I attended the National Restaurant Association exposition in Chicago earlier this year, and looked at all the ways modern restaurant IT is spying on people.
But there's also a fundamentally creepy aspect to much of this. One of the prime ways to increase value for your brand is to use the Internet to practice surveillance of both your customers and employees. The customer side feels less invasive: Loyalty apps are pretty nice, if in fact you generally go to the same place, as is the ability to place orders electronically or make reservations with a click. The question, Schneier asks, is "who owns the data?" There's value to collecting data on spending habits, as we've seen across e-commerce. Are restaurants fully aware of what they are giving away? Schneier, a critic of data mining, points out that it becomes especially invasive through "secondary uses," when the "data is correlated with other data and sold to third parties." For example, perhaps you've entered your name, gender, and age into a taco loyalty app (12th taco free!). Later, the vendors of that app sell your data to other merchants who know where and when you eat, whether you are a vegetarian, and lots of other data that you have accidentally shed. Is that what customers really want?
I have only heard of this happening in Spain on the Costa del Sol, but it could happen anywhere. This scam depends on you paying a restaurant/bar bill in cash, usually with a €50 note. The waiter will take your payment, then return shortly after, apologetically telling you that the note is a fake and that you need to pay again. He will return the "fake" bill to you, and any change you're due. Of course, you gave him a REAL note, he gave you a FAKE note, and you gave him a second real note, so you paid €100 for a €50 meal. What I do now is write unobtrusively on all large notes I get, so I can challenge them if it happens to me.
Clever technique to put a checksum into the bill total when you add a tip at a restaurant.
I don't know how common tip fraud is. This thread implies that it's pretty common, but I use my credit card in restaurants all the time all over the world and I've never been the victim of this sort of fraud. On the other hand, I'm not a lousy tipper. And maybe I don't frequent the right sort of restaurants.
It's easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay for and receive your food. The video demonstrates the attack at a McDonald's in -- I assume -- France.
Wait until there is someone behind you and someone in front of you. Don't order anything at the first window. Tell the clerk that you forgot your money and didn't order anything. Then drive to the second window, and take the food that the person behind you ordered.
It's a clever exploit. Basically, it's a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.
It's relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system's optimization.
So if not a lot of people do this, the vulnerability will remain open.
EDITED TO ADD (9/20): The video has been removed from YouTube. It's available here.
Next week is the RSA Conference in San Jose, CA. I will speak on "The Economics of Security" at 4:30 PM on the 14th, and again on "Why Security Has So Little to Do with Security" at 2:00 PM on the 15th. I will also participate in a main-stage panel on ID cards at 8:00 AM on the 16th.
Also, my wife and I have written a 110-page restaurant guidebook for the downtown San Jose area. It's a fun read, even if you aren't looking for a San Jose restaurant. (Do people know that I write restaurant reviews for the Minneapolis Star Tribune?)
The restaurant guide will be available at the conference -- and of course you can download it -- but I have a few hundred to give away here. I'll send a copy to anyone who wants one, in exchange for postage. (It's not about the money, but I need some sort of gating function so that only those actually interested get a copy.)
Cost is $2.50 if you live in the U.S., $3.00 for Canada/Mexico, and $6.00 elsewhere. I'll accept PayPal to my e-mail address, or a check to Bruce Schneier, Counterpane Internet Security, Inc., 1090A La Avenida, Mountain View, CA 94043. Sorry, but I can't accept credit cards directly.