That will probably get you a refund quicker (the transactions will likely be held until clarified) and will stop any further fraud.
As for Deliveroo's support team... Not very good in my experience, but that's common. Their competitors are no better.
Had an old phone's screen repaired at a store inside a Walmart. They fixed it but half the screen had no touch capability. They were highly resistant to doing anything about it until I said I would just do a charge back. Tone instantly changed.
Disclaimer: I work for one of those companies, but not on that product.
Now I personally don't let third parties store my cards, but it's quite common in this day and age of SaaS everything.
Which is US only. Is there anything like it for the UK?
"In most cases the bank must refund the payment without undue delay and by the end of the business day following the day on which it became aware of the problem, unless it has reasonable grounds for suspecting that you have acted fraudulently."
"When your bank refunds an unauthorised payment it must also refund any charges and interest you have paid because of the unauthorised transaction."
U.S. banks, as well. Twice Citi has refunded me within minutes. Chase within hours. It seems the policy is "give the customer the money, and we'll sort it out later."
The point is to not have to need to dispute a charge.
Some providers are interestingly stubborn when it comes to charge backs and can hold on to the (fraudulent) vendors side even if you're clearly right.
Monzo in the UK is a prime example of that. An internet vendor charged me more than he should have and refused to void the transaction (basically textbook fraud) and I filed for a chargeback with Monzo. I was extremely confident that it wouldn't take much; however, Monzo customer service resisted helping.
The monetary value wasn't much; however, in the end I perfectly understood that this "protection" does not exist on the credit card issuer/bank side of things.
Generally guidance is that you are entitled to a refund from the bank only if you did not authorise a particular transaction.
It's just that credit cards must offer chargebacks by law.
The Moral of the Story: Money institutes may not cover you like you think they will.
I've learned my lesson.
Again, be -very- careful.
Not if you didn't read your debit card agreement, no. Nothing you've stated wouldn't be clearly spelled out in the agreements I've seen for debit cards. I mean, I can see how this happens: looks like a credit card, must have the same protections as what people online say about credit cards, right? Nope.
If I remember correctly, debit card protections don't exist below £100, so they literally can't do it for a few quid, but they can for larger sums of money.
This isn't an example of Monzo being terrible, this is an example of debit cards being terrible.
Banks have a vested interest to work with you for purchases made on credit because it's their money. Debit purchases have no such leverage and thus have lower protections.
If it costs more than £100, use a credit card in the UK as the CC company is jointly liable for any issues, even faulty goods.
You would get your debit card within a week max. You can transfer limited amount from your original bank account to Monzo account and even on top of that you can set some restrictions on how much amount can be withdrawn and there are some special features like POTS which are very useful.
I am not saying this is the best, but even if someone steals your Monzo card details, you can request a new one and your original bank card details are still safe.
Note: All this works, only if you don't use a credit card.
Edit: although I guess they'd just do it in the middle of the night so doesn't really help.
The very crude answer is to get a prepaid card and load it with enough to cover each purchase, then toss it as soon as it gets misused. Which works, but doesn't sound worth the hassle unless you seriously expect a bad outcome.
If a company is prepared to stiff me like that, the convenience of having it fixed right away is not worth the concession of letting them have my money when all is said and done. Is that just me?
But then is there literally any alternative payment method in the US that does not involve a credit card? It seems like the US banking system has just not invented anything in the last 30 years. It's not rocket science: money from my bank account to Deliveroo's bank account in (near) real time.
Surprisingly the US is much harder to convince. Ask people under 30yo in Aus or the UK when they last wrote a cheque, and the answer "what's a cheque?" is likely the response. Signing for a payment, magstripe, even using a PIN is mostly a distant memory.
I can go weeks without my wallet now, Samsung Pay on my phone works just about everywhere in Australia, and it's great. Banking app even lets me generate a code to get cardless cash from ATMs, should I need notes.
For transactions bigger than ~AUD100 I do have to enter my pin but that's a minor inconvenience.
It's what train companies in the UK send you 3 weeks after you fill a compensation for delay claim...
> This is basically the sole "feature" of credit cards I value. Any time I'm buying something from
> somewhere that might act poorly, I use a credit card for the free leverage I have in a disagreement.
I don't understand your point. Are you saying the ideal scenario would be to fill in the card's information each time? The fact that it's a credit card doesn't change that it was prefilled, a debit card or wire transfer is the same. Credit or not, if it's already there, the one that accesses your account can use it.
With a credit card though, you can do a chargeback, which not only gives you your money back, but also adds a direct cost (and a steep one from what I understood) to the merchant that made the transaction. As far as I know you couldn't do the same with a debit card.
When I pay with my bank card with an internet payment through my bank, the authorisation is handled by me and my own bank, and nobody else. Nobody else can ever make that kind of payment without access to my password and my 2FA system. That's how it should work.
Between the payment and the delivery the company went bust.
I thought I was out of the money, but after a brief search I found out that, although there is no legal requirement to do so, VISA in the UK offers (or at least used to) the same chargeback facility to debit cards as for CCs. I visited my bank branch which gave me a phone number to contact, sent in a bunch of paperwork and after about 2 weeks I got my money back. I was very pleased as you can expect.
In this scenario, the bank is jointly responsible for the transaction, and should refund you if the transaction isn't completed satisfactorily
Their story is about a situation where they gave explicit authorisation. They intentionally paid.
In the Deliveroo case, however, it's the inherent insecurity of credit cards that made that problem possible in the first place. In light of that, the ubiquity of credit cards for online payments where data is so easily copied and leaked, never ceases to puzzle me.
And I suppose that the effect you describe results from abusive requests for chargebacks. I doubt you will be refused a mortgage because you were a victim of theft in the past...
Don't be so certain about this. The credit reporting agencies are evil, nasty blackboxes and it is not transparent how your score is influenced, even by fraudulent stuff.
Additionally, you can and should file a police report for fraud when hit with such a scheme, it makes dealing with your card-issuing bank and the CRAs so much easier.
The bank went from "we won't help you" to "oh, we'll fix that" about as soon as I told them I had a crime reference number...
I guess this has something to do with the penalties for making a false police report being much higher (in criminal law terms) than lying to a bank.
Mostly chargebacks are for actual fraudulent use of the card, and the process also includes getting a new card number.
Lately, most chargebacks I’ve done have actually been issued by the card itself after they detected suspicious activity and sent me a text alert asking about specific charges.
In one case, it was a debit card which I had received in the mail, activated, and never used and had never left the house. That one was particularly bizarre and I let them know something was very wrong there.
Google this: "Account information disputed by consumer, meets FCRA requirements" and you will learn more.
Besides, I said that I'd only do this if I didn't get a refund through Deliveroo/bank/CC chargeback. I certainly wouldn't start with small claims court.
It is mentioned in passing in the article itself.
> Of the roughly 40 people I spoke to, not a single one had been refunded by the delivery service; those who did get their money back had got it from their bank.
I have almost always had a full refund (otherwise just partial for what was wrong/damaged) but what I really LOVED was how transparent they are throughout the process.
They message you when your concerns resulted in a ticket opening, when someone picks up your support ticket, when they are working on a resolution, and then when they found a resolution for your issue.
It's very seamless as well - I was experiencing issues on their web platform, DM'd support on Twitter, received info by email and on the UberEats app and at no time were there inconsistencies.
If it wasn't for the quality of their support team - I would have stopped using UberEats a long time ago.
Getting a refund on what you ordered but did not receive is not compensation, it's what they must do.
So, they have good customer support, but suck at the basic function of the business? And you keep using them?
Plus the following dialogue: what was your name?...I am reporting you to xyz state attorney general's consumer fraud division is incredibly effective.
I worked in call centers for years and we laughed at people like you for a whole multitude of reasons.
The main reason being once you say this I'm no longer obligated to help you. Since you've decided to make this a legal situation instead of a customer service one you'll now need to talk to our team of lawyers that are on retainer. Anytime you call or email you'll get auto routed to our legal department forever who will go out of their way to not help you.
The reality is that people who make legal threats don't actually follow through because they aren't people that understand the law or how it works. If they did, they'd be taking actual legal action against us, not making idle threats to people making $19 dollars an hour.
Again I'm not threatening to bring legal action. I'm just letting the 800 lb gorilla know about the situation and they perhaps might want to do something.
Who is "most vendors" exactly?
Thanks for the downvotes.
Also heard it with lots of other vendors, but won't name without having something more substantial to back it up with.
I would never touch a company again that did that to me anyway.
If I have a shitty customer service interaction with an Amazon rep, I might have to weigh the chargeback versus the value of my Kindle library, my AWS instances suddenly going dark, etc.
In the case of Uber, I might find myself severely restricted in transit options in an unfamiliar city.
If you're lucky. Otherwise they'll offer you "credit".
Money-as-a-service (banks) give you the power to do this. But dependence on anything-else-as-a-service gives the provider power to make you think twice.
I discovered recently that drivers are allowed - without penalty - to reject an order when they reach the pickup location if they see the receipt and decide it is too far to travel.
As a customer you just see your food go: `Assigning Driver -> Driver En Route to Pickup -> Driver Arrived at Pickup Location -> Assigning Driver`, for two hours on repeat. Eventually your cold food arrives 2 hours later, and you are offered £5 credit for your ruined meal.
I live in Central London (Old Street), and have had this happen repeatedly with restaurants that are not far from me.
https://www.reddit.com/r/deliveroos/comments/82w97o/riders_o...
I must be missing something about these services given their popularity. Do you mind explaining why you use them?
Food temperature is a personal preference, some people are really picky about food being hot/fresh, some aren't. I prefer the taste of room temperature food over hot food so "sitting around for 20 minutes" would be a feature for me.
... and then jumping into his new C300 to deliver it.
I'm not sure I can process that. New Mercedes, let's put miles on it delivering fast food...
And some people really like McDonalds and don't care for the fancy stuff.
It's not for me, but basically it boils down to "people like different things than me."
I know someone else who can't understand why anyone would ever play video games: "it's time and effort for zero reward."
Some people enjoy doing work on their car, while others would rather pay someone to do the work for them.
Humans aren't the same.
Justeat delivers from fast food.
Deliveroo costs more because it's providing a delivery service for restaurants that don't normally deliver.
So I'm getting good food. When in a restaurant, things sit in a kitchen for 10 minutes waiting for the rest of your order anyway. 10 minutes in a thermal bag is the same.
"To me this ruins the meal"
shrug, I'm not sure what you're expecting anybody to say. I can't really change your mind on what is a hypothetical situation for you. I've ordered plenty, it's generally no worse than the quality I would get in the restaurant (other than the presentation in a bespoke takeaway box not a plate).
Also, what kind of presentation are you expecting for a burger anyway? It's a burger, with some artfully surrounding chips? Ordered to go, it's a burger, with the chips in smaller box instead of surrounding the burger.
But at that point you're basically just objecting to all delivery food ever. Which is fine but, like, you are aware that it is a huge industry and has been for decades and people do like it? Convenience trumps artistry (and optimum temperature) for many people a lot of the time.
I want food, I can't be bothered to cook or go out?
Are you seriously struggling to understand food delivery? Or if you mean what's the benefit over e.g. ordering direct from a restaurant, is you have a lot more choice and it's much higher quality than traditional take aways (you get proper restaurant food)
You're not going to get a gourmet steak hot from the grill with precisely placed edible flowers laid delicately in it. But a bag of fries and a carton of fried chicken does not require eggs-in-space-shuttle level cushioning
"Old-fashioned"? Nice try, Grandpa. I'm approaching retirement, and delivery of restaurant food has been a thing since before I was born. Hell, Domino's was founded in 1960.
Hey, I quoted you accurately. :-) But fair enough. My counter would be that if your bar has fallen to fast food territory, perhaps warmth and presentation isn't an issue at that point for some folks. But I haven't been part of the fast food demographic for decades, so what do I know?
I would even prefer KFC bucket with 25 chicken wings delivered to me, not pizza (which is mostly bread)
I live 20 minutes outside of a small town in Norway and the restaurants/kebab shops don't generate enough take-away business to provide this service themselves.
There is another company that does that for them and services all making take-away possible at all.
Now this company actually operates with a time guarantee, that is if the food is not delivered within an hour or if the order is "refused" due to reasons the OP touches on you get your money back.
I've yet to have any that happen to me, possibly because it would actually be bad for those delivering.
I could drive and pick it up myself, but sometimes you just want to be a couch-potato and be lazy!
When you are severely hungover and your fridge is empty, food delivery is godsend, even if it is fastfood (and proper food is just priceless).
Recent McD commercial in NZ even focused on this particular case -- zombie-like people who celebrated NY 2019 all night long are getting some food delivered to their door. Don't have a link right now but you can google.
People love to talk about these services as if they're only for young, single, hipsters but a significant portion of their use come from people with some kind of life limitation (same as the Whole Foods peeled oranges in a plastic box that people love to make fun of. These are a godsend for people with poor motor skills).
I live in Taiwan, where Deliveroo gives you about $3.50 off your first order, and delivery is factored into the price. A friend of mine ordered a $6 pizza that she ate half of and brought the rest of to work the next day. All told, she paid $2.50 for two lunches, and didn't even have to leave the office.
That doesn't sound better than the alternative to you?
Or they have different priorities than you and value convenience over taste, price, and quality. There's even an entire industry built on this premise, "convenience stores."
I do use Instacart for grocery delivery (Chicago), but I really dislike grocery stores and am willing to pay the premium (avg +30% in my exp) to avoid that trip. Honestly, if I was in the suburbs, with a vehicle, I might be better incentivized to personally make the trip.
All my own opinion though.
Although those things are going out of fashion quite fast.
What does having a conscience have to do with whether or not you use a food delivery service?
I'm surprised that this hasn't occurred to you already at least as an issue for someone (not necessarily you, or, for that matter, me). Still, given that this is a thread where things like "food delivery" need to be explained from first principles, I shouldn't be too surprised.
So they should do something else. Those drivers determined that delivering the food was the best use of their time. I don't think it's right to voluntarily choose this specific job and then make people feel immoral for using the service they signed up to provide.
But even then you would 'understand the appeal' but be opting out of using them.
It's a weird turn of phrase IMHO, as if the person has never heard of food delivery before.
That's pretty bad!
You would need to speak Portuguese, and prove an effective tie to Portugal, for example participating in Portuguese cultural activities, groups or organizations.
Do humans really have such low morality and ethics? I just can't picture a person who does this to another human being...
Because it's a ridiculously naive statement at best. More likely just some sanctimonious BS you decided to post to signal how much of a good person you are.
Like seriously, what world do you live in where you can't picture a person doing something to take advantage of another person? Have you read literally anything in history?
Because it's a ridiculously smug statement at best. More likely just some sanctimonious BS you decided to post to signal how much of an intelligent person you are.
Like seriously, what world do you live in where you can't picture a person thinking that it's sad that a person takes advantage of another person? Have you read literally anything in history?
Going as far as circumventing legal regulations and even paying to be able to do such a job is a good indicator that the person doing it is desperate for income.
Many people believe wealth should be shared, that everyone deserves happiness, and that no one should spend their lives slaving away just to survive. Those same people would not try to profit off of someone desperate for income and willing to work hard and would consider what OP is talking about immoral.
It proposes a false dichotomy where the worker has to either be in well paying and fulfilling employment (which obviously is not an option given their circumstances) or alternatively, they must be saved from the tyranny of their employer (usually through enactment of regulations which will leave them jobless).
Either way all it achieves is to deprive the worker of income, experience and the agency that comes with being able to make their own employment decisions. Your comment, despite seeming conscientious, gives little consideration to utility of the worker and the pragmatic decisions they face.
A sense of moral outrage towards a company (or individual) for perceived exploitation of their employees might be justified, but is not sufficient grounds for limiting the freedom of exchange.
A former PM (Gordon Brown) was fined when it was found that his cleaner had used good forged papers.
Various modern slavery and gangmaster laws also come to mind.
There have been well documented cases of modern slavery where disadvantaged people like this have been abused and effectively turned into slaves.
I fail to see how the citizen in this case is harming the non-citizen.
To me, as someone who worked in this industry before, this simply seems like a ploy by Deliveroo to escape absorbing the chargeback cost. Because that is exactly what would happen if you called your credit card's bank/company and asked them to initiate a chargeback for the fraudulent transactions instead of begging Deliveroo - the money will first be refunded to you almost immediately (varies from bank to bank) and then an investigation will be opened against the merchant in question (in this case, Deliveroo), and when you provide your credit card company valid proof that you're innocent by sharing logs, screenshots, etc. the dispute would be settled and the bank will side with you, the customer, and thus this will lead to a loss on the merchant to bear the fraudulent transacted amount.
It seems Deliveroo may be doing EXACTLY this to avoid letting the customer become eligible for a refund later through their banks by pushing them past the chargeback window. This is actually criminal in some countries, and grounds for a class action suit, which I hope someone sues them for if they are found guilty of this.
The other reason for the elongated resolution timelines is because Deliveroo actually benefits from these transactions - think about it, they earn for each transaction and in some markets, if I'm not wrong, the larger the transaction, the more they earn. So, why would they do something fast that affects their revenues negatively.
Anyway, my personal experience with Deliveroo also has never been positive and I don't recommend them at all.
So yeah, I think it's shady and dishonest.
Sure, if a restaurant allows their brand to be used for such shenanigans they deserve all the bad press they may get.
Disclaimer: I use the Fat Duck as an example. I'm pretty sure they don't do home deliveries, let alone - Deliveroo.
That's the thing. It isn't. Every franchise, big or small, has wildly different quality of ingredients and preparation (and even send the correct damn drink and remember the dip) among outlets, and if I order from that one, I want that one to prepare my food.
> You aren't led to believe the food is coming from somewhere it isn't.
I think we have different definitions of what being 'led to believe' is.
That's not to say that their current response (or lack thereof) isn't bad, it's more that I'm not sure what would be a good response in this situation.
I'm also not sure how Deliveroo could be considered liable if the breach is on the user's side (phished password) rather than a server-side vulnerability. If I offer an online service and one user gets their password stolen, would I be liable for that? If so, what should I do if somebody claims that their account was stolen? What if they're actually lying to get access to a legit account?
The real story is that Deliveroo does not handle fraud properly. This is a much lesser crime than what they are being accused of.
The author wants to make it seem like Deliveroo has had a data leak and are trying to hide the fact. There is no evidence of this, but if it did turn out to be true then the author would be able to claim that they broke the story.
Deliveroo are responsible for the data you give them. If they fuck up and allow unauthorized people access to that data, they're in breach of the GDPR.
If they haven't informed ICO (and equivalent in any country within GDPR rules) within 72 hours of each breach, they're in even deeper shit. First, they have to be clear about the scale of the breach and what exactly has gone wrong. They've got to be able to demonstrate the steps they've taken to mitigate the issue and prevent it happening in future. If people are complaining on a regular basis for months, they've not done that.
However, I do agree that Deliveroo needs to do more to protect users against this. 2-factor authentication, email confirmation from a new IP, re-entry of card details when ordering to a new address are all simple ways to handle this. Deliveroo has not prioritised this because their main priority is growth.
"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."
The key part being "unauthorised disclosure of, or access to, personal data."
So does credential stuffing qualify - In my opinion yes, as it is unauthorised access to personal data.
They then go on to say
"When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"
And again, the ability to place orders and deliver them to a new address charging the existing credit card I think qualifies as a severe and likely risk.
Edited to add: In the absence of any legal precedent I’d challenge you to find any lawyer who’d confidently say that credential stuffing definitely doesn’t meet the criteria.
- is it illegal to not have 2FA; I’m not against that, but it feels… excessive;
- every website, including small irrelevant ones, with a password (like HN) needs to crawl the darker internet to check for leaked lists of email/passwords; that would make those unsavoury forums crawl with solution vendors; it would also make it illegal to not find the most obscure ones; in other words, a non-option;
- ban the use of any password listed on https://haveibeenpwned.com/Passwords which feels more manageable, but… does the service offer an API?
Which one feels the most likely to happen in the short term?
"establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO;"
So if it's a small irrelevant website, there isn't likely to be a high or severe risk to that "breach", so they should be ok.
In terms of options, I think there are more, mostly around sites getting more sophisticated at defending against credential stuffing attacks - treat logins as more suspicious if they are from a new device, new ip, use a password that you know is in a breach list (have i been pwned), etc. and put in place a 2nd factor like email confirmation of the login even if they haven't turned on 2FA. Or at least restrict access to sensitive parts of your site if the login was suspicious until you can verify it was an authentic login.
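The login checks suggested in the comment above (new device, new IP, password known from a breach list, then email confirmation or restricted access) can be sketched as follows. This is an added example, not part of the original thread and not Deliveroo's code; the two-signal threshold, the action names and the constructed breached-password list (queried by SHA-1 prefix, the shape of a k-anonymity range lookup) are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: a tiny stand-in for a breached-password corpus.
BREACHED_SAMPLE = ["password1", "letmein", "qwerty123"]

# Hypothetical action names; these are the actions an attacker needs
# in order to spend money from a taken-over account.
SENSITIVE_ACTIONS = {"add_delivery_address", "pay_with_stored_card", "change_email"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Group SHA-1 digests by their first 5 hex characters, so a lookup
    only ever reveals the prefix, never the password or its full hash."""
    index = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_SAMPLE)


def password_is_breached(password: str, index=RANGE_INDEX) -> bool:
    digest = sha1_upper(password)
    return digest[5:] in index.get(digest[:5], set())


@dataclass
class Account:
    known_devices: set
    known_ips: set


@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    password: str  # assumed to have already passed the normal password check


def assess_login(account: Account, attempt: LoginAttempt):
    """Return (decision, signals) for a login whose password was correct."""
    signals = []
    if attempt.device_id not in account.known_devices:
        signals.append("new_device")
    if attempt.ip not in account.known_ips:
        signals.append("new_ip")
    if password_is_breached(attempt.password):
        signals.append("breached_password")

    if not signals:
        decision = "allow"
    elif len(signals) >= 2:
        # Assumed threshold: two or more signals means no session at all
        # until the account's email address confirms the login.
        decision = "email_confirm"
    else:
        # One signal: browsing is fine, sensitive actions stay locked.
        decision = "restricted"
    return decision, signals


def action_allowed(decision: str, action: str, confirmed: bool = False) -> bool:
    if decision == "allow" or confirmed:
        return True
    if decision == "email_confirm":
        return False
    return action not in SENSITIVE_ACTIONS


def confirm_login(account: Account, attempt: LoginAttempt) -> None:
    """After the owner confirms by email, remember the device and IP."""
    account.known_devices.add(attempt.device_id)
    account.known_ips.add(attempt.ip)


if __name__ == "__main__":
    # Constructed account and attempts; IPs are from documentation ranges.
    acct = Account({"dev-A"}, {"203.0.113.10"})
    stuffing = LoginAttempt("dev-B", "198.51.100.7", "letmein")
    print(assess_login(acct, stuffing))
    travelling = LoginAttempt("dev-A", "198.51.100.7", "S7#long-unique-phrase")
    decision, _ = assess_login(acct, travelling)
    print(decision, action_allowed(decision, "pay_with_stored_card"))
```
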
To be clear, no website, depending on passwords alone, can know if an access was authorized by the person who is the subject of the account. Therefore, it would seem that the only sites that can use password-only authentication without risk are those that hold no personal information about their customers. According to your own interpretation of the law, some of your proposed mitigations would not be sufficient to eliminate the risk, if any personal information is held.
Look, I am not a lawyer, and I am happy for someone to correct me here, but this is the wording of the law:
Is there anything in that sentence that means a successful credential stuffing attack would not fit the criteria?
Remember GDPR is specifically concerned with "A personal data breach"
The original breach that led to the password being leaked was likely also a personal data breach (unless the only thing the hackers managed to access was the username/password database - and even then email address can constitute personal data in some cases), but there is definitely a personal data breach as a result of the credential stuffing attack (in the Deliveroo case, more than likely full home address, possibly other addresses too like work, possibly name, some level of credit card data, order history, etc.).
>> b) the credential stuffing attack itself is authorized access (because from the site's perspective, the user provided the correct username and password), not unauthorized access.
It's certainly authenticated access, but I think you'll struggle to convince a lawyer that it was authorised.
It will ultimately come down to a test case, but as I said before, you will be hard pressed to find a lawyer who would tell a company that they definitely won’t be liable.
But even so I struggle to think of a definition where accessing someone else’s account without their permission or authority wouldn’t be classed as unauthorised.
I would never, but one of my two housemates was very confused why they couldn’t have my password so that they could look at the menu and each add their option to the order. (The third housemate was also a developer so he was surprised that I could remember it and I got sermoned about 1Pass over pizza.)
I also have heard of cases of close (female) friends who know each other’s password; when one had a health incident (miscarriage), the other took upon herself to order for the first one, to comfort her. She tried from her own account but failed (couldn’t remember the name of the restaurant), so connected to her grieving friend’s account, changed it to use her debit card. It was fully appreciated, but a surprise.
“Authorised” in that sense falls somewhere between:
- I know who those people are;
- we are part of the same household;
- I know that they can have access to my account;
- they made sure that I know they are on my account;
- I actively allowed them to be on my account right now;
- the device is shared.
Permission or authority from who though?
If someone steals a key and unlocks a lock, is that considered "unauthorized access?" From the perspective of the person whose key was stolen, absolutely. From the perspective of the lock, no, the access was authorized.
We define terms in statutes and contracts for a damn good reason.
Well, the distinction can be as easy as someone hacking the company vs. guessing your password. What is the company to do to protect against the latter?! After all, the password is the authorisation, so I would even claim it's not unauthorised access...
> This is despite the company not asking customers to enter a Card Verification Value 2 (CVV2) code when making orders, a card security system designed to ensure that someone ordering something online has physical possession of the card used to pay for it.
More info on an article from November 2016: https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-f...
BBC's Watchdog documentary: https://www.bbc.co.uk/programmes/articles/3ZMjkWFfDZQ8zFYQJL... (with response from Deliveroo)
So this Tech Journalist uses the same password on every site?
It seems to me like the corruption or fraud is within Deliveroo.
All of these services can give you a push notification every time a transaction is made on your account so that you are immediately made aware and are able to cancel them. You can block the card from within the app immediately.
1. http://join.monzo.com/r/vrlkxvo (Using this link gives us both £5)
3. https://www.imaginecurve.com/ (Sign up with WAI91 and we both get £5)
I've been using Revolut for the past year. Just 2 weeks ago, they detected a potential fraudulent transaction with - you guessed it - Deliveroo, for an amount of £25 (I don't live in the UK). The transaction, as well as my card, was immediately blocked. I then received a push message asking me to confirm whether the transaction was fraudulent - pushing "Confirm" triggered the expedition of a new card to my address. In contrast to legacy banks for which it is still recommended you call on the phone to notify you're going abroad, this is excellent service.
I don't use their app. If they suspect a fraudulent transaction, they block it and call me.
Do any UK credit card companies offer consumer and fraud protection above the norm? Amex would immediately side with me if I showed them the Deliveroo communication. Another Citi VISA I had offered 18-month warranties on laptops and other electronics if I used the card.
Edit: apparently they stopped doing this for average cardholders 15 years ago and it's a corporate-card-only thing now called 'Amex Go'
I should note I have a "Starwood Preferred Guest" Amex card, but that is not a corporate card. It may be that the SPG card has additional features that a regular card would not.
I saw my manager's Amex get declined when they tried to pay for a team meal (15 people) a few years ago.
Those rules mostly don't apply to Amex (they were not considered part of the Visa-MC duopoly).
There's some interesting background here: https://www.headforpoints.com/2018/02/08/american-express-eu...
Thanks for letting me know about Amex doing this. Might provide better customer service and many places do accept it.
Yeah! Blame it on your customers! Way to go!
Sigh! Another gig economy service I'm damn sure never to use.
The catch is, you'd have to store the pairs together which then makes you a target, so in practice the best you can really do is what's on offer already -- check that the password hasn't been leaked (and maybe if the email address has a high HIBP leak count).
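The leaked-password check mentioned in the comment above, as an added example that is not part of the original thread or any company's code: a password-only lookup against a breach corpus using the k-anonymity range format of HIBP's Pwned Passwords service (5-character SHA-1 prefix sent, `SUFFIX:COUNT` lines returned), so no email/password pairs are stored. The function names are hypothetical, and `make_fake_fetch` is a constructed offline stand-in for the HTTP call.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; only the 5-char prefix ever leaves the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines, ignoring anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the corpus; the match is done locally."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def accept_password(password, fetch_range, threshold=1):
    """Reject at signup or password change if seen `threshold` or more times."""
    return breach_count(password, fetch_range) < threshold

def make_fake_fetch(leaked):
    """Constructed stand-in for the range endpoint; records what it was sent."""
    buckets, seen = {}, []
    for pw, count in leaked.items():
        prefix, suffix = split_hash(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    def fetch(prefix):
        seen.append(prefix)
        return "\r\n".join(buckets.get(prefix, []))
    return fetch, seen

if __name__ == "__main__":
    # Constructed sample corpus; the counts are made up for the demo.
    fetch, seen = make_fake_fetch({"hunter2": 17000, "password1": 2400000})
    for candidate in ("password1", "correct horse battery staple 9!"):
        verdict = "accept" if accept_password(candidate, fetch) else "reject"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent upstream:", seen)
```
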
That solution would seem to force people into password managers and random high-entropy passwords or passphrases...
It's conceivable that the fraud is on the merchant side, with a restaurant faking a large order to an existing address, but in that case Deliveroo still has responsibility for allowing bad merchants into the system.
I must be missing something here.
We'd only deliver to an actual numbered street address or apartment.
I've heard of people getting deliveries to the middle of the park in summer, or even to a boat waiting beside a road bridge...
1) People pay the fraudster for "discounted" food.
2) The fraudster places the order using the stolen account.
3) The fraudster tells the people who paid them: "Go to the pub car park at 9pm and wait for the Deliveroo driver. If he asks, your name is John Smith."
It's also pretty hard to imagine it's worth the effort, you still need to advertise so people know about your service! The service would have suspiciously similar dishes advertised in menus corresponding to original restaurants etc... The unsuspecting customer gets to open the door for a Deliveroo person! There's just so many ways this would go wrong in the real world that it doesn't make sense to invest time and effort in MitM'ing Deliveroo from a limited set of compromised accounts...
This all indicates the fraud is happening from within Deliveroo.
Why would they ever sell it at a loss? Everyone needs food, so they get the value by consuming it themselves.
Not even that hard to investigate because there’s a complete paper trail after a fraud is reported of what was ordered, who delivered it, and where it was delivered.
To me all this suggests the fraud is happening within Deliveroo, at a level above the delivery people.
The only credential fraud outside of Deliveroo I can envision is if the black hat hackers contact the restaurants to conspire, the food is then never made but the profit is shared...
That's how the cop would describe it of course. Anyone with half a brain knows they always throw the book but the whole book never sticks.
What sticks will probably wind up being some sort of fraud and the punishment will probably be something like fine and probation.
When I was in college if the pizza guy was in the lobby (invariably trying to call someone who wasn't picking up their phone) very long it was customary to ask him what he was delivering and buy it if you wanted it.
What they may do is:
Order items that aren't as perishable such as alcohol & ice cream (e.g. Ben & Jerry's) and then resell those via partner off-license shops.
This is how the market for stolen gas works anyway, I'd imagine stolen cola and beer would be similar.
If that's not the case you can't resell takeaway food, so no easy way to turn it into cash.
"Address given is not registered as a restaurant or food outlet" (aka: they're not registered with the local council).
I've gotten into the habit of checking 'Scores, just because of the sheer number of poor quality food places on Deliveroo, Just Eat and so on.