Ordering dinner on your food delivery app? 5 tips to prevent hackers from accessing your account

Deliveroo staff packaging food for delivery.
Deliveroo staff packaging food for delivery.PHOTO: DELIVEROO

SINGAPORE - Ordering dinner using your favourite food app?

It takes just a few taps on the screen to get that burger or pizza, but such convenience may come at the expense of security.

There is room for security in mobile apps to be improved, experts told The Straits Times after accounts at food delivery service Deliveroo were compromised.

Last week, it was reported that hackers had ordered food using others' Deliveroo accounts in Britain.

On Nov 25, Deliveroo Singapore said it was aware that a small number of accounts in Singapore were compromised.


Deliveroo told The Straits Times this week that the company has helped the affected customers secure their accounts, and given them refunds.

"Customer security is crucial to us and we take any instance of fraud on our system very seriously," a spokesman said. "On the rare occasions when fraud does occur, we work with customers to secure their account and reimburse them for fraudulent transactions."

Deliveroo added that the cases involved passwords which were stolen from another company, then used to place orders on Deliveroo.

Other food delivery apps that The Straits Times checked with said data security is an important concern for them.

foodpanda said that it "has a security programme in place to help us with protecting our data as well as our customers' privacy".

"Customer security is crucial to us and we are constantly improving our security measures," said Mr Jakob Angele, CEO for foodpanda Singapore.

Uber, which operates UberEats, said that it works with regulators to "ensure the safety of its platform and those who use it, as well as maintaining appropriate levels of privacy".

Uber said it maintains "cutting-edge technical solutions", which it was not willing to reveal due to security concerns.

Food delivery apps are only one category of many that collect users' personal and financial information, including addresses and credit card details.

"The Deliveroo app is not an outlier among other mobile apps in terms of security," said Mr David Siah, country manager of cyber security firm Trend Micro. "In general, we have observed that mobile apps are not as secure as we think they are or would like them to be."

Besides hacked accounts, most mobile apps - especially free ones - collect user data such as their contact lists and location information, said Mr Siah. The information is then sold to advertisers.

"The real problem here is that these third-party advertisers cannot be fully trusted to protect these user information and data," he said. "Should an unfortunate breach occur, it can be difficult to follow the bread crumbs back to the advertisers - mobile apps take the blame in such cases."

Such cases emphasise the need for strong authentication - which involves "something you know and something you own", said Mr Tan Teik Guan, a mentor for SGInnovate.

Mr Tan, who has designed and implemented IT security systems for banks and the Government, is referring to two-factor authentication or 2FA, which banks have already implemented.

2FA requires the user to have a password - something they know, and a one-time password generated at random by a device or sent to their mobile phone - something they have.

"With e-commerce extending into many consumer apps, they require strong security and such organisations should already start investing in this," he said.


1. Use unique usernames and passwords for different online accounts

If 2FA is not available, the user should make sure they do not use the same password for multiple accounts.

But while this helps to improve the security of the accounts, it may not be sufficient.

Passwords should also be hard to break - strong passwords contain a mix of letters, numbers and symbols.

2. Know what data you are revealing

Users should be aware when apps request for data that seem irrelevant for its purpose.

"For example, a gaming app usually doesn't need access to your contact list, and such a request should constitute a warning for the users," Mr Siah said.

3. Do not download suspicious apps

They should also read the terms and conditions to make sure an app is properly protected before downloading, and refrain from downloading unknown or suspicious apps.

4. Download security apps and software

These apps and software can monitor the other apps on a device. Some alert the users when another app accesses sensitive data on their phone, said Mr Siah.

The user can then choose to revoke permission immediately, and stop the suspicious app from acquiring the information.

You can try apps by trusted companies, such as AVG, Avast, Norton or Kaspersky. 

5. Enable notifications of transactions

Users should also enable and look out for notifications on email and SMS of transactions conducted by their apps.

This will help them identify unauthorised transactions that could be "done remotely by a hacker".