How Does Credit Card Fraud Through a Restaurant Work?

On a typical April evening in Manhattan a few years ago, well-heeled customers were dining at a slew of high-end steakhouses including Morton’s, the Capital Grille, Smith & Wollensky, and the Bicycle Club. They ordered bottles of wine, filet mignon, and the occasional porterhouse. When the checks came, they plunked down company cards, personal Visas, and the occasional American Express Black card.

What transpired next, and over the next eight months between April and November 2011, would shock even a New York attorney general. As they handed over their credit cards, at least 50 diners unknowingly handed over their identities, which were stolen by a group of servers in a scheme to buy and resell luxury items.

As the New York Times reported back in 2011, diners signing the check for a steak dinner also wound up picking up the tab for “cases of vintage French wine, Louis Vuitton handbags, Cartier jewelry and even a Roy Lichtenstein lithograph of Marilyn Monroe.”

Twenty-eight people were ultimately indicted in the scheme, which involved waiters using lipstick-sized electronic skimmers to extract data from the magnetic strips of credit cards. As hefty credit card bills weren’t unusual for the diners, many weren’t even initially aware that their information had been stolen.

While the above example is not typical, credit card fraud happens all too often. Fraud is especially easy to perpetrate at restaurants, as diners hand over their credit cards without a second guess (and don’t often see where their card goes once it’s handed over). Though in some instances it’s the work of rogue employees targeting specific diners, sometimes the perpetrators are hackers stealing massive quantities of customer data at one time; in recent months, large-scale credit card data hacks have been reported at chains including Wendy’s, Arby’s, Sonic, Whole Foods, and Chipotle. Below, more about credit fraud: Jow it works in a restaurant, and how some are trying to make it harder to perpetrate.

What is credit card fraud, and how does it happen at restaurants?

“Basically, it’s when a someone steals another person’s credit card information intentionally to use for fraudulent purposes,” says Misty Carter, research specialist for the Association of Certified Fraud Examiners.

There are a couple of ways credit card fraud can occur at a restaurant:

Skimmer: “A skimmer is a small device that attaches to a reader,” says Yinzhi Cao, an assistant professor of computer science and engineering at Lehigh University. “When a credit card is swiped, the skimmer captures the magnetic field, and then collects it, saving the data of everyone who swipes.”

While skimmers are most often used at ATMs and gas stations, they’ve been used at restaurants before (like in the New York case mentioned above). “It’s starting to become more prevalent at restaurants,” Carter says. “Usually it’s the waitstaff — they get your credit card, and they have skimmers that are so small they can be held in the palm of your hand.”

When a diner hands the server her credit card, the server will swipe it through the restaurant’s own point-of-sale system and then through a skimmer, which records the credit card number. “A lot of times, there’s an organized crime ring behind it all,” Carter says. “Usually, the waitstaff would just be a part of the larger ring.”

In other words, if your credit card number is stolen at a restaurant, it likely isn’t because of one fraudulent server, but an entire ring of credit card thieves. Carter says that servers in these scenarios usually get paid based on how many card numbers they steal. Once the ringleader gets a hold of the credit card number, they can take a gift card from just about any retail store, demagnetize that card, and then re-magnetize it using the stolen credit card information.

Hacking: “Hacking is huge,” Carter says. “When you look at big companies — Home Depot, etc. — their customer information tends to be stolen through hacking.”

In 2015, criminals hacked their way into the database of some 500-plus restaurants owned by Landry’s by installing a program on the payment-processing devices at chains including Rainforest Cafe and McCormick & Schmick’s. According to a company statement, “the program was designed to search for data from the magnetic stripe of payment cards that had been swiped (cardholder name, card number, expiration date, and internal verification code) as the data was being routed through affected systems.”

According to a 2015 report from Barclays, the U.S. is responsible for 47 percent of the world's credit card fraud, despite only accounting for 24 percent of total worldwide card volume. And it’s a trend that’s on the rise: Approximately 31.8 million U.S. consumers had their cards breached in 2014, more than three times the number affected the year prior.

How easy is it to perpetrate credit card fraud through a restaurant versus, say, a retail store or a gas station?

Restaurants offer an ideal environment in which to commit identity theft, mainly because the card is out of its owners’ possession for several minutes. “At restaurants, you still have to give the server your card,” says Carter. “Once it leaves your hands, you don’t know where it goes.”

If a diner’s credit card information is stolen, they likely won’t realize it right away — another boon to fraudsters. “Most people who use their credit card use it at a lot of different places,” says Carter. “So, by the time their charges show up on a statement, it’s been a month or a few weeks. They may not even remember where they used it. It’s very hard to determine whether or not you got scammed at a restaurant.”

Restaurants are also an ideal location to perpetrate credit card fraud because cards at restaurants are almost always swiped — even chip cards, which were designed to ward against fraud. “The chip doesn’t really help at a restaurant,” says Cao. “That credit card information is still magnetized, even if it has a chip. Most stores and companies are moving toward the chip — when you use a chip, the card never leaves your hand — but restaurants haven’t gotten on board for the most part.”

Has newer technology like chip cards or contactless cards made fraud any harder?

Even chip cards aren’t foolproof. According to Carter, there are ways that criminals can steal credit card numbers without even coming in to contact with the card. “There are devices — some that can fit inside a wallet — that, when they get near to your wallet, can capture your credit card information. Essentially, it send out signals and demagnetizes the area around the card.”

Those devices are pretty rare, but Carter cautions that even chip cards and contactless cards (which are popular in Europe but haven’t found much of a market in the U.S.) aren’t immune to fraud.

Cao recently led a team of researchers in developing a method to prevent mass credit card fraud using existing magnetic card readers (i.e. the traditional swiping technology). The technique, called SafePay, works through a smartphone, by communicating with a bank’s server and creating a disposable credit card number during transactions. That disposable number is then sent to a card-shaped device, simulating the behavior of a physical magnetic credit card.

“Once the one-time number is used, it then expires,” he says. “Even if someone steals the number, it has already become useless.” Chao says that the device is on par with a contactless card or a chip card, in terms of safety; the real advantage is in its deployment.

But until a device like SafePay catches on (Cao, a researcher, says he hasn’t secured much funding for the device), there are a couple of tips consumers can keep in mind to ensure credit card numbers stay out of the hands of fraudsters: First, use cash or a pre-paid card. “Cash is pretty much foolproof,” says Carter. “But I also suggest buying a pre-paid card, and loading it with money to use at restaurants. If the number is stolen, your loss will be less so long as you don’t load too much money on it.” Secondly, check credit cards statements regularly. “Make sure that everything appears to be correct on your statements and then contact the bank immediately if you find unauthorized charges,” says Carter. “Usually, if it’s a credit card, the bank will give you your money back while they investigate the charges.”

Meanwhile, order and pre-pay apps like the ones on offer at Starbucks, McDonald’s, Chipotle, and a growing number of chains mean consumers’ credit cards can stay in their pockets and away from fraudsters. But apps, which may not require two-factor authorization or that consumers change their passwords regularly, can be vulnerable, too. Earlier this year Starbucks’ app — widely heralded as one of the most successful restaurant payment apps on the market — was docked for having a security weakness that allowed a thief to hack into it, load money from a saved credit card, and use it as their own account. Starbucks denied the claims, but issued a statement that read, in part: “...only a tiny fraction of one percent of account holders [were] impacted, significantly reducing fraudulent activity to a level vastly better than industry average. We strongly encourage our customers to follow best practices to protect their accounts.”