Phishing scam with London Restaurants

S

Sean Hardon

Location
Belfast, Northern Ireland
I was last night last night contacted by someone claiming to be from Andrew Edmunds Restaurant, I had made and cancelled a reservation with them on Open Table. I was very close to giving my security number when it was nagging in me that I hadn't seen a deposit come out of my account. So I made my excuses and broke off the conversation.

Andrew Edmunds had sent out an email on Sunday referencing it. When I re read it, it was to a T what was being attempted with me!

So beware.
 
Or Open Table database compromised, or Andrew Edmunds email account compromised - could be several vectors of attack.

Sean - would you mind sharing the email from Andrew Edmunds? I'm curious how they've explained this.
 
Here we go Julian, here's the email:

ANDREW EDMUNDS Phishing Scam

It has come to our attention that someone is calling customers impersonating a member of staff and are asking for credit card details to take or refund a money. Please be aware that this is currently happening with a number of restaurants. Please never pass on your credit card details over the...
shoutout.wix.com

I suspect Open table, as the bounder did have the date of cancellation, my phone number and the last 4 digits of my credit card.

What really dotted the i's and crossed the t's for me was when I said I'd call him back, he said he was from Andrew Edmund's IT department. I mean Andrew Edmund's with an IT dpt!!
 
Last edited:
Peter Simpson said:
Why would OpenTable have your credit card numbers?

I have made dozens of dinner reservations on OT in the USA and have never had to give them my credit card number. And never would!!
Click to expand...
Because sadly ‘no shows’ are rife in London and the UK, so popular restaurants have had to start taking card details along with bookings (especially larger ones), or even selling ‘tickets’ for meals in advance. Many people now sadly believe is OK to book several restaurants on the same date and choose which one to attend without thought of the consequences. Some smaller restaurants have reported 80+% no shows which is crushing financially.
 
Peter Simpson said:
Why would OpenTable have your credit card numbers?

I have made dozens of dinner reservations on OT in the USA and have never had to give them my credit card number. And never would!!
Click to expand...

I can honestly say it is a complete shock these days if you are NOT asked to enter full credit card details to make an online restaurant booking in the UK through OpenTable, ResDiary, etc.
 
Well, the alternatives move the problem elsewhere! eg. I use Global Payments (formerly Realex) to do this. Hopefully a company like Realex/GlobalPayments are a bit more serious about security than OpenTable, but there's always a risk.
 
Alex Lake said:
Well, the alternatives move the problem elsewhere! eg. I use Global Payments (formerly Realex) to do this. Hopefully a company like Realex/GlobalPayments are a bit more serious about security than OpenTable, but there's always a risk.
Click to expand...
Agree, but are OpenTable even PCI Compliant? I doubt it. A company like this would have had to run Network Segmentation Tests, Internal and External Vulnerability Tests, Penetration Tests plus have separation of concerns between Operations / Production Data and the rest of their Staff.

The likes of Auth0, Okta would be way more secure for identity management and the likes of Stripe and other payment providers would also be way more secure on the payment cards ... it's their core business the success of those companies is based on getting that right.
 
Tom Cannavan said:
I can honestly say it is a complete shock these days if you are NOT asked to enter full credit card details to make an online restaurant booking in the UK through OpenTable, ResDiary, etc.
Click to expand...
Recently booked a table at a top French restaurant. It wasn’t 3 months in advance, at the stroke of midnight, there was a full range of times available, straightforward web enquiry page, they didn’t need a two page questionnaire assessing our status, no credit card or advance payment.
There was a requirement to confirm 24 hours beforehand duly done.
Most importantly it didn’t feel like they were doing me a favour by ‘permitting’ the reservation.
 
Conor Twomey said:
Agree, but are OpenTable even PCI Compliant? I doubt it. A company like this would have had to run Network Segmentation Tests, Internal and External Vulnerability Tests, Penetration Tests plus have separation of concerns between Operations / Production Data and the rest of their Staff.

The likes of Auth0, Okta would be way more secure for identity management and the likes of Stripe and other payment providers would also be way more secure on the payment cards ... it's their core business the success of those companies is based on getting that right.
Click to expand...
They must be PCI compliant, surely! Those tests are generally performed by independent companies, and are not ruinously expensive. Is there a public register of PCI compliant organisations?
 
Alex Lake said:
They must be PCI compliant, surely! Those tests are generally performed by independent companies, and are not ruinously expensive. Is there a public register of PCI compliant organisations?
Click to expand...
Looks like they are and they use Stripe as the payment provider. I think the issue here is access to their production data by persons internally unknown or by some sort of external data breach
 
Conor Twomey said:
Looks like they are and they use Stripe as the payment provider. I think the issue here is access to their production data by persons internally unknown or by some sort of external data breach
Click to expand...
I've not used Stripe myself, but assume it tokenises payment details via an API. In which case, how is it that they have (and I presume they must have) still stored the card details on their own systems? That is PCI 101! Maybe log files or something....
 
You must log in or register to reply here.
Top