Phishing scam with London Restaurants

I was contacted last night by someone claiming to be from Andrew Edmunds Restaurant; I had made and cancelled a reservation with them on Open Table. I was very close to giving my security number when it started nagging at me that I hadn't seen a deposit come out of my account. So I made my excuses and broke off the conversation.

Andrew Edmunds had sent out an email on Sunday referencing it. When I re-read it, it was to a T what was being attempted with me!

So beware.
 
Either the Open Table database was compromised, or Andrew Edmunds' email account was compromised - there could be several vectors of attack.

Sean - would you mind sharing the email from Andrew Edmunds? I'm curious how they've explained this.
 
Here we go Julian, here's the email:


I suspect Open Table, as the bounder did have the date of cancellation, my phone number and the last 4 digits of my credit card.

What really dotted the i's and crossed the t's for me was when I said I'd call him back: he said he was from Andrew Edmunds' IT department. I mean, Andrew Edmunds with an IT department!!
 
Why would OpenTable have your credit card numbers?

I have made dozens of dinner reservations on OT in the USA and have never had to give them my credit card number. And never would!!
Because sadly 'no-shows' are rife in London and the UK, popular restaurants have had to start taking card details along with bookings (especially larger ones), or even selling 'tickets' for meals in advance. Many people now sadly believe it is OK to book several restaurants on the same date and choose which one to attend without thought of the consequences. Some smaller restaurants have reported 80%+ no-shows, which is crushing financially.
 

Tom Cannavan

Administrator
> Why would OpenTable have your credit card numbers?
>
> I have made dozens of dinner reservations on OT in the USA and have never had to give them my credit card number. And never would!!

I can honestly say it is a complete shock these days if you are NOT asked to enter full credit card details to make an online restaurant booking in the UK through OpenTable, ResDiary, etc.
 
Well, the alternatives move the problem elsewhere! E.g. I use Global Payments (formerly Realex) to do this. Hopefully a company like Realex/Global Payments is a bit more serious about security than OpenTable, but there's always a risk.
 
> Well, the alternatives move the problem elsewhere! E.g. I use Global Payments (formerly Realex) to do this. Hopefully a company like Realex/Global Payments is a bit more serious about security than OpenTable, but there's always a risk.
Agree, but are OpenTable even PCI compliant? I doubt it. A company like this would have had to run network segmentation tests, internal and external vulnerability tests and penetration tests, plus have separation of concerns between Operations / Production Data and the rest of their staff.

The likes of Auth0 and Okta would be way more secure for identity management, and the likes of Stripe and other payment providers would also be way more secure on the payment cards ... it's their core business; the success of those companies is based on getting that right.
 
> I can honestly say it is a complete shock these days if you are NOT asked to enter full credit card details to make an online restaurant booking in the UK through OpenTable, ResDiary, etc.

Recently booked a table at a top French restaurant. It wasn't 3 months in advance at the stroke of midnight; there was a full range of times available, a straightforward web enquiry page, no two-page questionnaire assessing our status, and no credit card or advance payment.
There was a requirement to confirm 24 hours beforehand duly done.
Most importantly it didn’t feel like they were doing me a favour by ‘permitting’ the reservation.
 
> Agree, but are OpenTable even PCI compliant? I doubt it. A company like this would have had to run network segmentation tests, internal and external vulnerability tests and penetration tests, plus have separation of concerns between Operations / Production Data and the rest of their staff.
>
> The likes of Auth0 and Okta would be way more secure for identity management, and the likes of Stripe and other payment providers would also be way more secure on the payment cards ... it's their core business; the success of those companies is based on getting that right.
They must be PCI compliant, surely! Those tests are generally performed by independent companies, and are not ruinously expensive. Is there a public register of PCI compliant organisations?
 
> They must be PCI compliant, surely! Those tests are generally performed by independent companies, and are not ruinously expensive. Is there a public register of PCI compliant organisations?
Looks like they are, and they use Stripe as the payment provider. I think the issue here is access to their production data by persons internally unknown, or by some sort of external data breach.
 
> Looks like they are, and they use Stripe as the payment provider. I think the issue here is access to their production data by persons internally unknown, or by some sort of external data breach.
I've not used Stripe myself, but I assume it tokenises payment details via an API. In which case, how is it that they have (and I presume they must have) still stored the card details on their own systems? That is PCI 101! Maybe log files or something....
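The last two posts raise the practical question behind "PCI 101": once a payment provider tokenises the card, the merchant should hold only the token and display fields (last 4 digits, brand, expiry), and the full PAN should never land in its own databases or logs. The script below is an added example, not code from this forum, from OpenTable or from Stripe. It shows what a tokenised booking record legitimately contains, and then runs the kind of PAN scan a PCI assessor expects over application logs: a digit-run regex filtered by the Luhn check, with masking of anything that looks like a full card number. The log lines and the record are constructed for the example; the 16-digit values are publicly documented payment-provider test card numbers, not real cards.

```python
"""Added example: scan logs and stored records for full card numbers (PANs).

Constructed data only. The point: after tokenisation a merchant keeps the
provider token plus last4/brand/expiry; a full PAN in a DEBUG log line is a
PCI DSS finding regardless of which payment provider is in front.
"""
import re

# 13-19 digit runs, optionally separated by single spaces or dashes
# ("4242 4242 4242 4242"). Lookarounds stop us slicing a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every real PAN passes; roughly 1 in 10 random
    digit strings also pass, so this cuts false positives, not to zero."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the raw substrings of `text` that look like full PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def mask_pans(text: str) -> str:
    """Replace each detected PAN with asterisks plus its last 4 digits,
    i.e. the only part PCI DSS lets you keep in the clear."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line index, PANs found) for every line that leaks a card number."""
    return [(i, found) for i, line in enumerate(lines) if (found := find_pans(line))]


def record_is_pan_free(record: object) -> bool:
    """True if no string anywhere in a (nested) stored record holds a PAN."""
    if isinstance(record, dict):
        return all(record_is_pan_free(v) for v in record.values())
    if isinstance(record, (list, tuple)):
        return all(record_is_pan_free(v) for v in record)
    if isinstance(record, str):
        return not find_pans(record)
    return True


# What a tokenised booking should store (constructed; token name is made up).
TOKENISED_RECORD = {
    "booking_id": 88213,
    "card_token": "tok_constructed_example",   # provider's reference, not the PAN
    "last4": "4242",
    "brand": "visa",
    "exp": "12/29",
}

# Constructed log lines. Line 1 is the classic leak: a DEBUG dump of the raw
# request that carried the card before it was tokenised.
SAMPLE_LOG = [
    "2024-03-02T19:41:07Z INFO booking=88213 card_token=tok_constructed_example last4=4242 brand=visa",
    '2024-03-02T19:41:08Z DEBUG raw request: {"number":"4242424242424242","cvc":"123"}',
    "2024-03-02T19:41:09Z INFO customer phone=+44 20 7946 0000 reservation cancelled",
    "2024-03-02T19:41:10Z DEBUG trace=12345678901234 forwarded to provider",
]


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG):
        print(f"line {idx}: PAN leaked -> {mask_pans(SAMPLE_LOG[idx])}")
    print("tokenised record PAN-free:", record_is_pan_free(TOKENISED_RECORD))
```

Run as-is it flags only the DEBUG line and leaves the phone number, trace id and last4 alone. In practice the scan is run over log archives and database dumps, and the real fix is never logging the raw request body on the payment path; masking after the fact only limits the damage.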
 