Why Mobile Rewards Programs Attract Fraud

In the latest Mobile Order-Ahead Tracker, PYMNTS explores the latest developments in the world of QSR rewards programs and how credential stuffing and account takeovers are plaguing the industry.

According to the Restaurant Readiness Index, 80 percent of QSR managers and customers reported positive experiences with loyalty programs. So, what are the downsides?

Rewards and loyalty programs also make attractive targets for fraud. These programs might not seem to be worth hackers’ time on the surface, but they store a great deal of personal data. They are also attractive because in many cases, customers sign up to take advantage of a one-time offer, then forget about it. It could be some time before a hacker’s presence is even detected.

Here are some examples of restaurants and retailers that have bounced back from mobile data breaches and what they are doing to ensure security.


Chipotle is on the road to recovery after suffering setbacks due to food safety concerns, falling sales – oh, and an April data breach.

One of its moves in an attempt to win back customers was the launching of Chipotle Rewards in May.

PYMNTS spoke with Curt Garner, Chipotle’s chief technology officer, about the restaurant’s new rewards program and how it safeguards against fraudsters.

The fast-casual restaurant was an early mobile adopter, launching an iPhone ordering app in 2009. But it took a decade for the chain to roll out a rewards program. “We took the position in the early days that we wouldn’t rush to put things in place that wouldn’t support a great experience for our customers,” Garner said.

Chipotle attributed the April attack to credential stuffing, in which a hacker uses a bot to automatically enter usernames and passwords stolen from other websites to try to find matches.


Coffee and donut giant Dunkin’ also fell victim to a rewards points hack last year—and then again in February. These were also credential stuffing attacks where hackers were able to use passwords they gleaned from other sites to get into the DD Perks rewards accounts.

The intent wasn’t to access users’ names, emails or other personal information – it was to get into the DD Perks accounts and profit. Cybercriminals attempted to sell accounts and loyalty credits.


Hacks aren’t exclusive to the U.S. or limited to restaurant rewards programs. In Japan, convenience store chain 7-Eleven fell victim to a data breach last month that compromised approximately 900 customers' accounts.

The attack occurred at 20,000 Japanese locations shortly after the launch of 7-Eleven’s 7pay mobile app. In a recent interview with PYMNTS, Rich Stuppy, chief customer experience officer at Kount, blamed the attack on prioritizing customer convenience over security, a flaw shared by many other mobile apps and digital services.

Security Solutions

Chipotle has been using artificial intelligence (AI) and machine learning (ML) for risk assessment with human assistance when necessary.

“When you’re looking at account takeovers, for example, it’s predominantly automated bot attacks that have an identifiable signature. As a retailer, you can say there’s no practical purpose for a customer to be trying to log onto your network using a bot. The security platforms that utilize AI and machine learning can also spot attack patterns, and very quickly block those transactions as well,” said Garner.
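The bot signature Garner describes, and the credential-stuffing pattern attributed to the Chipotle and Dunkin' incidents above, come down to one observable: a single source trying many different usernames in a short window, almost all of them failing, with the rare success being a matched leaked credential. The following detector is an added example written for this article, not code from Chipotle, ChowNow or any security vendor named here. The log format, the IP addresses, the usernames and the thresholds are all constructed assumptions; the point is that a defender can flag the source and list the accounts it did get into, so those can be forced through a password reset.

```python
"""Credential-stuffing detector over constructed login-event logs.

Added example, not from the article or any vendor it names. Flags a
source IP that, within a sliding window, attempts many *distinct*
usernames with a low success ratio: a normal customer retries one
account; a bot replaying leaked username/password pairs walks through
many. Thresholds are illustrative assumptions, not tuned values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool
    user_agent: str


def parse_line(line: str) -> LoginEvent:
    """Parse the constructed format '<iso-ts> <ip> <user> <OK|FAIL> ua=<...>'."""
    ts, ip, user, status, ua = line.split(" ", 4)
    return LoginEvent(datetime.fromisoformat(ts), ip, user,
                      status == "OK", ua[len("ua="):])


class StuffingDetector:
    def __init__(self, window: timedelta = timedelta(minutes=5),
                 min_attempts: int = 10, min_distinct_users: int = 8,
                 max_success_ratio: float = 0.2):
        self.window = window
        self.min_attempts = min_attempts
        self.min_distinct_users = min_distinct_users
        self.max_success_ratio = max_success_ratio
        # Per-source sliding window of recent events (assumes events arrive in time order).
        self.events: Dict[str, deque] = defaultdict(deque)

    def observe(self, ev: LoginEvent) -> Optional[dict]:
        q = self.events[ev.src_ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:   # drop events outside the window
            q.popleft()
        attempts = len(q)
        if attempts < self.min_attempts:
            return None
        distinct = len({e.username for e in q})
        successes = sum(1 for e in q if e.success)
        ratio = successes / attempts
        if distinct >= self.min_distinct_users and ratio <= self.max_success_ratio:
            return {
                "src_ip": ev.src_ip,
                "attempts": attempts,
                "distinct_users": distinct,
                "success_ratio": round(ratio, 3),
                "user_agents": sorted({e.user_agent for e in q}),
                # Accounts the source actually got into: candidates for forced reset.
                "compromised": sorted({e.username for e in q if e.success}),
            }
        return None


def scan(lines: List[str]) -> Dict[str, dict]:
    """Run the detector over log lines; keep the latest alert per source IP."""
    det = StuffingDetector()
    alerts: Dict[str, dict] = {}
    for line in lines:
        alert = det.observe(parse_line(line))
        if alert:
            alerts[alert["src_ip"]] = alert
    return alerts


# Constructed sample: one bot (203.0.113.7) walking 12 leaked usernames with a
# scripted client and one real customer (198.51.100.5) mistyping her own password.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 203.0.113.7 alice FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:01 203.0.113.7 bob FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:02 203.0.113.7 carol FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:05 198.51.100.5 peggy FAIL ua=Mozilla/5.0 (iPhone)",
    "2024-05-01T09:00:03 203.0.113.7 dave FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:04 203.0.113.7 erin FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:05 203.0.113.7 frank FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:06 203.0.113.7 grace FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:07 203.0.113.7 heidi FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:20 198.51.100.5 peggy FAIL ua=Mozilla/5.0 (iPhone)",
    "2024-05-01T09:00:08 203.0.113.7 ivan OK ua=python-requests/2.31",
    "2024-05-01T09:00:09 203.0.113.7 judy FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:10 203.0.113.7 mallory FAIL ua=python-requests/2.31",
    "2024-05-01T09:00:40 198.51.100.5 peggy OK ua=Mozilla/5.0 (iPhone)",
    "2024-05-01T09:00:11 203.0.113.7 oscar FAIL ua=python-requests/2.31",
]

if __name__ == "__main__":
    for ip, alert in scan(SAMPLE_LOG).items():
        print(ip, alert)
```

The legitimate customer never trips the rule because she hits one account a handful of times; the bot is flagged on its tenth attempt and, by the end of the window, the alert names the single account it matched. In a real deployment the same signal would be combined with device and IP-reputation data rather than raw counts alone, and the window would be maintained per source as events stream in.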

Chipotle has also partnered with payments providers and security firms, and even resubmits its app to those partner hackers for testing every time it is updated, to ensure that the software remains secure.

Third-party ordering provider ChowNow also leverages AI and ML to analyze each transaction conducted on its app and cross-references it with other transactions to determine its legitimacy.

Other restaurants are turning to biometrics to increase security.

Providing fast and frictionless ordering experiences that don’t compromise the safety of customer information requires tapping into modern authentication technologies and partnering with security experts for tailored solutions, according to Dan Simpson, CEO of Taziki’s Mediterranean Café.

Last year, the company launched a version of its app that included a new feature allowing customers to log in via face or fingerprint recognition. Despite some persistent wariness, the iPhone X has made biometrics more acceptable to the public.

Fast-casual pizzeria &pizza revamped its mobile order-ahead app and rewards program. Security was paramount in the eatery’s app redesign, and it utilized the same cloud-based point-of-sale system present at all of its physical locations to handle in-app transactions. Importantly, the restaurant doesn’t store any card data.

“None of the card data ever resides with &pizza,” said Kevin Blesy, head of strategy, in an interview with PYMNTS. “We do the right vetting upfront before we put something as important as payment processing in the hands of a third party.”
