
How to reduce the risk of cyberattacks on your restaurant mobile app

By Dave Senci, Vice President of Product Development, NuData Security, a Mastercard company

Online orders from quick-service restaurants (QSRs) surged 225% during the pandemic, helping companies stay afloat and providing customers a safe way to enjoy their favorite meals. To defend these mobile transactions against fraud, restaurants should create their apps with security top of mind.

There’s no doubt that restaurant mobile apps are a convenient way for customers to order food. But these apps — like any other platform for online transactions — offer bad actors opportunities to attack user accounts in an attempt to steal mobile rewards, credit card numbers, and other personal information. Many establishments had to pivot to provide online ordering tools for their customers — and they had to do it quickly to continue operations without in-person dining.

Although restaurants have been hard at work to secure their mobile apps, cybercriminals have been working just as diligently to find new ways of infiltrating systems. With this in mind, it’s important for restaurants to take a proactive approach to ensure their mobile offerings are secure.


The risks of ordering through a mobile app

To avoid fees from third-party delivery providers, many restaurants developed in-house mobile apps or enhanced existing ones during the pandemic. Digital capabilities such as online ordering helped restaurants survive the pandemic, but they also present opportunities for fraudsters, especially when companies aren’t versed in security best practices.

Before the pandemic, many restaurants only accepted in-person transactions at a drive-through window or restaurant counter. Protecting card-not-present transactions, like those processed through a mobile app, requires different and often more sophisticated security tactics. For restaurants just launching their first mobile apps, the learning curve is steep — and that makes them prime targets for bad actors. One study found that restaurant industry fraud increased 32% during the pandemic.

Vulnerable transactions pose a series of threats for both companies and customers. Data leaks and breaches can expose customers’ sensitive information, including addresses and credit card numbers. Attackers can also take over customers’ mobile ordering accounts to make fraudulent purchases with their payment information.

But for companies, the repercussions go far beyond the cost of reimbursing fraudulent transactions. Research shows that 81% of consumers would stop engaging with a brand in the event of a data breach, so security flaws are a customer retention issue, too.

Cybercriminals’ tactics are constantly evolving and maintaining security is an ongoing process. It’s important for consumers to be aware of the risks of mobile ordering, but companies need to provide secure ordering and payment methods. This means building apps with more sophisticated security.

How to secure your mobile ordering app

To avoid financial and reputational damage — and to boost revenue — your restaurant’s mobile ordering app should be properly secured. But to preserve a convenient digital experience, whatever protections you add must be virtually frictionless. No one wants to input a multi-factor authentication (MFA) code every time they order a pizza.

Instead of requiring users to take extra authentication steps, another option is to continuously verify user identities with behavioral analytics and passive biometrics.

  • Behavioral analytics looks at a user’s habits, such as where and when they typically log in to a device or app. This information is used to build a behavioral profile of the user, which can then flag anomalous activity. If someone logs in to your food delivery account from the next state over at an odd time of day, they are likely a fraudster — even if they input the correct password at login.
  • Passive biometrics builds user profiles based on users’ inherent behavior, including how a person types or how they hold their device. These behaviors are entirely unique to you, and very difficult for attackers to imitate. An unusual typing cadence or other passive biometric indicators can be another clue that the person logged in to your account isn’t you.

Combining these approaches makes it very difficult for cybercriminals to imitate users even when they have the correct password. And if an attacker attempts to log in with stolen credentials, you can program your app to require further authentication or automatically lock them out.
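The continuous-verification approach described above, as an added example (not code from the article or from NuData): it builds a profile from constructed login history, scores a new login on location, time of day and typing cadence, and maps the score to allow, further authentication or lock-out. The field names, thresholds and sample data are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed sample history for one account (not real data):
# (state, local hour of login, mean ms between keystrokes in the password field)
HISTORY = [
    ("OH", 12, 182.0), ("OH", 18, 175.0), ("OH", 19, 190.0),
    ("OH", 12, 178.0), ("OH", 20, 185.0), ("OH", 18, 180.0),
]

def build_profile(history):
    """Summarise past logins into the habits the article mentions."""
    cadence = [ms for _, _, ms in history]
    return {
        "states": {s for s, _, _ in history},
        "hours": [h for _, h, _ in history],
        "cadence_mean": mean(cadence),
        "cadence_sd": max(pstdev(cadence), 1.0),  # floor avoids divide-by-zero
    }

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_score(profile, state, hour, cadence_ms):
    """Count how many independent signals deviate from the profile (0 to 3)."""
    score = 0
    if state not in profile["states"]:
        score += 1  # unfamiliar location (behavioral analytics)
    if min(hour_distance(hour, h) for h in profile["hours"]) > 3:
        score += 1  # odd time of day; 3-hour window is an assumed threshold
    z = abs(cadence_ms - profile["cadence_mean"]) / profile["cadence_sd"]
    if z > 3:
        score += 1  # typing rhythm unlike the owner's (passive biometrics)
    return score

def decide(score):
    """One deviating signal asks for further authentication; two or more lock out."""
    if score == 0:
        return "allow"
    return "step_up" if score == 1 else "block"

def assess(history, state, hour, cadence_ms):
    """Score a login that already presented the correct password."""
    return decide(risk_score(build_profile(history), state, hour, cadence_ms))
```

Because a single unusual signal only triggers further authentication, a legitimate customer who is travelling is challenged rather than locked out.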

A more streamlined approach to cybersecurity

Food delivery mobile apps have become ubiquitous since the start of the pandemic, becoming an integral part of many consumers’ lives — and many restaurants’ revenue streams. But customers won’t stick around if their personal information is compromised in a breach or their accounts are stolen in an attack. To retain loyal customers for the long term, you must deliver a digital experience that’s both secure and convenient, and that means leaning into modern technologies that keep your app friction-free.