How Restaurants Can Respond to the Rise in App Fraud

In April, a Canadian reporter brought attention to a recent rash of app hacking that was costing McDonald’s customers thousands in fraudulent purchases.

It’s not an isolated incident. McDonalds along with Domino’s Pizza, Chipotle and other restaurants over the years have had issues with fraudulent online or mobile orders. While these problems most often arise from poor user security hygiene, the overall security of restaurants’ apps could also be improved.

These hacks illuminate a few issues with user and app security, and they’re teaching moments for restaurants who offer mobile apps or online customer profiles for simpler ordering and payment.

These hacks illuminate a few issues with user and app security, and they’re teaching moments for restaurants who offer mobile apps or online customer profiles for simpler ordering and payment.

Understanding how criminals crack user accounts and why security technologies let them through can help restaurants and their software providers make apps more resilient against fraud.

The Password Problem

There’s no doubt that bad passwords are a huge problem, and yes, customers need to be diligent about changing their password if they suspect or can confirm that their data’s been stolen in a breach.

Unfortunately, we know that most are not diligent about keeping passwords secure and up to date, whether due to apathy or management overload.

Surveys over the years estimate that the average internet user has somewhere between 20 and 200 passwords; keeping track of all those passwords, where they might overlap and when they’ve been breached would be challenging even for experts. That’s precisely why “credential stuffing” attacks are so successful.

Here’s how credential stuffing attacks exploit users’ bad password hygiene: Hackers use automated tools to run specially-configured attack programs, which are built (mostly by more sophisticated hackers) to get around specific security measures that hackers discover are built into apps. These programs then plug proxy IPs, stolen emails and passwords into dozens of sites or app logins at once. From there, they’ll either compile a record of successful logins for sale to low-level fraudsters, or they’ll abuse the account themselves. In both cases, the end result is typically offers for discounted orders, like “$5 for $25 of pizza.”

How Hackers Take Control

Most hacks originate with stolen access credentials, but it is a combination of bad password hygiene on the users’ part and inadequate security mechanisms behind an app that allow criminals to crack accounts with a relatively high success rate.

Most fraud detection software checks a variety of fraud indicators including but not limited to unique passwords, unique usernames associated with a device, the device type and its status, and more.

Fraud detection software will also check that the login request is coming from a recognizable IP address – a US address for US orders, a New York IP for New York orders, and so on – and that the device logging in is already associated with that IP address. Finally, measurement of click speed should help detect bot activity.

Those measures are table stakes for anyone offering an online or mobile ordering app, but most restaurant apps don’t take threat detection any further. Hackers building the “config” files mentioned before learn the indicators each app uses to detect fraud, and the tools they sell to account attackers are designed to use proxy IP addresses from the correct country and city, user agents to mimic device types, and use human like request speeds to avoid detection.

Once hackers get past the basic protective measures that should be built into any app, what does an account takeover look like?

First, they’ll change personal information like passwords, email addresses and account phone numbers. This is done gradually so as not to trigger anti-fraud tools – wholesale changes of personal information look suspicious while gradual changes just look like a user practicing good hygiene.

With that information changed, the account – and the (tokenized) credit card information on file – “belongs” to the attacker until their victim notices fraudulent activity and flags it to the affected restaurant or their bank.

If that sounds relatively simple, then you understand why account takeover is such an insidious crime, and why it’s been on the rise as criminal tools (crimeware) and strategies improve. 

Building Safeguards Against ATO

Most restaurants probably work with independent software vendors to develop, deploy and manage apps. Armed with an understanding of the ways hackers trick apps into thinking their activity is legitimate, restaurants and their software vendors can work together to put in place opt-in controls or activity alerts that can help stop or identify account takeover attempts.

One of the simplest and most effective additional security measures is 2-factor authentication, where SMS, email or push notifications are used as a secondary confirmation of user identity. To get around 2FA, hackers would need to first take over a user’s email account or their mobile number (called SIM hijacking), then crack their food app. The extra effort this takes, especially to hijack a mobile account, is not worth the time when easier targets are abundant. On top of stopping attackers, failed or incomplete 2FA attempts can also act as a signal that someone is pointing credential stuffing tools at your domain or app.

Since we know that attackers attempt to change personal information once they’ve accessed an account, it may be possible to create alerts for certain types of request traffic that indicates an account takeover in progress. Restaurants will need to work with their software providers to implement newer tools that score the risk associated with certain traffic to the app: Is the request coming through a TOR browser (put very simply, a dark web browser)?

That’s risky traffic – better force another authentication step or deny the request. In the case of personal info changes, checking email addresses against lists of breached addresses, or lists of known hackers, could make flagging and blocking them even easier.

Finally, putting reasonable limits on user activity could help to reduce the impact of fraud while also helping identify it more quickly. No matter how loyal your customers, it’s unlikely they’ll place 20 separate orders in an hour. Analyzing user habits can help you and your software provider set other limits that are unlikely to interrupt legitimate users.