Food delivery apps like DoorDash are increasingly vulnerable to hackers aiming to take over user accounts, posing significant risks to customers and platforms alike.
According to Sift, a company specializing in fraud detection, approximately 20% of accounts associated with ordering and delivering restaurant food have experienced attempted account takeovers by hackers. This rate far exceeds the average of 2.5% across industries tracked by Sift, which includes sectors like cryptocurrency and transportation.
One contributing factor to this vulnerability is the limited use of two-factor authentication (2FA) by food delivery apps. Sift’s research reveals that only 3.5% of log-ins on food delivery platforms utilize 2FA, compared to a 10% average across all apps monitored by Sift. Brittany Allen, Trust & Safety Architect at Sift, highlighted this discrepancy, noting that while consumers readily embrace multiple security steps for banking apps, such measures are less common in food delivery apps, despite the valuable information they often contain, such as account balances and loyalty points.
Hackers are drawn to food delivery accounts due to the infrequent use by many customers, making suspicious activities less noticeable. Allen emphasized that this makes such accounts particularly attractive targets for hackers seeking to exploit them for fraudulent purposes.
Once hackers gain control, they can exploit these accounts in various ways, from placing unauthorized orders to harvesting loyalty points or selling the accounts themselves. Telegram and social media platforms like Facebook and Instagram have become channels for advertising and selling compromised food delivery accounts, posing additional risks to consumers.
The threat extends beyond individual users to gig workers as well. Instances of account takeovers among drivers for services like Walmart’s Spark delivery have been reported, with some drivers finding their accounts used for unauthorized shopping and delivery.
While steps have been taken to enhance security, including Walmart’s implementation of selfie verification for Spark drivers, vulnerabilities persist, highlighting the ongoing challenge of securing food delivery platforms against increasingly sophisticated cyber threats.