As is the case for all connected technologies, mobile order-ahead apps are constantly at risk of cyberattacks that target credit card information and other highly desirable data. Additionally, many restaurants that are new to the mobile ordering industry are not well-versed in security best practices. In the following Deep Dive, find out why fraudsters are targeting mobile order-ahead apps and how they’re getting the data they crave.
Consumers trust that mobile order-ahead apps will keep their sensitive information safe, but as more apps are created, the abundance of rewards points and personal information they hold has become a tempting target for fraudsters.
According to a recent study, while fraud in general only increased 13 percent over the past year, fraud in the food and beverage industry increased by a staggering 60 percent. In addition, approximately 75 percent of merchants in this sector reported experiencing fraud attempts in 2017.
There are two main reasons this industry saw such a disproportionate increase in fraud attempts. The first is that restaurants and bars store a vast quantity of valuable data, such as credit card information. The second is that restaurants are relatively new to the digital space and have less experience with security best practices, making them an easy target.
How Order-Ahead Apps Are Exploited
Mobile apps have long been targets for “card and wallet tests,” where bad actors place an order to test the validity of stolen card numbers. Once the data is confirmed to be accurate, it’s either sold to other cybercriminals or used for more extravagant purchases.
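One way to spot the card-testing pattern described above in an app's order log, as an added example that is not part of the original article. The record fields, the 10-minute window and the three-card threshold are assumptions, and the order records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against real order traffic.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CARDS = 3

# Constructed order attempts: (timestamp, device_id, card_token, amount, approved).
# Card tokens stand in for card numbers, which should never reach a log.
SAMPLE_ORDERS = [
    ("2024-01-05T09:00:00", "dev-C", "tok_20", 18.40, True),   # shared tablet,
    ("2024-01-05T11:00:00", "dev-C", "tok_21", 22.10, True),   # four cards spread
    ("2024-01-05T13:00:00", "dev-C", "tok_22", 9.75, True),    # over six hours
    ("2024-01-05T15:00:00", "dev-C", "tok_23", 31.00, True),
    ("2024-01-05T12:00:00", "dev-A", "tok_1", 2.50, False),    # burst of small
    ("2024-01-05T12:01:00", "dev-A", "tok_2", 2.50, False),    # orders, each on
    ("2024-01-05T12:02:00", "dev-A", "tok_3", 2.50, True),     # a different card
    ("2024-01-05T12:03:00", "dev-A", "tok_4", 2.50, False),
    ("2024-01-05T12:04:00", "dev-A", "tok_5", 2.50, False),
    ("2024-01-05T12:00:30", "dev-B", "tok_9", 14.20, True),    # repeat customer,
    ("2024-01-05T18:30:00", "dev-B", "tok_9", 27.80, True),    # one card
]


def find_card_testing(orders, window=WINDOW, max_cards=MAX_DISTINCT_CARDS):
    """Flag devices that try more than max_cards distinct cards inside window.

    Returns {device_id: {"at": timestamp, "cards": n, "declined": n}} describing
    the sliding window at the moment the threshold was first crossed.
    """
    recent = defaultdict(deque)  # device_id -> attempts still inside the window
    flagged = {}
    for ts_str, device, card, _amount, approved in sorted(orders):
        ts = datetime.fromisoformat(ts_str)
        attempts = recent[device]
        attempts.append((ts, card, approved))
        # Drop attempts that have aged out of the sliding window.
        while ts - attempts[0][0] > window:
            attempts.popleft()
        cards = {c for _, c, _ in attempts}
        if len(cards) > max_cards and device not in flagged:
            declined = sum(1 for _, _, ok in attempts if not ok)
            flagged[device] = {"at": ts_str, "cards": len(cards), "declined": declined}
    return flagged


if __name__ == "__main__":
    for device, hit in find_card_testing(SAMPLE_ORDERS).items():
        print(device, hit)
```

The decline count is reported alongside the flag because a high share of declined attempts separates card testing from a group order paid with several valid cards.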
Another common fraud method is known as “click and collect.” Criminals use multiple devices and stolen credit cards to place orders at several different restaurants in close proximity to each other, then quickly pick up all the orders before the businesses realize they’ve been swindled.
A less nefarious type of fraud is “friendly fraud,” which is perpetrated by customers looking to exploit the system, rather than outside actors. They might request chargebacks from apps or banks, claiming that orders never arrived when, in fact, they did. Other times, children may accidentally place an order on a parent’s device, resulting in the surprised parent demanding a refund for the unintentional order. Restaurants typically give customers the benefit of the doubt, but that doesn’t make the fraud any less painful: Friendly fraud costs the restaurant industry up to $40 billion every year.
Account Takeovers on Mobile Order-Ahead Apps
The aforementioned types of fraud are usually detected and countered shortly after they occur, but account takeovers (ATOs) can be far more nefarious. When hackers gain access to a customer’s account, they can deplete the customer’s accrued rewards and steal their payment information. On top of that, they may be able to access the customer’s accounts on different platforms. Remembering multiple usernames and passwords can be difficult, which means consumers often end up using the same information for multiple accounts. Fraudsters can use a credential stuffing attack, in which the compromised username and password are tried against other services, to determine whether they can access other accounts to steal more personal information.
According to recent industry studies, attempted ATOs in 2017 increased by more than 31 percent year over year, and in Q3 of that same year, ATOs saw an increase of 51 percent. Industry experts attributed these increases to large data breaches, such as the Equifax attack, which affected more than 143 million consumers. Fraudsters were able to purchase those identities on the darknet for as little as $1 apiece.
As the mobile order-ahead market continues to expand, operators must remain vigilant and increase their security measures to protect themselves and their customers. If they don’t, they stand to lose billions – not just from fraudsters, but also from customers who may take their business elsewhere.