Mobile order-ahead apps are growing more popular by the day, and restaurants are clamoring to get on board. A QSR Magazine study found that 73 percent of diners have used mobile ordering, 63 percent have at least one mobile ordering app on their phones and 35 percent use mobile ordering every time they visit QSRs.
Consumers are eager to utilize these services, but cybercriminals are just as ready to exploit them. Overall digital fraud increased by 13 percent in the past year, with the food and beverage industry seeing an increase of 60 percent – nearly four times above average. It’s open season for hacks on mobile order-ahead apps as data breaches continue to make headlines regularly and cybercriminals purchase stolen identities on darknet marketplaces.
Account Takeovers Plague the QSR Industry
Cybercriminals can obtain stolen identities for as little as $4, meaning it’s easier than ever for them to launch account takeover (ATO) attacks. They can use individuals’ credentials to gain access to accounts and then obtain stored payment information, allowing them to make purchases or drain accounts of accrued rewards points.
Such attacks have plagued McDonald’s customers in Canada over the past few months, racking up thousands of dollars in fraudulent charges. One consumer in Nova Scotia reported more than $480 CAD in illicit orders over four days, while a victim in Toronto faced more than $2,000 CAD worth of charges in McFlurries, Big Macs, Chicken McNuggets and poutine. The transactions occurred in rapid succession at multiple locations, suggesting that the hacker distributed stolen data to other criminals.
Chipotle’s customers reported a similar string of attacks in April, with victims swindled out of up to $500 USD each. One victim did not even have a Chipotle account, but had used the QSR’s guest checkout option. Chipotle denied any breach of its databases or systems. This is not the first time the chain has experienced fraud issues – it suffered a data breach at 2,250 of its restaurants in 2017, and the ensuing investigation found that hackers searched for data on the magnetic strips of customers’ credit cards.
The McDonald’s and Chipotle hacks are currently unsolved, underscoring the difficulty of catching and prosecuting cybercriminals.
The Ineffectiveness of Card Verification in the Digital Age
Mobile order-ahead fraud is so widespread and difficult to stop because it is conducted remotely. Credit card theft has existed for as long as credit cards have, but physical verification methods such as signatures, state-issued IDs or PIN codes made it difficult to use stolen cards. The advent of the digital age has allowed hackers to commit card-not-present (CNP) fraud, which occurs when fraudsters use stolen information to make online purchases that do not require identity verification. Cybercriminals do not even need physical cards to commit CNP fraud – the card’s number, expiration date, security code and personal billing information are enough, and all of that information is widely and cheaply available on darknet marketplaces. Such details can also be acquired via phishing schemes.
CNP schemes hurt businesses as much as they hurt consumers. Banks and credit card providers are likely to refund cardholders when their money is stolen, but businesses have no such safety net. Chargebacks911 states that merchants absorb fees of up to $100 per transaction when customers request chargebacks. If a merchant’s chargeback rate exceeds a certain amount, the business can face fines of up to $10,000.
QSRs do not typically offer high-value items, but electronic gift cards are popular targets for CNP fraud. Gift cards rouse little suspicion from law enforcement and are easily converted into cash. Cybercriminals use stolen credit cards to buy thousands of dollars in gift cards, which they then sell at discounts online, leaving the franchisor responsible for the subsequent chargebacks.
Scamming, the Old-fashioned Way
CNP attacks can be countered via advanced security methods, such as biometric authentication or tokenization, but not every type of fraud revolves around hacking, phishing or data theft. Old-fashioned confidence schemes still run rampant, whether they take place in person or over social media.
Confidence schemes usually involve fraudsters asking a victim to deposit $50 into the fraudsters’ bank accounts with the promise of providing $100 in restaurant credit. The criminals inevitably abscond with the cash and do not follow through on their offer, resulting in damage to the restaurant’s name.
It is incumbent on restaurants and consumers to protect themselves against fraud by taking advantage of best practices like complex passwords or two-factor authentication (2FA). Sometimes even that is not enough to defend against smooth-talking criminals, however. Consumers and businesses alike must understand the threat and be on their guard – otherwise, they could be robbed blind.