Deep Dive: How QSRs Can Prevent ATOs With MFA, AI

There is a multitude of fraud concerns that keep quick-service restaurant (QSR) owners up at night, but account takeovers (ATOs) are one of the most concerning. Such identity theft sees bad actors assuming control over customer accounts for a variety of purposes, including stealing their payment information to make fraudulent purchases, draining their accounts of reward points or even stealing their personal data and selling it on dark web marketplaces.

The increasing popularity of mobile order-ahead services has made consumers more aware of and concerned about ATOs than ever before, with 41 percent of QSR patrons worried about being victimized. This fear is not unfounded, but app developers and QSRs are deploying a range of techniques to keep consumers safe.

How ATOs Work

Fraudsters leverage a variety of techniques to stage ATOs, most of which involve obtaining legitimate users’ login details through many different channels, such as phishing emails or malware. Some cybercriminals may even purchase logins in bulk from dark web marketplaces. Consumers commonly use the same usernames and passwords for multiple accounts, so a data breach at an unrelated organization could still leave QSR apps vulnerable to ATOs.

Fraudsters can do significant damage to businesses and customers once they gain account access and seize rewards points or hijack stored payment information. U.S. businesses lost $5.1 billion to ATOs in 2017 and are expected to lose $25.6 billion this year. The average ATO costs victims $290 and takes 15 hours to resolve.

Some ATO-related customer losses can skyrocket, however. One such incident took place last year, when a Toronto-based technology reporter attempted to purchase a cup of coffee on his McDonald’s app. The transaction failed, and it was revealed that a bad actor had infiltrated the account and used it to spend more than $2,034 CAD ($1,432 USD) at a McDonald’s in Montreal.

Additional consumers throughout Canada were also struck by the fraudster, who the media soon dubbed the “Quebec Hamburglar.” A woman in Halifax, Nova Scotia was defrauded almost $500 CAD ($352 USD), for example.

These fraudulent purchases usually happened in waves at several different Montreal-based McDonald’s locations at once, leading authorities to believe that the Hamburglar was actually a team of several fraudsters, or one bad actor sharing payment details with others — all of whom tended to upgrade their side orders of fries to poutine. The Hamburglar was still victimizing McDonald’s customers as recently as November 2019, and has yet to be caught.

This incident shows the sheer amount of personal damage an ATO can incur if it is not promptly prevented or detected. There are many tools that QSRs and app developers can deploy to do so.

Keeping Accounts Secure

One of the most effective tools against ATOs is passwordless authentication, which kneecaps fraudsters’ abilities to access customer accounts with passwords obtained from online marketplaces or through phishing. Many QSR apps integrate passwordless login options on customers’ smartphones, such as Apple’s Touch ID or Face ID, although making these opt-out options rather than opt-in would likely increase their ubiquity. Passwordless authentication is also more convenient for customers, who can forgo the chore of entering passwords and periodically resetting them.

Another option for preventing ATOs is multifactor authentication (MFA), which requires customers to provide additional information along with their passwords. The most common implementation is a code sent via text message. This significantly hinders ATO attempts, as fraudsters would need to somehow intercept this code or have physical access to victims’ phones to successfully infiltrate their accounts.
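The server side of the text-message code described above, as an added example that is not part of the original article and not any QSR app’s or vendor’s code: the code is random, stored only as a keyed hash, expires after a short window, is single-use, and is locked out after a handful of wrong guesses, so an attacker who cannot intercept the message is limited to a few blind guesses out of a million. The `OtpService` class, the secret, the time-to-live and the attempt limit are all assumptions chosen for the example; the SMS transport itself is out of scope.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifetime of a code (five minutes)
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before lockout


@dataclass
class PendingChallenge:
    code_hash: bytes     # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OtpService:
    """Hypothetical server-side state for SMS one-time codes.

    issue() returns the code for the SMS sender; verify() checks a guess.
    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._pending: dict[str, PendingChallenge] = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        # Keyed hash so a leaked table of pending challenges is useless
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # Cryptographically random six-digit code (zero-padded)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingChallenge(
            code_hash=self._hash(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code  # handed to the SMS transport, not persisted in clear

    def verify(self, user_id: str, code: str) -> bool:
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at:
            del self._pending[user_id]   # expired: user must request a new code
            return False
        challenge.attempts += 1
        # Constant-time comparison of the keyed hashes
        ok = hmac.compare_digest(challenge.code_hash, self._hash(user_id, code))
        if ok or challenge.attempts >= MAX_ATTEMPTS:
            # Single use on success; locked out after too many wrong guesses
            del self._pending[user_id]
        return ok


if __name__ == "__main__":
    svc = OtpService(secret=b"example-server-secret")
    code = svc.issue("customer-123")
    print("verify wrong guess:", svc.verify("customer-123", "000000" if code != "000000" else "111111"))
    print("verify right code:", svc.verify("customer-123", code))
    print("verify reuse:", svc.verify("customer-123", code))
```

Because the hash is keyed with a server secret and compared in constant time, neither a database dump nor response timing reveals the pending code; the attempt counter and expiry together bound the number of guesses an attacker gets per code.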

Some prevention methods work behind the scenes rather than blocking attempts at the point of entry. Artificial intelligence (AI) and machine learning (ML) systems are among the most effective, as they use pattern recognition to detect unusual activity. Kount’s new AI-powered ATO prevention system, for example, analyzes more than a trillion data points to detect and flag suspicious logins and transactions, which are then blocked or sent to human analysts for further inspection.
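Two of the patterns such a behind-the-scenes system looks for follow directly from how ATOs work as described earlier: credentials bought in bulk or reused across sites get tried against many accounts from one source, and the one that succeeds does so from a device the account has never used. The rules below are an added illustration, not Kount’s system or any QSR’s detection logic; the event format, the thresholds and the sample login log are all constructed for the example, and a production system would feed signals like these into a scoring model rather than apply them as hard rules.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    user: str
    ip: str
    device: str      # app-installation identifier
    success: bool


# Constructed sample log: one address cycling through accounts, one
# customer mistyping their own password on their usual device.
SAMPLE_EVENTS = [
    LoginEvent(100, "ann", "203.0.113.9", "dev-x", False),
    LoginEvent(101, "bob", "203.0.113.9", "dev-x", False),
    LoginEvent(102, "cat", "203.0.113.9", "dev-x", False),
    LoginEvent(103, "dan", "203.0.113.9", "dev-x", False),
    LoginEvent(104, "eve", "203.0.113.9", "dev-x", False),
    LoginEvent(105, "eve", "203.0.113.9", "dev-x", False),
    LoginEvent(106, "eve", "203.0.113.9", "dev-x", False),
    LoginEvent(107, "eve", "203.0.113.9", "dev-x", True),     # reused password worked
    LoginEvent(200, "dan", "198.51.100.7", "dev-dan", False),  # typos on own phone
    LoginEvent(205, "dan", "198.51.100.7", "dev-dan", False),
    LoginEvent(210, "dan", "198.51.100.7", "dev-dan", False),
    LoginEvent(215, "dan", "198.51.100.7", "dev-dan", True),
]

# Devices each account has previously logged in from (constructed)
KNOWN_DEVICES = {"dan": {"dev-dan"}, "eve": {"dev-eve"}}


def detect_credential_stuffing(events, window_seconds=300, min_distinct_users=5):
    """Flag source IPs whose failed logins span many distinct accounts
    within a sliding time window. Returns {ip: max distinct users seen}."""
    failures_by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            failures_by_ip[e.ip].append(e)

    flagged = {}
    for ip, fails in failures_by_ip.items():
        start, best = 0, 0
        for end, ev in enumerate(fails):
            # Advance the window start so it covers at most window_seconds
            while ev.ts - fails[start].ts > window_seconds:
                start += 1
            distinct = len({f.user for f in fails[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_users:
            flagged[ip] = best
    return flagged


def detect_new_device_after_failures(events, known_devices, min_failures=3):
    """Flag a successful login from a device the account has never used
    when it directly follows a run of failed attempts for that account.
    Returns a list of (user, ip, device) alerts in time order."""
    run_of_failures = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            run_of_failures[e.user] += 1
            continue
        unseen = e.device not in known_devices.get(e.user, set())
        if unseen and run_of_failures[e.user] >= min_failures:
            alerts.append((e.user, e.ip, e.device))
        run_of_failures[e.user] = 0   # a success ends the run either way
    return alerts


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(SAMPLE_EVENTS))
    print("takeover alerts:", detect_new_device_after_failures(SAMPLE_EVENTS, KNOWN_DEVICES))
```

On the sample log the first rule flags 203.0.113.9 (five distinct accounts failing within the window) and the second flags only eve’s login, because dan’s eventual success came from his known device; the per-account rule is what catches the single stuffing attempt that succeeds.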

Such tools are only half the equation, however. Mobile order-ahead app users should also take steps to protect themselves by embracing cybersecurity best practices. Limiting the number of passwords shared between multiple sites can prevent fraudsters from hacking into accounts with stolen information, and not clicking on unsolicited links reduces consumers’ likelihood of falling victim to phishing and malware.

ATOs will likely never disappear, but between fraud-fighting technology and customer awareness, their footprint can be contained.