Breached Online Ordering Platforms Expose Hundreds of Restaurants

How many of us increased our online orders from restaurants because of the pandemic?  Unsurprisingly, criminals have been motivated by that to engage in even more Card Not Present (CNP) fraud.  A new report by Gemini Advisory, released today, highlights the growing risks restaurants (and consumers) face.

In the past 6 months, Gemini has reported on breaches of five  companies that serve as online ordering platforms for restaurants through centralized platforms. According to their report, breaches involving those five companies have compromised approximately 343,000 payment cards.

The affected platforms take one of two forms. Three of the five affected platforms —  Easy Ordering, MenuSifu, and E-Dining
Express — operate as individual restaurants’ actual ordering infrastructure. Those three platforms exposed transactions from at least 70 different restaurants.

(Did you ever actually look up to see what site you were entering your order/payment information on once you connected to the restaurant link?)

The other two platforms —  Food Dudes Delivery and Grabull —  operate as additional third-party ordering infrastructure for hundreds of participating restaurants.

Gemini analysts note that veteran hacking groups such as “Keeper” deploy Magecart attacks to capitalize on this illicit opportunity.

Read more on Gemini Advisory’s blog to learn more details about these attacks and what restaurants can do to harden their security or become more aware of the risks.

For myself and other consumers, I just wondered what, if anything we can do to reduce our own risk of having our payment cards compromised because a restaurant may be using a compromised platform without knowing it. Should we all be migrating over to virtual cards?  Other than not ordering from restaurants online or paying cash, what can we do?  I put the question to Gemini, and Christopher Thomas, Gemini’s Intelligence Production Lead, kindly answered me:

Unfortunately, there is very little a consumer can do to avoid transacting at a compromised restaurant, especially if the restaurant itself does not know that it has been breached. Using larger, global online ordering platforms with more robust investment in cybersecurity can be helpful for reducing the risk of compromise, although it does not completely eliminate the risk.

Regularly monitoring your bank account for fraudulent payments is a security practice not specific to this attack vector, but useful nonetheless. Paying with a credit card rather than a debit card can also help mitigate direct theft from your account. Virtual cards would also protect your card data since these are one-time use cards generated by your financial institution.

So maybe it is time for more of us to switch over to one-time use/virtual cards?  Log in to your credit card account and look around for “virtual” to find out how to get a virtual card number. Each card issuer may differ, but since you already have a credit card number with the card issuer, getting a virtual number for one-time or limited use really is supposed to be fast and easy. Of course, since I’ve never tried it, I’m just repeating what I’ve read online.  Let me know if it’s true. 🙂

About the author: Dissent

Comments are closed.