Deep Dive: How Multifactor Authentication Can Help Counter Mobile Ordering Fraud Schemes

Mobile ordering has taken off over the past year as restaurants have been forced to shut their doors and later limit their capacities, yet the fast, widespread distribution of vaccines in the U.S. over the past several months has led many states to relax or lift their dining restrictions. Mobile ordering behaviors are here to stay, however, with online food transactions increasing by 134 percent since the beginning of the pandemic.

This growth in online ordering volume has ushered in an increase in fraudsters targeting restaurants and customers, in large part due to the influx of new users who lack knowledge of ideal security practices. Online fraud in the restaurant industry grew by 32 percent during the early months of the pandemic, and cybercriminals leveraged account takeovers (ATOs), identity fraud and myriad other techniques to scam victims out of funds, rewards points and personal data like payment card information and passwords.

Restaurants and app developers are working to develop security measures to keep their platforms and customers safe, and some methods like multifactor authentication (MFA) have shown immense promise. The following Deep Dive explores the varied tactics that fraudsters deploy against the restaurant industry and details how MFA can drastically reduce the effectiveness of these criminal techniques.

Fraud Threats Facing The Mobile Order-Ahead Space

A plethora of threats face the quick-service restaurant (QSR) and mobile ordering app fields, but one of the most prevalent is identity fraud, which cost consumers $56 billion in 2020. Delivery services accounted for 18 percent of all identity fraud incidents last year, with fraudsters stealing customers’ identities through tactics like phishing and either using the stolen identity information to make purchases or selling the data to other fraudsters on dark web marketplaces. Identity theft can also be staged even if fraudsters do not gain access to customers’ identities through mobile order-ahead apps: 65 percent of consumers recycle passwords between multiple online accounts, so a data breach at any one of them could potentially compromise all of a consumer’s accounts.

A related threat that is potentially even more dangerous than identity theft is the ATO, which occurs when bad actors assume control over a customer account. Bad actors could use stored payment information to make fraudulent purchases, drain accounts of reward points or even steal personal data like usernames, passwords and email addresses and sell these on dark web marketplaces. ATO attempts increased 282 percent last year, with each successful attack costing consumers up to $290 and 15 hours to resolve, to say nothing of the lost trust between QSRs and their customers.

QSRs and app developers are exploring a number of different countermeasures to the pervasive fraud threat, but few have proven to be as effective as MFA.

How Multifactor Authentication Keeps Consumers Safe

MFA works by requiring more than one identifying detail when logging in or conducting a transaction, following the operating logic that it is much more likely for a fraudster to steal a single credential than the multiple credentials needed to access an account. The common adage for MFA is “something you know, something you have and something you are,” and the typical MFA system requires two of the following: a password, a code sent to a customer’s smartphone or a biometric trait like a fingerprint. These authentication methods can stop potential bad actors cold, as the passwords they steal from data breaches are then useless on their own. Studies have found that using MFA can prevent more than 99.9 percent of attacks that rely on stolen credentials.

QSRs and app developers should be aware of the potential drawbacks of implementing MFA, however. The reason customers recycle passwords in the first place is to reduce the effort needed to log in, and the extra step MFA requires could add a layer of friction some consumers may not have the patience for. Many customers could potentially decline this extra step if it is an option or opt to order from a different restaurant or app. Customers have also expressed data privacy concerns with giving large companies their personal cell phone numbers or tying their data to their smartphone, as losing their device could mean that they lose the ability to verify their identities entirely.

The efficacy rate of MFA speaks for itself, however, and the savings when it comes to preventing fraudulent purchases could more than make up for any customer hesitancy in adopting this system. The growing proliferation of MFA in personal and corporate environments is bringing more and more customers into the fold every day, and QSRs would do well to hop on board.