Remember meForgot password?
    Log in with Twitter

article imageI'm hatin' it — McDonalds app users hacked by hamburglar

By Karen Graham     Apr 23, 2019 in Internet
Montreal - For the past several months, hamburglars have been on the loose in Canada, hacking into mobile phone user's McDonald's apps. They have hijacked people's accounts and ordered hundreds of dollars of food for themselves.
Lauren Taylor of Halifax, Nova Scotia told CBC Canada someone spent almost $500 of her money on fast food during a five-day period from January 25th to the 29th. It does leave you to wonder how anyone could down $100 a day worth of McDonald's without getting a serious belly-ache.
Taylor didn't check her emails for several days, but when she did, there were dozens of order confirmations in her email inbox with the last four digits of her Visa debit card between Jan. 25-29. Strangely enough, all the orders were made in Montreal. When she checked her bank account, she had $1.99 left.
McDonald s Canada s  Keep Calm  Caesar On  crispy chicken salad.
McDonald's Canada's "Keep Calm, Caesar On" crispy chicken salad.
McDonald's Canada
Whoever it was, they ate all day every day for five days, consuming everything from large fries, Big Macs, poutine, junior chicken meals, Filet-O-Fish sandwiches, McDouble burgers, bacon and hashbrown, McWraps, Egg McMuffins, and hot cakes.
McDonald's Canada responded, saying there was no security breach on the McD's app. "We take appropriate measures to keep personal information secure, including on our app," Ryma Boussoufa, a company spokesperson, wrote in an email.
"Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently."
Sounds like an answer, all right - but Taylor doesn't know anyone in Quebec and on top of that, she has never been to Quebec. "This is an app that's supposed to be secure," she said. "So why do I live in Nova Scotia and why is my card being used in Quebec? That's crazy."
A McCafe mug
A McCafe mug
Flickr user Heikolon (CC BY-ND 2.0)
Delete the McDonald's app
This is what MobileSyrup’s Patrick O’Rourke is telling everyone after he was cleaned out to the tune of $2,000. And it was all because he wanted a cup of coffee.
O'Rourke wanted a cup of coffee while on his way to work one morning. Rather than wait in a long line at McDonald's, he downloaded the McDonald’s mobile order app - added his debit MasterCard to the app - ordered his coffee, and to his surprise, found that while his debit card information was added correctly, his transaction had failed.
O'Rourke writes, "I joined the line at McDonald’s and waited for my turn at the cash. The cashier explained that she didn’t know why the order didn’t go through, but that the information related to my order was in McDonald’s’ systems."
He tried ordering coffee the next morning and got the same bad results. This is when he decided the app wasn't worth the hassel. "Little did I know how bad McDonald’s iOS and Android mobile app really is," he said.
McDonald's Canada
About two weeks later, O'Rourke discovered nearly $2,000 had been drained from his bank account through transactions from various McDonald’s locations across Montreal. Most of the over 100 transactions were completed in a period of about two days, with none of them being over $20.
But just like Lauren Taylor and her hamburglar, O'Rourke's hamburglar must love poutine because he or she upgraded the fries in the meal to poutine. O'Rourke says it is surprising that McDonald's doesn't have a safeguard in place that picks up on multiple, successive transactions.
Apparently, the company assumes that ‘hey, this guy must really like Filet-O-Fish enough to order hundreds of sandwiches in just a few hours," says O'Rourke.
Adam Grachnik, McDonald’s senior manager of external communications in Canada, said in a statement: "I can tell you that every day, thousands of Canadians order, collect and pay for McDonald’s food and beverages on their smartphone through the My McD’s app. As you know, mobile ordering is quickly growing in popularity with all retailers, especially at McDonald’s.
While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure. McDonald’s also does not collect or store credit card information as My McD’s app only holds a token with the payment provider to allow purchases (I trust given your expertise you understand what “token” means).
Just like any other online activity, we recommend our guests be diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”
A McDonald s Happy Meal
A McDonald's Happy Meal
Calgary Review (CC BY 2.0)
It has happened before and quite often
The bottom line to all this? These two incidents are not isolated cases. There have been many incidents reported to the police and McDonald's dating back over several years. In January 2017, cybersecurity engineer Tijme Gommers announced he had found a vulnerability showing how to steal customer passwords from the McDonalds website.
And in the same year, McDonald's India customers were asked to upgrade their apps after it was found a breach in the app had disclosed personal information on 2.2 million customers.
The fast-food company would like to blame the hacking on customers not using a strong enough password. The McDonalds app requires passwords to be eight to 12 characters long, with upper and lowercase characters and at least one number. The only thing safer than that is to delete the app.
More about Mcdonalds, mobile app, Hackers, multiple hacks, Canada
Latest News
Top News