GBQ recognizes the growing connection between restaurant patrons and the restaurant through digital means such as websites and mobile apps, both in and out of the store. This is a story from the field in which a company anonymously shares an incident it experienced, in the hope that others might learn from it.
“We received our monthly statement from our processor like we always do. My staff accountant brought it to me saying it looked like something was off. When I looked at it, it looked like there was an issue with the decimal place. It was 10 times our normal statement amount! Certainly, a mistake. We called the processor and the statement was correct.”
This restaurant company depends heavily on revenue from online ordering to serve customers throughout its geographic footprint, so the incident had the potential to be devastating.
After investigating, the restaurant’s eCommerce provider discovered that hackers used a bot attack on the restaurant’s online ordering site. In the attack, bots attempted to determine full credit card data for stolen VISA credit cards. They did this by pushing through hundreds of thousands of authorizations using various combinations of credit card numbers, AVS and CVV codes.
This kind of attack is called an enumeration attack. Enumeration attacks are a type of fraud in which a criminal systematically submits transactions with enumerated values such as payment card primary account numbers (PANs), expiration dates and CVV codes. The intent is to test a series of stolen PANs against other values to identify cards that can be used for other purposes. Typically, these bot attacks are distributed and are not focused on just one eCommerce site.
The restaurant company does not actually incur a direct loss, since nothing is ordered for delivery. If an authorization succeeds, the attacker has confirmed a usable card and will likely victimize the cardholder in another illegal action.
But indirectly the impact can be huge, as this restaurant company discovered. Every authorization attempt incurs a small processing fee from the eCommerce processor and VISA. A few cents here or there may not seem like a big deal, but across hundreds of thousands of automated attempts it adds up, as the company found, to a number large enough to leave a mark. “Of course, for each of those authorizations, we were charged a fee by VISA (and our eCommerce provider). Our total loss was close to $100,000.”
Under their contract with the eCommerce provider, there were VISA pass-through fees associated with each AVS/CVV validation attempt performed. Those fees were multiplied by the total volume of the validation attempts.
In the end, our client negotiated a credit for some, but not all, of the fees from VISA.
The company reflected on what they learned from the experience, reviewed their controls in place on their website, and made some improvements to protect against these attacks in the future.
Key takeaways and learning points
Items to consider to protect yourself from this type of bot attack:
- Read your payment card processing agreements closely. Identify all the fees associated with card transactions.
- Overall, preventing bot attacks requires a multi-layered approach that involves implementing various safeguards and monitoring the site for unusual activity. It’s important to stay up-to-date on the latest threats and to work with payment providers and other experts to implement the necessary protections.
- Coordinate with your web developer, POS provider, web hosting provider, marketing management, IT management and your security expert to ensure controls are in place to prevent enumeration attacks.
- Routinely assess the vulnerability of your web and mobile apps. Vulnerability scans and penetration tests can help find weaknesses before the attackers do. If the apps are built and maintained by a third party, ask them for assurance that they are operating in a secure manner. At a minimum, ask for a copy of their SOC report and proof that they conduct vulnerability scanning and penetration testing on a routine basis.
- Implement CAPTCHA. CAPTCHA, which by now we have all experienced, is a security measure that requires users to prove they are human by completing a task that is difficult for bots to perform. This can help prevent bots from accessing the site and attempting to steal credit card data.
- Use rate limiting or throttling. Rate limiting is a technique that limits the number of requests that can be made to a site within a certain time period. This can help prevent bot attacks that involve sending large numbers of requests to the site.
- Ensure your POS provider monitors for unusual activity. It is important to monitor the site for unusual activity, such as a sudden increase in the number of requests or authorizations. This can help detect bot attacks early and prevent them from causing too much damage.
- Implement fraud detection tools. Fraud detection tools can help identify suspicious activity on the site, such as multiple authorizations from the same IP address or unusual patterns of activity. These tools can help prevent fraudulent transactions from being processed.
- Implement geofencing. Geofencing protects websites from fraud by using location-based technology to enhance security measures. Nobody from another continent is going to legitimately be ordering meals online from your US-based restaurant.
Consider the customer experience
It is imperative that the customer experience is included in choosing methods to secure the site. This restaurant company made the following security upgrades to their website:
- They turned on throttling that allows at most 30 card validation requests per IP address per day. They chose 30 as the limit in order to accept multiple orders from large corporations, schools, hotels, etc., where several people behind one address might place an order during the day.
- To prevent offshore attacks, they turned on IP geofencing that checks the country of origin of payment requests and blocks requests from outside the United States.
- As some card testing happens from US-based IP addresses, they also added Google’s Enterprise Silent reCAPTCHA to web ordering and added shared-secret authentication for the mobile ordering apps.
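As an added illustration of the two controls the company described above (the per-IP daily throttle of 30 card validation requests and the US-only geofence) and of the rate limiting and monitoring items in the takeaways list, here is a Python replay of those checks over constructed authorization log lines. It is example code, not the restaurant's or its eCommerce provider's implementation; the log format, IP addresses and per-attempt fee are assumptions.

```python
from collections import defaultdict

# Policy from the case: at most 30 card-validation requests per IP address per
# day, and only from US-based IP addresses. The per-attempt fee is an assumed
# placeholder for illustration, not a figure reported in the case.
MAX_VALIDATIONS_PER_IP_PER_DAY = 30
ALLOWED_COUNTRIES = {"US"}
ASSUMED_FEE_PER_ATTEMPT_USD = 0.05

# Constructed sample log lines: "<ISO timestamp> <source IP> <geo country> <auth result>".
# 203.0.113.7 is a legitimate office placing a few orders; 198.51.100.9 pushes
# 45 validation attempts through in one night; 192.0.2.5 is a non-US address.
SAMPLE_LOG = (
    ["2024-03-01T11:02:10 203.0.113.7 US approved"] * 3
    + [f"2024-03-01T02:{i:02d}:00 198.51.100.9 US declined" for i in range(45)]
    + ["2024-03-01T03:10:00 192.0.2.5 DE declined"] * 4
)

def parse_line(line):
    """Split one constructed log line into (date, ip, country, result)."""
    ts, ip, country, result = line.split()
    return ts[:10], ip, country, result

def apply_controls(lines):
    """Replay validation attempts, in timestamp order, against the geofence and
    the per-IP daily throttle. Returns how many attempts would still reach the
    processor, which IPs were stopped by each control, and the fees avoided."""
    forwarded_today = defaultdict(int)  # (ip, date) -> attempts already forwarded
    forwarded, geo_blocked, throttled = [], [], []
    for line in sorted(lines):
        date, ip, country, _ = parse_line(line)
        if country not in ALLOWED_COUNTRIES:   # geofence: drop before any auth fee
            geo_blocked.append(ip)
            continue
        if forwarded_today[(ip, date)] >= MAX_VALIDATIONS_PER_IP_PER_DAY:
            throttled.append(ip)               # over the daily cap for this IP
            continue
        forwarded_today[(ip, date)] += 1
        forwarded.append(ip)
    stopped = len(geo_blocked) + len(throttled)
    return {
        "forwarded": len(forwarded),
        "geo_blocked": sorted(set(geo_blocked)),
        "throttled": sorted(set(throttled)),
        "fee_avoided_usd": round(stopped * ASSUMED_FEE_PER_ATTEMPT_USD, 2),
    }

if __name__ == "__main__":
    print(apply_controls(SAMPLE_LOG))
```

The IPs listed under `throttled` and `geo_blocked` are the ones a monitoring dashboard would surface as unusual activity; the legitimate office address never appears in either.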
Staying ahead of cybersecurity risks can be very difficult in today’s business environment; however, it is imperative to become as knowledgeable as possible about the different risks out there. Knowledge is power, and making sure you have the technology expertise available to devise a plan to mitigate these risks will help everyone sleep a little better at night. If you have questions about this type of cybersecurity incident or would like to know more about the steps you can take to be prepared, please reach out to Doug Davidson or your GBQ contact.