Breached Online Ordering Platforms Expose Hundreds of Restaurants
How many of us increased our online orders from restaurants because of the pandemic? Unsurprisingly, criminals have been motivated by that to engage in even more Card Not Present (CNP) fraud. A new report by Gemini Advisory, released today, highlights the growing risks restaurants (and consumers) face.
In the past 6 months, Gemini has reported on breaches of five companies that serve as online ordering platforms for restaurants through centralized platforms. According to their report, breaches involving those five companies have compromised approximately 343,000 payment cards.
The affected platforms take one of two forms. Three of the affected platforms — including Easy Ordering and E-Dining Express — operate as individual restaurants’ actual ordering infrastructure for placing orders. In this first model, the platforms are offered alongside physical restaurant point-of-sale (POS) solutions. Cybercriminals can steal directly from the restaurants relying on these platforms for payment, and exposed transactions from at least 70 different restaurants during this breach. (See note at bottom of post)
(Did you ever actually look up to see what site you were entering your order/payment information on once you connected to the restaurant link?)
Two of the platforms — Grabull and another that Gemini will not name at this time— operate as additional third-party ordering infrastructure for hundreds of participating restaurants to complement the restaurant’s infrastructure, like regional versions of popular services such as Grubhub and DoorDash. In this second model, any of the restaurants that saw orders placed through the platforms would have indirectly had payment card data stolen as a result of the infection. (See note at bottom of post)
Gemini analysts note that veteran hacking groups such as “Keeper” deploy Magecart attacks to capitalize on this illicit opportunity.
Read more on Gemini Advisory’s blog to learn more details about these attacks and what restaurants can do to harden their security or become more aware of the risks.
For myself and other consumers, I just wondered what, if anything we can do to reduce our own risk of having our payment cards compromised because a restaurant may be using a compromised platform without knowing it. Should we all be migrating over to virtual cards? Other than not ordering from restaurants online or paying cash, what can we do? I put the question to Gemini, and Christopher Thomas, Gemini’s Intelligence Production Lead, kindly answered me:
Unfortunately, there is very little a consumer can do to avoid transacting at a compromised restaurant, especially if the restaurant itself does not know that it has been breached. Using larger, global online ordering platforms with more robust investment in cybersecurity can be helpful for reducing the risk of compromise, although it does not completely eliminate the risk.
Regularly monitoring your bank account for fraudulent payments is a security practice not specific to this attack vector, but useful nonetheless. Paying with a credit card rather than a debit card can also help mitigate direct theft from your account. Virtual cards would also protect your card data since these are one-time use cards generated by your financial institution.
So maybe it is time for more of us to switch over to one-time use/virtual cards? Log in to your credit card account and look around for “virtual” to find out how to get a virtual card number. Each card issuer may differ, but since you already have a credit card number with the card issuer, getting a virtual number for one-time or limited use really is supposed to be fast and easy. Of course, since I’ve never tried it, I’m just repeating what I’ve read online. Let me know if it’s true. 🙂
Note of September 2, 2021: Last night, DataBreaches.net was contacted by the “Legal Team” for a firm that was originally named in Gemini Advisory’s report of April 29. The “Legal Team” claimed that the original reporting was inaccurate and misleading and had harmed their reputation and business. They pointed out that Gemini Advisory had updated their report.
I checked Gemini’s post and saw that there was an undated editor’s note explaining that “Gemini has updated this blog post to better accommodate the sensitive nature of this breach and ongoing incident investigations by the affected parties.” That note and editing apparently occurred in early May — after this site’s report on their original report. DataBreaches.net was not aware of the editing until last night.
Because Gemini edited their post to remove two names and slightly alter text, DataBreaches.net is editing this post to correspond to their revised reporting, but notes that Gemini Advisory’s update is neither a retraction nor a correction of their original reporting on the entities they named.