Cheddar’s is a restaurant that I hardly go to (Other than today, I’ve been once last year with a group, and several times about 13-14 years ago). But there is one close to where I live and I fondly remember their Monte Cristo sandwiches and thought it would be a great place to try again.
I sign up and I get sent some coupons for free Chips and Queso, and a promise to send me a birthday coupon for a free dessert when the time comes. Great.
I try to use these coupons but I just get told “Sorry, but this coupon has expired or not valid” (the code is not expired and the coupon is valid, unless they’re sending out invalid coupons).
I message their customer relations people who are not very helpful. They just say “Oh try using the website instead of the app”. The website gives the same error as the app.
But they tell me something curious: “The code is valid when I [the CSR] use it”, meaning they went through the process of creating an order (but presumably stopped short of actually making the order) and the code was accepted.
I try to create new accounts and get the same thing. Apparently my shit-list status carries over to new accounts (implying either an IP-address level ban on the server, or something in the app that tells them I’m the same guy when I create a new account without first uninstalling the app completely).
So here’s what I did to finally narrow this down and work around the issue:
- Uninstall the app and delete all of its data from my phone and then reinstall it. (My understanding is that apps can’t uniquely identify your device unless they request permission and you allow them to)
- Turn off WiFi (so that my connection just appears to be that of a regular NAT’d cell phone data user)
- Temporarily disable the IPSEC tunnel on my phone (one of the things I suspect might have triggered the shitlist flag)
Then I take these measures:
- Start the app but don’t give it any data that might suggest it is me. This means:
  - No granular location data (iOS lets you give it imprecise location data, i.e. it might tell the app you’re a mile or two from your actual location)
  - For the order, I gave it the phone number of someone (who agreed to it) with a real cell phone that isn’t tied to me and was never used for a Cheddar’s account. I thought about using a Google Voice number but thought better of it (in case they’re screening for “VoIP”-type services being used)
  - I don’t actually sign into an account and just check out as a guest.
Guess what? The “invalid” or “expired” coupon suddenly works!
What gives, Cheddar’s? I can’t be accused of abusing something I haven’t even had a chance to use yet. I haven’t been kicked out of a Cheddar’s before either.
Here are some thoughts on what MIGHT have happened:
- Some apps / websites use “VPN detection” which looks at the MSS of the path between you and them. If your MSS is deemed “suspicious”, you might get flagged as a VPN and forbidden from using their services on the grounds that you’re hiding something from them / a probable cyber-criminal / whatever. I’ve encountered a small number of websites that do this. In my case, I use an IPSEC tunnel on all my personal devices that goes to an IPSEC gateway at my own house to protect my traffic and to grant me access to self-hosted resources that I don’t open up to the Internet. Nothing nefarious about that.
- I’m on the mailing list of other Darden Restaurants. In particular Olive Garden sent me two birthday coupons the last time I had a birthday. I don’t know why, but I was happy to oblige their generosity. Did I get on the “shit list” for something that was entirely their fault (i.e. enjoying two birthday cake slices when maybe they only intended for me to have one?).
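
The MSS heuristic from the first bullet above, as an added example that is not part of the original post: it reads the MSS option out of a TCP SYN header and applies a hypothetical “below 1460 is suspicious” rule, showing that an ordinary PPPoE broadband line trips it just as a tunnel does. The function names, the threshold rule and the sample MSS values are assumptions constructed for illustration, not anything known about the app’s backend.

```python
import struct

ETHERNET_MSS = 1460  # 1500-byte MTU minus 20-byte IPv4 and 20-byte TCP headers

def build_syn(mss):
    """Constructed sample input: a bare TCP SYN header with one MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)            # kind 2 = MSS, length 4
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002  # data offset + SYN
    return struct.pack("!HHIIHHHH", 50000, 443, 1, 0,
                       offset_flags, 65535, 0, 0) + options

def syn_mss(tcp_header):
    """Return the MSS a SYN advertises, or None if absent or malformed."""
    if len(tcp_header) < 20:
        return None
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    end = (offset_flags >> 12) * 4                       # header length in bytes
    if not offset_flags & 0x002 or end < 20 or end > len(tcp_header):
        return None
    i = 20
    while i < end:
        kind = tcp_header[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP padding
            i += 1
            continue
        if i + 1 >= end:
            return None
        length = tcp_header[i + 1]
        if length < 2 or i + length > end:
            return None
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp_header[i + 2:i + 4])[0]
        i += length
    return None

def naive_flag(mss):
    """Hypothetical rule: any MSS below plain Ethernet is treated as a VPN."""
    return mss is not None and mss < ETHERNET_MSS

# Constructed samples; 1452 is what a 1492-byte PPPoE MTU yields, 1360 is made up.
SAMPLES = {"plain ethernet": 1460, "pppoe broadband": 1452, "home tunnel": 1360}

def flagged_clients():
    return sorted(n for n, m in SAMPLES.items() if naive_flag(syn_mss(build_syn(m))))

if __name__ == "__main__":
    print(flagged_clients())
```

A reduced MSS only says that something on the path shrank the MTU; it says nothing about why, which is how a rule like this ends up flagging ordinary customers.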
So my conclusion and complaint (to app developers) is this – it’s fine to want to protect your services from abuse. It’s not fine to treat paying customers as would-be criminals and then give them no clues why they’re trapped in this mess or how to resolve it.
If you think something suspicious is going on, tell them to contact support (don’t give vague errors that don’t really hint at the problem) and empower your CSRs to resolve it. Cheddar’s CSRs had no clue what was going on and didn’t know what to do other than suggest I try ordering through the website instead.
What did I actually do wrong to deserve this? I have no idea and nobody is able to tell me! I’m kinda not sure I want to continue eating here now.