The Benefits And Shortcomings Of Multifactor Authentication For QSR Fraud

Multifactor authentication (MFA) can stop more than 99 percent of cyberattacks directed at quick-service restaurants (QSRs) — so long as customers are ready to make their mobile phones a part of the process. In the Mobile Order-Ahead Tracker, Michael Chachula, director of Digital at The Coffee Bean & Tea Leaf, explains how restaurants can harness MFA to make their mobile ordering operations seamless and fraud-free.

One of the many unfortunate side effects of the ongoing pandemic on the quick-service restaurant (QSR) industry is the multitude of ways that fraudsters are exploiting the crisis.

Millions of new consumers flocked to online ordering systems over the course of the past year as they sought convenience and safe ways to make purchases, yet bad actors eagerly took advantage of their unfamiliarity with online security best practices. Account takeover (ATO) losses rose by 72 percent from 2019 to 2020, for example, and other fraud types ran rampant as well.

Restaurant operators and mobile app developers worked quickly to deploy new security methods and augment their existing ones. One of the most common security methods deployed was multifactor authentication (MFA), which involves customers entering more than one authentication detail like a password, biometric scan or code sent to their mobile phone. This type of authentication has the potential to lock out the vast majority of fraudsters. QSRs should also be aware of the tool’s potential shortcomings.

“Multifactor authentication can be effective, but the recovery process can be very interesting,” said Michael Chachula, director of Digital at coffeehouse chain The Coffee Bean & Tea Leaf. “If somebody loses their information or their device, they almost have to hack themselves to get their information back.”

Chachula spoke to PYMNTS about the profile of fraud threats affecting QSRs in the present and coming years as well as the pros and cons of the MFA systems intended to fight them.

Fraud Threats Facing QSRs

One of the most common targets for fraudsters are the stored rewards points that many QSR customers accrue over time to exchange for free items or other benefits. Fraudsters typically attempt to obtain these points by staging complete ATOs, often armed with malware that can steal customers’ login credentials and allow the bad actors access.

“Someone usually gets a password or clones a device, using either an algorithm or some type of fraud program, malware or things of that nature,” Chachula said. “People click [unsolicited] links that contain malware, and that malware actually takes over your apps and starts to directly attack account loyalty programs.”

Fraudsters could potentially refine these techniques for money laundering, according to Chachula, leveraging users’ QSR accounts to process ill-gotten funds into clean currency. These bad actors could even deploy machine learning (ML) to break into thousands of accounts at once, overwhelming QSR defenses.

“I think there’s going to be an organized crime component of running account takeovers and using private information to hijack accounts for money laundering,” he explained. “Folks could use loyalty platforms to purchase something and then do a refund for cash and even use a machine learning platform that builds algorithms to try to break through firewalls and tokenization.”

MFA could be a simple yet critical step that can slow these attempts, by making them harder and less profitable for the fraudsters. QSRs that are exploring this option should be aware of its potential drawbacks, however, including what happens if customers misplace their devices.

The Pros And Cons Of Multifactor Authentication

MFA has a widespread success rate against multiple forms of attacks, with Google estimating that it can prevent more than 96 percent of bulk phishing attempts and more than 76 percent of targeted fraud attempts. It can also effectively block most attacks that leverage bots, as there is currently no known bot that can intercept application-generated authentication codes on their way to users’ smartphones.

The shortcomings with MFA come from user error, according to Chachula. Someone losing access to their phone, whether by misplacing it or being in an area with poor reception, is effectively locked out of their account entirely.

“Think about what happens if someone’s trying to order and the phone dies,” he said. “How do you authenticate if their phone’s not handy or if they lose signal or something of that nature? We need to impress upon folks that this is part of the checkout process, and you need your phone to be able to complete it as easy and frictionless as possible.”

Bots might not be able to intercept text messages now, but that current reality does not preclude the possibility of a bad actor deploying this type of technology at some point in the future. Security best practices that were effective in the past, like passwords, are quickly falling by the wayside, and there is no guarantee MFA will be effective forever.

“As payment [technologies] move forward, various people are doing nefarious things, and regardless of if you have 10-factor authentication, at some point they’re going to find some sort of machine learning method to circumvent it,” Chachula warned.

MFA is for now a remarkably effective and easy-to-implement tool that punches far above its weight when it comes to QSR security. That is no excuse for restaurants and app providers to stop innovating, however, as the technologies that defeat or abuse this method could potentially be just around the corner.