Stand and Deliveroo – Dick Turpin is back and he's making off with your dinner money

Dick Turpin is roaming the (information super) highway and stealing dinner from folk that have used poorly secured Deliveroo accounts

Dick Turpin is roaming the (information super) highway and stealing dinner from folk that have used poorly secured Deliveroo accounts

It’s probably been a while since you attended school, and the days of having your dinner money wrenched out of your hand by the school bully are now a fond and distant memory. But all that’s about to change, because losing your dinner money is back! And you don’t even have to go to school anymore. Now, there’s a new, more hip way for everyone to get mugged – cybercrime!

The BBC has recently reported that folk in the UK have been receiving bills from food delivery service Deliveroo for takeaways they didn’t order. And the reason for their unexpected expense? Their poor choice of passwords. The problem was that they had reused an old password to secure their Deliveroo account. Hardly a crime, right? Everyone does it, right?

Here’s the thing. Hackers have been stealing our passwords for years. And right now, 2.8 billion of those passwords are sitting in an online search engine. You, me or anyone else can find and buy any number of those passwords for next to nothing – cheap as chips.

Now, the existence of this search engine in and of itself is not an issue for everyone. It’s only an issue for those of us that reuse our passwords and don’t get around to changing them all that often. Unfortunately, that’s quite a big slice of the internet population. Studies show that most of us only use between three and five passwords in total. And not surprisingly, we’ve got more than five accounts to secure. So we’re reusing passwords in quite a few places.

To find out why this is an issue, let’s walk through a hypothetical example..

It’s 2006 and I’m dizzy with the possibilities of the new social media. I’ve just signed up for a MySpace account using my old buddy of a password ‘123qweasd’. The gloss quickly wears off, and it won’t be too many years before I’ve forgotten that I ever had a MySpace account, let alone what password I used.

Fast forward ten years to 2016, and a hacker by the name of ‘Peace’ has just put all 360 million MySpace passwords up for sale on the dark web. The hoard includes my trusty old favourite ‘123qweasd’ which rapidly finds its way into the password search engine along with yours and billions of others.

And spin forward to today. MySpace is now a footnote in internet history and right now I’m signing up for the latest big thing. Giddy with the prospect of never having to leave the house again for takeaway, I’m signing up for a Deliveroo account. As with most things that I sign up for, I’m keen to speed through the registration process and get to the meat and drink of it all, so I use my oldie-but-goodie password ‘123qweasd’ to secure my account.

And the instant that I hit the button to confirm my details, I have become silently vulnerable to having my dinner money stolen. Right now, my password ‘123qweasd’ is in the password search engine courtesy of ‘Peace’ and the MySpace hack. At this point, anyone can find it, buy it and use it to try and log into any of my accounts. They will have to make a few assumptions:

1) I’ve been using the same password for years and used it at least once to sign up for MySpace, Adobe, Sony, Linkedin, Dropbox, Ebay or hundreds of other websites that have ‘lost’ your and my identity records

2) I’m not too keen on eating out and have signed up for Deliveroo with a password that’s already in the password search engine

But if these assumptions are correct, then getting a free dinner out of me is pretty straight-forward. And I won’t know about my new vulnerability until I'm presented with the bill.

So what are the takeaways?

The thing to know is that reusing passwords is risky. It is risky because you’re unlikely to know when you become vulnerable. Businesses are getting hacked all the time. Only this month, AdultFriendFinder ‘misplaced’ 400 million accounts (and yes, they're in the search engine). If you reuse passwords, it’s really only a matter of time before a really important account that you use (e.g. payments, banking, tax, email, social media) quietly falls vulnerable. The only way to proactively protect yourself against this risk is to use a different password on each account of value. So, on the assumption that you are at least somewhat interested in taking action, here is the four step guide to hanging onto your dinner money, and much more besides:

Step 1. Get the Password Coach password assistant. It’s a book, not software, so there’s nothing to learn or install. Password Coach is entirely non-technical and has been designed to help protect those of us who reuse passwords because we can’t remember more than a few.

Step 2. Use the Coach to generate a bunch of new, secure passwords that are guaranteed NOT to be in any password search engine, and so safe.

Step 3. Cycle through all of the sites that you subscribe to that carry with them some element of financial or reputational risk and change the password on each of those sites (boring but essential).

Step 4. Print the Coach and stash it in a drawer. Or keep it on your Desktop and share it with your other devices using Dropbox. Your call. There are no passwords stored by the Coach, so it’s OK if someone else sees it.

I know this is a pain, and there are always going to be more fun things to do (like cleaning the toilet or having your hip replaced), but it’s a lot less painful than learning tricky software or dealing with the fallout from identity theft. The folk who lost a dinner because of a vulnerability they didn’t know they had actually got off pretty lightly. Yes, they are $150 down for a meal that they didn’t order, but it could have been so much worse. Now that anyone can easily find your old passwords, continuing to use them could cost you a lot more than your dinner money.

References

Password Coach

The password search engine

The Deliveroo story

The World's biggest password hacks