Your food-delivery app is under attack by hackers so here's what to do

1. Abode
2. News
3. Security

Your food-delivery app is nether attack past hackers and so here's what to do

(Epitome credit: buryakphoto/Shutterstock)

Watch out: Your food-delivery app may be delivering your pizza, tacos and credit cards to cybercriminals.

So warns the FBI in a private alert sent out to the food industry last calendar week and seen past The Tape. In it, the Bureau says that criminals are using credential-stuffing attacks to pause into grocery and eating house delivery apps, such equally Seamless, DoorDash or Instacart, to identify fraudulent orders and steal credit cards.

• Why you should never reuse a password
• The best nutrient delivery services
• Plus: T-Mobile information breach puts 48 million people at astringent risk of identity theft

"In July 2020, the personal information of customers of a grocery delivery company was being sold on the dark web," says the FBI most 1 case history detailed in the report.

"The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the action was the consequence of credential stuffing."

You'll desire to cheque your food-delivery accounts for any strange orders that you didn't place, and your credit-card accounts for unusual activity. Study anything that you tin can't business relationship for to your credit-carte du jour issuer.

Most food-delivery apps have weak protections

One of the nearly effective defenses against credential stuffing is ii-factor authentication (2FA), a basic class of account protection that requires a user logging from a new device or location to provide an boosted one-time code.

Tom's Guide signed upwards for 7 well-known food- and grocery-delivery services and found that merely two — UberEats and Postmates, both endemic by Uber — offered 2FA as an option.

DoorDash, Grubhub, Instacart, Seamless and Stop & Store GO Pass did not give us any 2FA option. If in that location'south none available, so all it would take to hijack an account on those services is a stolen username and password, and that's exactly what credential stuffing is designed to do.

Credential stuffing is unproblematic. In that location are hundreds of millions of stolen username-countersign pairs, or credentials, floating around online, obtained from data breaches or successful phishing attacks. Considering many people reuse their passwords, a lot of those stolen credentials will unlock more than one online account.

So cybercriminals have created computer programs that burn stolen credentials at website login pages similar bullets from a automobile gun. A fair number of those credentials will successfully log in and requite the criminals admission to online accounts.

If those accounts incorporate credit-card data, or permit i-click ordering or free delivery, then information technology's political party time for the crooks. They can change the commitment address on the account to take burritos, beer or groceries sent to their buddies. If the credit-card data isn't properly protected, the card numbers tin be stolen likewise.

How to protect yourself against these attacks

You can protect yourself against credential stuffing by never reusing a password, especially on accounts that permits fiscal transactions of whatever kind. Instead, use one of the best password managers — some of them are free — to create and remember the passwords for yous, or just write your passwords downwards in a notebook that you keep locked in a desk-bound drawer.

Y'all too should enable 2FA on any online account that supports it. Even passwords used for only account can get stolen in data breaches, and 2FA will make it much harder for crooks to hijack accounts even if they have the passwords.

If your food-delivery app doesn't support 2FA, switch to i that does, like UberEats or Postmates. Use the online 2FA Directory to publicly call out those companies that don't offer 2FA.

Paul Wagenseil is a senior editor at Tom'due south Guide focused on security and privacy. He has as well been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security infinite for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Television news spots and even moderated a panel give-and-take at the CEDIA dwelling house-technology briefing. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/food-delivery-credential-stuffing-attacks

Posted by: penahadidecount.blogspot.com

Share this post