In recent weeks, fraudsters have managed to hack into a number of Groupon accounts in the UK. Users have seen hundreds of pounds siphoned from their banks.
Groupon has said the problems experienced by certain customers have not been caused by a security breach on its website or mobile app, but instead claims the affected victims' accounts have been compromised by sophisticated scammers. Fraudsters reportedly accessed login and password information via third-party websites.
Since early December, Groupon customers have reported receiving purchase confirmation emails for items they had not bought and, in some cases, being left up to £700 out of pocket.
To make matters worse, many customers have claimed that they've been unable to get through to Groupon's customer services department to log their case. One user stated, “they were reviewing the matter and someone would get back to me within 10 days.”
Groupon has confirmed it will refund users if their account has been targeted by fraudsters and money has been spent without their consent. The company stated, “As with any major online retailer, we take fraud extremely seriously and have a dedicated team to investigate customer issues as soon as they are reported.”
“If someone believes they've been a victim of a gradient attack, we investigate it and if confirmed, block the account immediately and refund the customer's money back to them.”
Despite the company's statement of intent, customers who have lost out financially have been left infuriated by what appears to be poor customer service.
One Twitter user wrote to @Groupon_UK, saying, “Could someone please contact me asap directly as I have had my account hacked and fraudulent transactions have gone through.”
Another tweet said, “Someone has hacked my account, changed the details and spent £700 out of my account. Customer services is useless. Unacceptable.”
Jonathan Sander, VP of product strategy at Lieberman Software, believes the users are to blame for their own mistakes. “What we're seeing with the Groupon security complaints is the triumph of social media noise over common sense.”
“If Groupon users decided to do what every security expert on Earth, and likely every other service the user interacts with has told them again and again not to do — use the same password for many websites and services — then how can the user expect anything but these terrible results?”
In emailed commentary to SC Media UK, Ilia Kolochenko, CEO of High-Tech Bridge, said, “Large companies normally should have advanced anti-fraud systems, such as detection of unusual user activity or suspicious behaviour. Nowadays machine learning technologies can do this pretty well. This is not an easy task though, as you can erroneously block a legitimate user from making a purchase, and some companies prefer to allow criminal activities rather than investing in advanced anti-fraud systems with a low level of false positives, putting their users at great risk. If fraud prevention systems are not properly implemented, consumers may have a valid reason to sue negligent retailers and claim reimbursement for their financial losses.
“For end-users, I suggest using strong and unique passwords for every service, enabling two-factor authentication where available, and using a dedicated prepaid credit card for online shopping. These measures can significantly reduce the risk of falling victim to cyber-criminals.”
Lee Munson, security researcher at Comparitech.com, commented: “Users need to be aware of the risks of recycling login credentials – which means one breach can undermine ALL their accounts – as well as be informed specifically about this incident so they can at least change their Groupon password right away.
“As for Groupon itself, even though it hasn't been breached, it appears it could still learn a lesson or two about incident response so that its customers can retain the belief that the company has their best interests and security at heart.”
At the time of publication, Groupon had not disclosed how many customers reported being hacked.