How Chipotle Is Protecting Its Mobile-First Diners From ATO Attempts

How Chipotle Is Protecting Its Mobile-First Diners From ATO Attempts

June 24, 2021 at 12:45PM

Consumers are not relinquishing the ease and convenience of mobile order-ahead experiences, and neither are the fraudsters who have targeted these platforms with increasing frequency. Many of these bad actors are coming to eateries’ digital channels armed with previously stolen data that can be used to mimic legitimate customers, making protection against account takeovers (ATOs) and related fraud a top priority for quick-service restaurants (QSRs), said Dave Estlick, chief information security officer at fast-casual Mexican grill Chipotle.

“I think that certainly the industry — and not only our industry vertical but all verticals — has seen a rise over the last several years in synthetic attacks,” Estlick said. “Bank account takeover is still top-of-mind as consumers continue to reuse credentials on multiple sites.”

Ensuring that digital diners can smoothly and safely place orders while also preventing fraudulent activity is a must for QSRs looking to stay competitive, especially as more consumers head to these apps first to interact with restaurants. Chipotle reported an almost 134 percent year-over-year rise in digital orders for Q1 2021, with orders from its site and mobile app accounting for about half of its quarterly sales, for example. Maintaining such growth requires QSRs to keep a close eye on where and how fraudsters are attempting to take aim at their platforms.

Creating An Invisible Fraud Barrier

Protecting against mobile and digital-focused fraud requires QSRs to understand how the fraud world works, Estlick explained. ATOs, credential stuffing and clickjacking — in which fraudsters slip malicious hyperlinks or malware onto companies’ digital channels to skim consumers’ money or data — represent the top three digital security threats currently facing businesses. It is therefore essential for eateries to have tools in place that can quickly and easily distinguish between legitimate customers and fraudsters armed with stolen credentials.

“We actually use a method that allows us to identify synthetic attacks and report back in a natural way that kind of leads the fraudsters away from us as a potential target,” he said.

Chipotle protects against such synthetic fraud using a combination of its in-house solution and a third-party tool that utilizes artificial intelligence (AI) and machine learning (ML) to automatically detect higher-risk or potentially fraudulent transactions. QSRs must also be sure not to tip their fraud protection hand, Estlick warned. Fraudsters who learn the intricacies of eateries’ tactics for preventing ATO or synthetic identity fraud will simply pivot to other attack vectors, he said. Eateries must therefore provide seamless experiences from the perspective of legitimate customers while ensuring that fraudsters trying their luck with stolen credentials cannot easily see the security measures at work behind the scenes.

“[We are] making sure that from an experience perspective, the interaction seems normal and consistent,” Estlick said. “That would be for both a [fraudster and a] legitimate customer, making sure that you are not adding friction that would potentially lead to abandonment. [We are] equally [making certain that] what are identified or anticipated as fraudulent requests are responded to in a way that seems natural, [so] as not to tip off the fraudsters that ‘Wait a minute, we have identified your particular attack method,’ because all that is going to do is force them to … retool and relearn and come back.”

Keeping up that invisible barrier is key to creating the quick and easy ordering experience that mobile-first consumers have come to expect while also reducing fraud threats. This requires QSRs to keep careful watch over how fraudsters’ tactics are changing and put technologies in place that allow adjustment of preventive measures as quickly as bad actors are retooling their attacks. This is where AI and ML may come into greater play in the future.

Preparing For The AI Fraud Protection War

QSRs — as well as most other online businesses — have been working toward against credential stuffing and ATOs for years, but selling stolen credentials remains a thriving business for malicious actors online. The goal for restaurants is to flag those accounts as stolen or fraudulent from the start, Estlick continued, thus making it less lucrative for that first set of fraudsters selling that information. This is where AI and other automated technologies could prove critical, as these solutions can keep track of stolen data and provide greater visibility into which credentials have been compromised before fraudsters even attempt to use them, he added.

“So the idea there is, if you are successful enough, that first [fraudster] set gets to the point for your particular brand where they are saying, ‘I do not even want to try Chipotle; it is not even worth the time because even if I think that I get a [credentials] list, they are going to have some visibility [into] it,’” Estlick said.

AI will likely play a significant role in the future of fraud protection, but fraudsters are also exploring the benefits of the technology for their own ends. Preparing for a future in which fraud protection will come down to AI against AI should be a top goal for eateries as mobile-first dining becomes the norm.