18 comments

[ 3.2 ms ] story [ 51.4 ms ] thread
Is that really fraud or did the wires get crossed?

It's hard to believe an individual could eat $2000 of McDonald's food in two weeks. (For that matter, that someone could eat a poutine and not go to the ER afterwards...)

Maybe they purchased gift cards to resell?
I saw a screen that showed what looked like a large number of meals.
I noticed that is well. My best (and most paranoid) guess is that this is being done by McDonald's employees. Not the ones working at the stores, but ones that run the systems. They capture card info on new subscribers, then generate a bunch of bogus orders. Because they work with the systems, covering tracks is a lot easier. Does this sound plausible to anyone else?
It seems like they'd get caught sooner or later.
Yeah, I would think that inventory would begin to show discrepancies in time. If records says you sold one thousand fish sandwiches but stock says you sold one hundred, and this keeps happening, there might be some questions asked.
Has anyone wire-analyzed the McDonalds app? It seems likely they're trusting the app to provide "customer ID" and people are just using a mitmproxy to hack in random customer IDs, based on classical failures in this space. (I haven't been to a McDonalds in years, nor am I in Canada, so this isn't something I can analyze.)
I find myself not actually giving out my real credit card or debit card number to companies now a days. Everyone wants to store your card info but I can’t trust them to not have a security breach.

There is an app called Privacy. I just generate a one time use or locked to merchant card with a limit.

Seriously, what did you expect. You order crap food from a crap business and expect there to be a non-crap experience? Further you use a card which is non-single usage.

The only smart way is to NOT order McDonalds food. All their food is crap and makes you feel crap. The only way you can disagree to this is if you're simply unaware their offerings are total crap because you have no food culture and are not at all in touch with your body.

Downloading specific apps for specific businesses are a security risk. Use their webpage or pay at the counter. Also when dealing with shady outlets like McDonalds, use a virtual card for single usage. Plenty of providers will offer you this.

Let this be a lesson. Eating McDonalds means you don't value your health and body and using a non-single use card with such a merchant is asking for trouble.

This also shows the danger of having a card where the merchant can charge you whenever they feel like. Anybody who goes around with a single card and registers it with multiple apps and merchants are at risk at having their account emptied at any time. In that regard bitcoin is a much better solution, as it's a push, not a pull transaction. Anyone who reads this comment and still behave like the author will not have my sympathy when they're robbed.

Judgmental much? It might surprise you but most people eat things they enjoy that are not healthy.

How is ordering from the web any more or less of a security risk than an app? They are both probably using the same backend system and API.

But, I am very careful where I put my debit card. I use a credit card for almost any untrusted payment. Yes you can dispute both, but the money isn’t coming out of your account with a credit card.

The number of single vendor cards that I'd need to carry would be enormous. The idea of moving away from credit cards (inherently long lived payment authorizations) as a payment system is fabulous but in the meantime your idea is probably not realistic.
You're not wrong, you're just an asshole. A funny one, though.

The story is relevant, however, because we expect companies to protect personal and financial data even for people who are so profoundly foolish as to act against their own interest by patronizing them.

We accept that the tobacco companies sell an addictive product that causes cancer and COPD, among other diseases, but heaven help them if they should leak some customer data.

This is rather like Mrs. Lincoln complaining that she didn't get to see the end of the play.

I keep seeing this bad advice: we recommend ... changing passwords frequently from large corporations who can certainly afford to hire people who know better, and double check the veracity of PR statements they issue. So what sort of incompetency is this?

The article also doesn't go into any detail how the fraud is happening, if the app itself is compromised, or something in McDonald's app payment backend is compromised. Which is worse? Both seem incredible.

I sell products online in Canada, and 90% of our credit card fraud comes from Montreal. It's an absolute cesspool of activity like this. It's a huge center of money acitivity in Canada, and they're only getting more aggressive.

We've made several fraud reports with the various agencies and banks, as well as with the Montreal police.

The Montreal police are to blame here - theres absolutely zero willingness to investigate and pursue this.

I'd put money in this being an inside job. One of the contractors working for McDonald's Canada has a backdoor or way of copying card information, and is selling access to multiple people in a network. This isn't one person making these transactions, it's a network of people.

I have so many questions.

How exactly does this tokenization of the cards work? If the token is equivalent to the card, then it doesn't really provide any security since theft of the token would still allow the thief to buy things.

Does McDonald's do any fingerprinting of the user device? It seems like the token should be encrypted using the device fingerprint to ensure that the token can only be used from the device itself.

What encryption does the McD's app use to talk to their servers? Is someone snooping tokens, device fingerprints and user credentials to pull this off?

How has a card network not put a boot to McDonald's ass yet? I know McDonalds is big, but so are the card networks and the card networks are very serious about PCI data.

How does the refund process work around this app? It seems hard to believe that one person is eating all the food that's being ordered. So either the thief is a very fat man, is a Robin Hood figure who distributes McD's to the poor, or has figured out a flaw in the McDonalds process that lets him refund transactions in such a way that he can recover the cash value, or cash equivalent, of the order. The last seems most likely to me.

Tokens are equivalent to your card, but only at a specific merchant. This can still be a problem for large merchants but is much less of a problem compared to a thief being able to use your account # anywhere.

The most likely cause here is just a guessed password. Tokens are typically stored server-side, it is possible but unlikely that the McD app is doing something like passing that un-encrypted.

With the number of password lists online, it is very easy for thieves to try a leaked password you've used on another site. Especially if the app does not have proper login rate-limiting.

Jesus, you would think a billion dollar company would give a shit about it's customers.
I don't understand this trend of outraging at incompetent merchants as if they've caused anything more than a minor inconvenience - talking about "my money" and going so far as to claim you were "defrauded" [0] - as opposed to simply following your card's dispute process which will predictably set the situation right. They sound a little less friendly in Canada, but seem to have the same shape - dispute the charge, receive a new card, some months later receive a closure letter that you scan for your records, done.

I can see it being stressful the first time if you aren't aware how it works, which is why I'm writing this comment. But after going through it, it should be fairly clear that this is just a routine part of the payments system. Hearing "take it up with your bank" from a merchant's customer service is actually a nice thing - it means you don't have to waste more time trying to straighten things out with them directly.

The process is definitely an annoying artifact of basing a payments system on 23 digit (76 bit) widely-shared-secrets. But keep in mind the whole thing is actually friendlier than an irreversible (eg Bitcoin) or even worse an assumed-to-be-foolproof system would be, and I say that as a fan of bearer instruments.

[0] McDonalds is the party that was defrauded.