It could be taken as a sign of how competitive the order-ahead-and-pay feature has become in the rapidly developing market for mobile payments. In a lawsuit filed in federal court on May 2, CardFree Inc. has accused rival mobile-payments developer Scvngr Inc. of fraudulently accessing CardFree’s technology to process orders and payments with large restaurant chains.
Boston-based Scvngr, better known as LevelUp, exploited a flaw in the Android mobile operating system to generate fake accounts that gave LevelUp users access to CardFree’s system and opened the door to place orders with CardFree merchants, the suit alleges. CardFree’s platform supports mobile orders and payments for a number of national chains, including Dunkin’ Brands and Taco Bell. LevelUp claims links to 5,500 restaurant locations nationwide for payments, offers, and order-ahead capability, plus another 2,000 in Boston for order ahead only.
“LevelUp has been unable to offer the types of order-ahead service that CardFree has developed. In its efforts to market itself to larger merchants, it has represented to them that it had developed order-ahead technologies like those offered by CardFree. But LevelUp’s representations to potential clients were built upon a lie,” charges CardFree’s suit, filed in United States District Court for the Northern District of California.
San Francisco-based CardFree alleges the fraud affected “thousands” of transactions and “hundreds” of accounts, though a spokesperson says the company feels it has rooted out all of the fake accounts. The company is asking the court to enjoin LevelUp from its alleged conduct and demanding both compensation for costs and punitive damages. The suit also asks for a jury trial.
Representatives with LevelUp did not respond to repeated efforts to obtain comment. JPMorgan Chase & Co., which in September paid more than $10 million for a stake in LevelUp and is using the company’s technology as part of its Chase Pay mobile app, refused to comment on the case.
Mobile order-ahead-and-pay functionality is catching fire. Starbucks Corp., a pioneer in the service, introduced it in 2015 as part of its mobile app, and within a year found it was so successful that order-ahead customers were crowding out walk-ins in many of its stores. In March, meanwhile, fast-food kingpin McDonald’s Corp. said the feature would be available at all of its 14,000 U.S. stores by year’s end.
According to CardFree’s suit, the Android flaw allowed LevelUp to decompile the source code underlying the CardFree application. This in turn allowed the company to isolate a secure access token it could use to link to application programming interfaces on CardFree’s servers. While Android was the starting point, iPhone users were vulnerable, as well. “There isn’t the same vulnerability in iOS, but once the tokens were obtained they were used across platforms including iPhone,” says a CardFree spokesperson.
According to the lawsuit, “LevelUp embedded this fraudulently obtained token into its own application so that its customers using the application would unwittingly masquerade as users of a legitimate CardFree application and place orders using CardFree’s service.”
CardFree charges LevelUp then created bogus CardFree accounts that would allow its unknowing users to place orders with merchants it had no relationship with, though CardFree did. For these accounts, LevelUp used its headquarters ZIP code and a common date of birth as part of the requested credentials, a tactic that later became a clue that something was amiss, CardFree officials say. The company traced the Internet Protocol address where the transactions based on the bogus accounts were initiated. The trail led to LevelUp, says the suit.
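The clue described above (many accounts registered with one ZIP code and date of birth, with their transactions tracing back to one IP address) lends itself to an automated check on the server side. The following Python example is an added illustration, not code from CardFree or from the lawsuit; the record fields, sample data and thresholds are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data; field names, values and thresholds are assumptions.
ACCOUNTS = [
    {"id": "u1", "zip": "00000", "dob": "1990-01-01"},
    {"id": "u2", "zip": "00000", "dob": "1990-01-01"},
    {"id": "u3", "zip": "00000", "dob": "1990-01-01"},
    {"id": "u4", "zip": "00000", "dob": "1990-01-01"},
    {"id": "u5", "zip": "94105", "dob": "1985-06-12"},
    {"id": "u6", "zip": "94105", "dob": "1979-11-30"},
    {"id": "u7", "zip": "60614", "dob": "1990-01-01"},
]
ORDERS = [  # (account id, source IP of the API call); IPs are documentation ranges
    ("u1", "192.0.2.10"), ("u1", "192.0.2.10"), ("u2", "192.0.2.10"),
    ("u3", "192.0.2.10"), ("u4", "192.0.2.11"), ("u5", "198.51.100.7"),
    ("u6", "203.0.113.5"), ("u7", "203.0.113.9"),
]

def suspicious_clusters(accounts, orders, min_accounts=3, min_ip_share=0.6):
    """Flag groups of accounts that share a (ZIP, date of birth) pair and
    whose orders mostly come from a single source IP."""
    by_attrs = defaultdict(list)
    for acct in accounts:
        by_attrs[(acct["zip"], acct["dob"])].append(acct["id"])
    ips_by_account = defaultdict(list)
    for account_id, ip in orders:
        ips_by_account[account_id].append(ip)

    flagged = []
    for (zip_code, dob), ids in by_attrs.items():
        if len(ids) < min_accounts:
            continue  # a couple of people sharing a ZIP and birthday is normal
        ip_counts = Counter(ip for i in ids for ip in ips_by_account[i])
        if not ip_counts:
            continue  # accounts never ordered, so there is nothing to correlate
        top_ip, hits = ip_counts.most_common(1)[0]
        share = hits / sum(ip_counts.values())
        if share >= min_ip_share:
            flagged.append({"zip": zip_code, "dob": dob, "accounts": sorted(ids),
                            "top_ip": top_ip, "ip_share": round(share, 2)})
    return sorted(flagged, key=lambda c: len(c["accounts"]), reverse=True)

if __name__ == "__main__":
    for cluster in suspicious_clusters(ACCOUNTS, ORDERS):
        print(cluster)
```

Requiring both signals together keeps the check from flagging ordinary customers who merely share a ZIP code or sit behind a shared network address.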
“Through this scheme, LevelUp tricked its customers into believing that LevelUp had a relationship with a CardFree merchant, and could provide order-ahead services for that merchant,” the suit alleges. But LevelUp allegedly wasn’t always able to follow through. In some cases, the suit says, orders never arrived at the chosen location, possibly because of the awkwardness of “piggybacking” a LevelUp app on CardFree’s APIs. CardFree also charges that LevelUp pocketed tips offered by users, and did so even in cases where merchants did not accept tips.
All told, CardFree charges LevelUp with violations of the Computer Fraud & Abuse Act, the Digital Millennium Copyright Act, and the Stored Communications Act. The lawsuit is case number 3:17-cv-02514.