Phishing scam with London Restaurants

Tom Cannavan

Administrator
Most importantly it didn’t feel like they were doing me a favour by ‘permitting’ the reservation.

It's a joy when places don't require it, but I have to say that while I really resented being asked for CC details a few years ago when it started to spread among finer restaurants, I now expect it and accept it is a necessary evil.
 

Tom Cannavan

Administrator
I've not used Stripe myself, but assume it tokenises payment details via an API. In which case, how is it that they have (and I presume they must have) still stored the card details on their own systems? That is PCI 101! Maybe log files or something....

I use Stripe as my processing partner of online-tastings.co.uk and think they are game-changingly fantastic - easy, low commission, great tools. I do not get or have access to the credit card details of my customers.
 
I use Stripe as my processing partner of online-tastings.co.uk and think they are game-changingly fantastic - easy, low commission, great tools. I do not get or have access to the credit card details of my customers.
But they will have other options where the client does get the details and passes them through via the API. This can be used to give a highly tailored user experience and can be considered "more professional". However, it's important to destroy records once passed.
 

Tom Cannavan

Administrator
But they will have other options where the client does get the details and passes them through via the API. This can be used to give a highly tailored user experience and can be considered "more professional". However, it's important to destroy records once passed.

Very good point - there are facilities to build APIs which I have never considered, and I guess those could pass very different data.
 
I can honestly say it is a complete shock these days if you are NOT asked to enter full credit card details to make an online restaurant booking in the UK through OpenTable, ResDiary, etc.
In America I almost always get an email from OT one or two days prior asking me to confirm my reservation.

Also I know OT USA requires restaurants to report if you showed up or not. This usually happens within minutes of your reservation time. I assume this is so regular no-shows can be kicked off the app.

One time I received an email from OT saying I was a no-show, when in fact we did show up. Trying to get that changed proved to be impossible. No reply to emails or voice messages. I guess the way they keep the cost of this service affordable is to have it totally automated, with minimal human involvement. In retrospect I should have called the restaurant to have them correct it.
 
Location
SW1X
I had something similar a few weeks ago. I booked a private room at a St James’s restaurant for a work dinner. We got a call the day before (with the restaurant name, booking size and time) asking for a hefty deposit to ‘confirm the booking’. My secretary, not wanting to jeopardise the table, got halfway through giving the credit card details before remembering she had already paid a deposit so called the restaurant directly to check. To be told that it had happened multiple times that week.
 

Tom Cannavan

Administrator
One time I received an email from OT saying I was a no-show, when in fact we did show up.

Yes, booking a restaurant in Venice with The Fork booking service (now part of Michelin) they cancelled my reservation with the restaurant after it had been made and confirmed, and never told me. We turned up and they had struck us off the list. Thankfully we did get a table after a short wait, so handled well.
 
I've not used Stripe myself, but assume it tokenises payment details via an API. In which case, how is it that they have (and I presume they must have) still stored the card details on their own systems? That is PCI 101! Maybe log files or something....

First 6 digits (type of card / bank) and last 4 digits are not considered sensitive data under PCI terms
A lot of companies will store this as a reminder to their customers as to which card they used
If the scammer was quoting only the last 4 digits then they may have access to a data breach where that is all they have - if they had the full card number, they wouldn't be phoning to scam anyone - they would be out spending!

There are a lot of dodgy companies out there regarding storage of data, there are companies who store full unsecured credit card data and who have made the decision to risk any issue v. the cost of PCI compliance - many get away with it... I am not aware of any issues with OpenTable / ResDiary as far as that is concerned - their payment gateways handle the PCI compliance, so they won't be storing full details (we add these to client websites)...
 
First 6 digits (type of card / bank) and last 4 digits are not considered sensitive data under PCI terms
A lot of companies will store this as a reminder to their customers as to which card they used
If the scammer was quoting only the last 4 digits then they may have access to a data breach where that is all they have - if they had the full card number, they wouldn't be phoning to scam anyone - they would be out spending!

There are a lot of dodgy companies out there regarding storage of data, there are companies who store full unsecured credit card data and who have made the decision to risk any issue v. the cost of PCI compliance - many get away with it... I am not aware of any issues with OpenTable / ResDiary as far as that is concerned - their payment gateways handle the PCI compliance, so they won't be storing full details (we add these to client websites)...
Ah yes, good point. I suspect you're right!
 
But they will have other options where the client does get the details and passes them through via the API. This can be used to give a highly tailored user experience and can be considered "more professional". However, it's important to destroy records once passed.
I don't see where the client gets the details here - it'll be passed as a hashed object straight into the API, storage is unnecessary for a customised user experience - it's only required for recurring payments.

Even then, I haven't seen card processors offering this in that way for a long time. Even the old Stripe API had you store a customer ID object and the tokenised card information would be stored on Stripe's servers and thus taking most of the PCI-DSS liability.

I think the discussion of card details being stored by anyone is superfluous - that's not what is happening here. Knowledge of booking data is being used to confidence scam payments over the phone. It's nothing to do with a card processor.

Even in its simplest form, someone might just be siphoning off booking emails for this data. Opentable have a bad leak, simple as that.
 
I don't see where the client gets the details here - it'll be passed as a hashed object straight into the API, storage is unnecessary for a customised user experience - it's only required for recurring payments.

Even then, I haven't seen card processors offering this in that way for a long time. Even the old Stripe API had you store a customer ID object and the tokenised card information would be stored on Stripe's servers and thus taking most of the PCI-DSS liability.

I think the discussion of card details being stored by anyone is superfluous - that's not what is happening here. Knowledge of booking data is being used to confidence scam payments over the phone. It's nothing to do with a card processor.

Even in its simplest form, someone might just be siphoning off booking emails for this data. Opentable have a bad leak, simple as that.
Indeed - i had the (wrong) impression that they'd got the full card number and were only calling up for the CSC.

However, in my imagined scenario, they were perhaps getting the card details from a web/app log or something like that. Not a deliberate data storage.
 
Indeed - i had the (wrong) impression that they'd got the full card number and were only calling up for the CSC.

However, in my imagined scenario, they were perhaps getting the card details from a web/app log or something like that. Not a deliberate data storage.
I can confirm in the conversation the person who contacted me only had the last 4 digits of my card number, that's what prompted me to think it was bone fide. It was only the nagging doubt that I had not seen any transaction on my statements that stopped me from giving him the CCV.
 
The scam email shown does have the classic hallmarks of poor English, with two errors in the first sentence - always the most useful giveaway to those of us who are not tech-savvy.
In a new (to me) development on us soft foodie targets, I was scanning an area I know pretty well last night on Google Maps to check transport details, and passed over a placemarker for a restaurant I'd never heard of - Chateau-X. Curiosity piqued, I clicked and even my (ancient, unsafe) home laptop balked, with a full-on big red 'Dangerous Website' alert page, at which I shut down entirely within half a second ... anyone else come across this on a Google Maps placemarker?
 
The scam email shown does have the classic hallmarks of poor English, with two errors in the first sentence - always the most useful giveaway to those of us who are not tech-savvy.
In a new (to me) development on us soft foodie targets, I was scanning an area I know pretty well last night on Google Maps to check transport details, and passed over a placemarker for a restaurant I'd never heard of - Chateau-X. Curiosity piqued, I clicked and even my (ancient, unsafe) home laptop balked, with a full-on big red 'Dangerous Website' alert page, at which I shut down entirely within half a second ... anyone else come across this on a Google Maps placemarker?
Quite likely a brief lapse with their security certificate prompting an unsafe flagging from Google Elizabeth, the site loads fine for me now. Basically anyone publishing a website registers with a service that certifies they own the web address they're using and this certificate is recognised by software like Google, a lack of which will prompt a rather alarming warning page as you observed. It's usually a matter of the certificate not being renewed on time or a cock up on the IT bod's side rather than anything sinister, but always worth mentioning to the business involved.
 
0345 602 0120

Just had a call from this number purporting to be The Ledbury reservations team with details of previous visit and a claim that the ‘Deposit’ hadn’t been refunded. Asked whether I wanted it returned to card or as vouchers. When I pointed out that they weren’t calling from the number I usually associate with The Ledbury, we mysteriously lost connection. Beware.
 
0345 602 0120

Just had a call from this number purporting to be The Ledbury reservations team with details of previous visit and a claim that the ‘Deposit’ hadn’t been refunded. Asked whether I wanted it returned to card or as vouchers. When I pointed out that they weren’t calling from the number I usually associate with The Ledbury, we mysteriously lost connection. Beware.
Should have asked for vouchers ;)
 
Top