It Might Not Be Your Breach, But it is Your Problem

Fraud issues on UK takeaway services like JustEat and Deliveroo illustrate the necessity for site owners to defend themselves against fallout from other system breaches.

In our recent blog, we discussed the Deliveroo and Just Eat credential stuffing attacks and subsequent exploitation of each business’s core functionality to fraudulently access refunds from customer accounts.

But how were these credential stuffing attacks carried out in the first place? In this blog, we’re exploring another major challenge facing businesses; legacy data breaches that become your problem.

How did Deliveroo and Just Eat become targets?

Let us first set the scene. Earlier this month, it was reported that Deliveroo and Just Eat had been affected by compromised credentials when customer accounts were breached, and their credit used to purchase takeaways. In both cases there was no suggestion of any security breaches involving data from either company, in fact, both Deliveroo and Just Eat hold high standards of data protection.

Each business is suffering due to:

• The inefficient data security of other organizations
• Their user’s poor password hygiene

This killer combination is becoming an increasingly common occurrence. And the biggest challenge: each issue is completely out of your control. Take poor password protection for instance, you can’t force customers to use strong passwords and update them regularly. However, your users expect you to protect them from themselves.

Why are compromised customer credentials your problem?

Despite the fault lying at someone else’s door, compromised usernames and passwords quickly become your problem when your customers feel the effects, and the reasons are threefold:

1. First, and perhaps of least importance, is the financial damage. Just Eat and Deliveroo will be out of pocket for the fraudulent orders. However, according to reports, these orders seem to have thus far been for relatively small amounts.
2. In second place we have an impact on user trust. Regardless of how the breach came about, every user affected will likely lose trust in that company and think twice about using the service again. They may even actively deter friends and family from using the service. For a service dependent on regular repeat users in a crowded marketplace with offline alternatives, the consequences could be catastrophic. The impact spreads beyond just the specific service or business and will often extend to any company in that sector. Hence Just Eat users affected by this will also stop using Deliveroo and even other services that have not been affected.
3. Last but certainly not least, is the widespread reputational damage that occurs when these stories are picked up by the mainstream media, with headlines and tone that clearly imply failing on behalf of the businesses affected. In this case, the victims. The headline for this particular story wasn’t “Just Eat and Deliveroo picks up the tab for poor user password hygiene” although that may have been fairer, instead the headline blame was put at the door of companies that have been affected. Most readers will, therefore, lose trust in these companies and possibly online services in general.

How did attackers access customer accounts in the first place?

Both the Deliveroo and Just Eat attacks will have been made possible by bot activity to identify compromised credentials. Even if the ultimate exploit was actually undertaken by humans.

Bots exploit business logic weaknesses, expanding attack vectors away from those defended by traditional application security. For many systems, business logic is the weak point and the range of infrastructure, products, data and services available to exploit those weaknesses mean that these attack vectors are becoming an extremely attractive target.

It is not your problem but it is your responsibility to have a sophisticated bot defense solution in place. It is vital that your bot management technology provides comprehensive protection against bot activity that targets weaknesses in your business logic across your website and API-based systems.

This needs to look beyond traditional bot defence that focused on reputational blacklist and JavaScript checks to include real-time analysis of user behaviors and identify bad actors.

Talk to the Netacea team today to find out how our best-of-breed bot management technology protects websites, mobile apps and APIs from malicious attacks such as scraping, credential stuffing and account takeover. Alternatively, read our 3-Step Guide to Better Bot Management to discover what you can be doing to protect your business now.