How Chipotle Is Keeping Rewards Out Of The Hands Of Hackers

Mobile order-ahead apps are becoming more and more popular among quick-service restaurants (QSRs), and many eateries are turning to loyalty and rewards programs to encourage customers to make return visits. They’ve been well-received by both QSRs and customers, with PYMNTS’ Restaurant Readiness Index finding that nearly 80 percent of both groups report having positive experiences with loyalty programs.

As with many aspects of the mobile ordering scene, however, fraud continues to creep into the picture. Chipotle and Dunkin’ both reported rewards program breaches in recent months, with cybercriminals using stored payment information to make hundreds of dollars’ worth of fraudulent purchases.

In the August Mobile Order-Ahead Tracker, PYMNTS explores the latest developments in the world of QSR rewards programs, including program debuts from Chipotle and Costa Coffee, revamped ordering solutions from Jersey Mike’s and Shake Shack and how credential stuffing and account takeovers are plaguing the industry.

Developments From Around the Mobile Order-Ahead World

Coffee giant Starbucks is one player reaping rewards from mobile ordering, with its Starbucks Rewards loyalty program reaching 17.2 million active users in July. Starbucks Rewards members account for approximately 42 percent of the chain’s daily transactions, and its delivery program, Starbucks Delivers, has expanded to more than 2,700 stores in 11 markets, thanks to a partnership with Uber Eats.

Starbucks competitor Dunkin’ is also expanding its mobile ordering capabilities. The company recently partnered with Grubhub and Seamless to offer Dunkin’ Delivers delivery options in New York City, with plans for more major markets to be added by the end of the year. Dunkin’ is also looking to add new features to its mobile ordering app over the next several months, including a guest checkout option.

It’s not all good news in the mobile order-ahead industry, however. 7-Eleven Japan recently fell victim to a data breach that compromised approximately 900 customer accounts. The fraudsters were able to use weak security questions to have password change requests sent to their emails — many customers did not change their birthdates from the app’s default setting, granting hackers access to their accounts. The hackers made more than ¥55 million ($500,000 USD) worth of fraudulent purchases before 7-Eleven suspended the app’s mobile payment functionality.

For more on these and other mobile order-ahead news items, download this month’s Tracker.

How Chipotle Rewards Customers, Not Hackers

Fast casual Mexican grill Chipotle was one of the first players on the online ordering scene, launching its mobile app in 2009 and recently expanding its digital offerings to include a loyalty program. The company has seen its share of struggles, including a credential-stuffing attack that resulted in hundreds of dollars stolen from customers. For this month’s Feature Story, PYMNTS spoke with Curt Garner, Chipotle’s chief technology officer, about the QSR’s fledgling rewards program and how it safeguards against fraudsters.

Find the rest of our feature story in the Tracker.

Deep Dive: How QSRs Protect Their Loyalty Programs

The mobile ordering scene is becoming more competitive, and rewards programs are being popularized among QSRs as a means of attracting repeat customers. While consumers are getting their fill of free food from such programs, fraudsters are getting their fill of users’ private data. This month’s Deep Dive explores how these seemingly innocuous programs are prime targets for bad actors, and how QSRs are hardening their defenses against them.

About the Tracker

The Mobile Order-Ahead Tracker™, done in collaboration with Kount, serves as a monthly framework for the space, providing coverage of the most recent news and trends, along with a provider directory highlighting the key players across the segments that comprise the mobile order-ahead ecosystem.