stop digging?

It's also pretty hard to imagine it's worth the effort: you still need to advertise so people know about your service! The service would have suspiciously similar dishes advertised in menus corresponding to the original restaurants, etc. The unsuspecting customer gets to open the door for a Deliveroo person! There are just so many ways this would go wrong in the real world that it doesn't make sense to invest time and effort in MitM'ing Deliveroo from a limited set of compromised accounts...

This all indicates the fraud is happening from within Deliveroo

Put it in the fridge or freezer?

Why would they ever sell it at a loss? Everyone needs food, so they get the value by consuming it themselves.

When you're not paying for it in the first place, there's no "loss." It's all profit.

What about the time, effort and risk of finding leak dumps, thinking through how you can use the data, and then possibly getting caught? None of this makes sense. Should we blindly believe them that there was any "credential stuffing" happening at all? Was this explanation not simply chosen to guilt-trip the customer?

You can find some places that would take fake orders in exchange for easy money. Or create a shadow platform where people can order on Deliveroo with cryptocurrencies.

Now you’ve gone from petty theft and wire fraud and tacked on criminal conspiracy and god knows what else. This could easily get someone 10 years in jail, right?

Not even that hard to investigate because there’s a complete paper trail after a fraud is reported of what was ordered, who delivered it, and where it was delivered.

I agree that none of this is making any sense. They would have to advertise the service, and every single customer might report the service when he ends up accepting his food from a DELIVEROO guy! It's simply not sustainable, the hassle is not worth the effort, etc. I think there was no "credential stuffing" involved; it's just to make the customer feel guilty. Note how the article ends with an agreement they reached to jointly publish a statement (portraying the event as caused by reckless password reuse); perhaps Deliveroo hopes to construe this common agreement to the statement as an admission on the side of the journalist: "if only I had used a different password".

To me all this suggests the fraud is happening within Deliveroo, at a level above the delivery people.

The only credential fraud outside of Deliveroo I can envision is if the black hat hackers contact the restaurants to conspire, the food is then never made but the profit is shared...

>Now you’ve gone from petty theft and wire fraud and tacked on criminal conspiracy and god knows what else. This could easily get someone 10 years in jail, right?

That's how the cop would describe it of course. Anyone with half a brain knows they always throw the book but the whole book never sticks.

What sticks will probably wind up being some sort of fraud and the punishment will probably be something like fine and probation.

>but what are you going to do with 3 £100+ takeaway orders back to back

Eat it.

When I was in college if the pizza guy was in the lobby (invariably trying to call someone who wasn't picking up their phone) very long it was customary to ask him what he was delivering and buy it if you wanted it.

Yeah this is the part I also don't quite understand.

What they may do is:

Order items that aren't as perishable such alcohol & ice cream (e.g. Ben & Jerries) and then resell those via partner off-license shops.

You could open a service on a darknet forum - £100+ worth of food for £20. And people on these forums are well aware on how to receive the order without getting into trouble.

Can you not buy things like bottled and canned drinks from places on Deliveroo? I suppose you could resell those.

Fair enough. But the markup on those items is crazy; you could order £100 worth of beer + wine and I'd be surprised if you could resell it for more than £10-20. Seems like a really risky way to make (not much) money.

You can sell in bulk to shady grocery stores and restaurants at slightly below wholesale cost and they sell to their customers.

This is how the market for stolen gas works anyway, I'd imagine stolen cola and beer would be similar.

Yes, bottles of wine as well.

Look at the world around you: there are people literally starving to death. Do you honestly think it would be hard to sell groceries on the side? Order $100 in meat and cheese and offer it at a discount and you will have people lined up around me. I would have literally no problem selling this all day long around me. Your comment made me wonder how you cannot see the disparity in the world. As for the risk of stolen goods, that really is a minor risk, I think. The poor want their next break. In my town it would be so easy to offload stolen food just through word of mouth.

Standard practice at university. Everyone just had a generic <Name>, Selwyn College, Cambridge address, so you'd just meet them at the main gate. Rarely checked ID (non-Deliveroo).

Maybe the restaurant is part of the scam, and the food is never prepared? Still it would remain extremely easy to trace the fraudsters.

Makes more sense. But still seems pretty odd and a complex scam (vs say running up fake orders directly with stolen credit cards).

If that's not the case you can't resell takeaway food, so no easy way to turn it into cash.

To run fake orders directly you need to steal credit cards info instead of hacking a Deliveroo account, it might be harder.

I would be shocked if it's that simple and Deliveroo didn't bother looking better into it. If we laymen can figure this out on an online forum in a small amount of time why can't Deliveroo figure it out and report the Restaurants to the police. Worse yet, how is this happening to so many people! I swear we'll hear they got hacked in a few more headlines.

It's possible this has already been reported to the police, but we all know they don't tend to move too fast on things like this, and it's likely Deliveroo doesn't want to risk hurting its own reputation by shutting out restaurants it suspects are taking part in this scam without enough solid proof that they are definitely in on it.

I mean if they keep using the same exact "restaurant" whose address ends up being an Apartment... It would be really suspect. Not saying this is the case, but it'd be more obvious if it were.

If they put the FSA "Scores on the Doors" (and local council) food standards ratings on, the act of looking up the address would tell them something was up.

"Address given is not registered as a restaurant or food outlet" (aka: they're not registered with the local council).

I've gotten into the habit of checking 'Scores, just because of the sheer number of poor quality food places on Deliveroo, Just Eat and so on.

What if the restaurants being ordered at are part of the scam? Steal from a Deliveroo customer, order at restaurant X, the restaurant puts it in their books, then splits the money with the party that broke into the account. As long as there's no proof the two are working together it's a great money laundering scheme.

A few years ago I was a 'victim' of identify theft and someone ordered Sky to be installed at my parents address. They thought it was a gift, so gladly let the installation guy go ahead without asking me. I assume they did this to get a bill to be used as proof of address for other things, as I later had bank accounts and phones opened in my name.

You can change delivery address in Deliveroo, maybe they don't make you re-enter payment details like Amazon does when you use a new address? So get into someone's account, use their saved payment to deliver to an arbitrary address and they won't know.
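The comment above and the earlier one about Amazon describe the same control: a saved payment method may only be charged for delivery to an address the account has used before; a new address requires re-entering the card details (number and CVV, the CVV2 point the article raises). The following is an added example of that check; it is not Deliveroo's or Amazon's code. It also covers the caveat raised upthread about editing an existing address: addresses are compared in normalised form, so a saved address retyped with different capitalisation is still "known", while an edited address that now points somewhere else is treated as new. The account, PSP token, card and addresses are constructed for the demo.

```python
"""Require card re-entry before delivering to an address the account has not used.

Added example, not Deliveroo's or Amazon's code. A stolen password alone must
not be enough to send an order on a saved card to an arbitrary address. The
PAN and CVV entered here are checked against what is known about the saved
card and then discarded; only the PSP token is stored. All data is constructed.
"""
import re
from dataclasses import dataclass, field


def normalise_address(addr: str) -> str:
    """Lower-case and collapse punctuation/whitespace so trivial retyping is not a 'new' address."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


@dataclass
class Account:
    user_id: str
    card_last4: str                                   # known about the saved card
    card_token: str                                   # payment-provider token, never the PAN
    saved_addresses: set = field(default_factory=set) # normalised strings


@dataclass
class CardEntry:
    pan: str
    cvv: str


class ReentryRequired(Exception):
    """Raised when the order needs fresh card details before it can be placed."""


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check on the card number (catches typos, not fraud)."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 12 and total % 10 == 0


def place_order(account: Account, deliver_to: str, card: CardEntry = None) -> dict:
    """Return the charge instruction, or raise ReentryRequired."""
    key = normalise_address(deliver_to)
    if key in account.saved_addresses:
        return {"charge": account.card_token, "address": key, "verified_by": "saved_address"}
    if card is None:
        raise ReentryRequired("new delivery address: re-enter card number and CVV")
    if (not luhn_ok(card.pan)
            or card.pan[-4:] != account.card_last4
            or not re.fullmatch(r"\d{3,4}", card.cvv)):
        raise ReentryRequired("card details do not match the saved card")
    # The real CVV check happens at the payment provider; here we only gate on presence/format.
    account.saved_addresses.add(key)   # trusted from now on; PAN and CVV are not kept
    return {"charge": account.card_token, "address": key, "verified_by": "card_reentry"}


def requires_reentry(account: Account, deliver_to: str) -> bool:
    """True if an order to `deliver_to` cannot proceed on the saved card alone."""
    try:
        place_order(account, deliver_to)
        return False
    except ReentryRequired:
        return True


if __name__ == "__main__":
    acct = Account("alice", "4242", "tok_demo", {normalise_address("12 High St, London")})
    print(place_order(acct, "12 HIGH ST  LONDON"))
    print("pub car park needs re-entry:", requires_reentry(acct, "Pub car park, Station Rd"))
    print(place_order(acct, "Pub car park, Station Rd", CardEntry("4242424242424242", "123")))
```

Note what this does and does not stop: an attacker with only the password cannot redirect delivery, but an attacker who also has the card number (as in the dual-compromise cases discussed upthread) still can, which is why the address check belongs alongside the login-time checks rather than replacing them.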

As with others, I suspect collusion - perhaps not at the restaurant management but definitely among the staff. Order something non-existent, never deliver it, but collect the delivery fee?

> takeaway food

Apparently deliveries can and do include bottled spirits.

