What to know about credit card fraud in restaurants and how to protect yourself

Supported By:

Net Patrol International Inc.  Data Investigation and Forensic Services
Bankruptcy and Insolvency Trustees

As the New York Times reported back in 2011, diners signing the check for a steak dinner also wound up picking up the tab for “cases of vintage French wine, Louis Vuitton handbags, Cartier jewelry and even a Roy Lichtenstein lithograph of Marilyn Monroe.”

Twenty-eight people were ultimately indicted in the scheme, which involved waiters using lipstick-sized electronic skimmers to extract data from the magnetic strips of credit cards. As hefty credit card bills weren’t unusual for the diners, many weren’t even initially aware that their information had been stolen.

While the above example is not typical, credit card fraud happens all too often. Fraud is especially easy to perpetrate at restaurants, as diners hand over their credit cards without a second guess (and don’t often see where their card goes once it’s handed over). Though in some instances it’s the work of rogue employees targeting specific diners, sometimes the perpetrators are hackers stealing massive quantities of customer data at one time; in recent months, large-scale credit card data hacks have been reported at chains including Wendy’s, Arby’s, Sonic, Whole Foods, and Chipotle.

There are a couple of ways credit card fraud can occur at a restaurant:

Skimmer: “A skimmer is a small device that attaches to a reader,” says Yinzhi Cao, an assistant professor of computer science and engineering at Lehigh University. “When a credit card is swiped, the skimmer captures the magnetic field, and then collects it, saving the data of everyone who swipes.”

While skimmers are most often used at ATMs and gas stations, they’ve been used at restaurants before (like in the New York case mentioned above). “It’s starting to become more prevalent at restaurants,” Carter says. “Usually it’s the waitstaff — they get your credit card, and they have skimmers that are so small they can be held in the palm of your hand.”

Hacking: In 2015, criminals hacked their way into the database of some 500-plus restaurants owned by Landry’s by installing a program on the payment-processing devices at chains including Rainforest Cafe and McCormick &

Schmick’s. According to a company statement, “the program was designed to search for data from the magnetic stripe of payment cards that had been swiped (cardholder name, card number, expiration date, and internal verification code) as the data was being routed through affected systems.”

Restaurants offer an ideal environment in which to commit identity theft, mainly because the card is out of its owners’ possession for several minutes. “At restaurants, you still have to give the server your card,” says Carter. “Once it leaves your hands, you don’t know where it goes.”

Restaurants are also an ideal location to perpetrate credit card fraud because cards at restaurants are almost always swiped — even chip cards, which were designed to ward against fraud. “The chip doesn’t really help at a restaurant,” says Cao. “That credit card information is still magnetized, even if it has a chip. Most stores and companies are moving toward the chip — when you use a chip, the card never leaves your hand — but restaurants haven’t gotten on board for the most part.”


Until a device like SafePay catches on (Cao, a researcher, says he hasn’t secured much funding for the device), there are a couple of tips consumers can keep in mind to ensure credit card numbers stay out of the hands of fraudsters: First, use cash or a pre-paid card. “Cash is pretty much foolproof,” says Carter. “But I also suggest buying a pre-paid card and loading it with money to use at restaurants. If the number is stolen, your loss will be less so long as you don’t load too much money on it.”

Meanwhile, order and pre-pay apps like the ones on offer at Starbucks, McDonald’s, Chipotle, and a growing number of chains mean consumers’ credit cards can stay in their pockets and away from fraudsters. But apps, which may not require two-factor authorization or that consumers change their passwords regularly, can be vulnerable, too. Earlier this year Starbucks’ app — widely heralded as one of the most successful restaurant payment apps on the market — was docked for having a security weakness that allowed a thief to hack into it, load money from a saved credit card, and use it as their own account.

Read the full story over at Eater.

This story was summarized by Canadian Fraud News Inc.