
Hamburglar strikes again, feasts on $2k in meals using customer's McDonald's app - t1o5
https://www.cbc.ca/news/business/mcdonald-s-app-fraudster-online-account-1.5113012
======
neetodavid
I saw a similar post on reddit about a week ago ([https://www.reddit.com/r/canada/comments/bgrl7n/canadian_mcd...](https://www.reddit.com/r/canada/comments/bgrl7n/canadian_mcds_app_is_not_safe/))

From the top comment, speaking to support on the phone:

> "He then admitted that the issue was that The App would occasionally load
> the wrong user's account, which was allowing people to purchase using
> someone else's CC."

If that is what is happening, maybe it is similar to the caching issue Steam
had when serving store pages a year or two ago.

------
irq-1
> "I expected them to do the refund because it was their fault," he said.
> "It's their application. If it's not secure, they should take
> responsibility."

The internet has been retelling some version of this story forever: company
system screws paying customer, and company refuses to help or even admit a
problem.

~~~
thatoneuser
Wow they just told him to deal with his bank. Be like getting mugged in a
store and the store says to just go to the police, they have nothing to do
with it. Pretty shallow...

~~~
codeddesign
It’s more like going to a store, and someone stealing $2k from you when you
swipe your card in the store’s machine. Then the store telling you “sorry, it’s
not our problem. Go talk to your bank”. This was McDonald’s app that
McDonald’s owns and people trust them with their financial security. When
McDonald’s fails terribly at this it affects everyone involved in apps. Trust
is easy to lose, and extremely hard to gain back once it’s gone.

~~~
m463
The movie "The Founder" sort of explains things.

------
rhinoceraptor
This is a good PSA for never using a debit card online.

~~~
frosted-flakes
I don't think the MyMcD application allows use of Canadian debit cards, which
can't generally be used online [0]. I think it only allows credit cards—I've
tried adding a credit card to take advantage of a deal, but the app is so
terrible that I gave up after 15 minutes.

[0] Canadian debit cards are secured through chip and PIN, and the number on
the front isn't a secret. You can use things like online bill pay or Interac
e-transfer (which is not really used by businesses), and some banks allow you
to create a virtual Visa card that's attached to your chequing account, but
debit cards themselves are physical tokens that can't be used online.

~~~
jdofaz
It took several tries but many years ago I got Bank of America to issue me a
real debit card that couldn't be run without a PIN (no Visa logo). I haven't
had success with any current banks, I assume because the Visa mode is more
profitable.

------
codedokode
I don't understand what the problem is. The victim didn't order that food and
therefore should not pay for it.

------
ydnaclementine
As annoying as it is, this is why I hardly ever store my credit card online
for “future use”

------
crsv
Were these users on the Android version of the app? Would this exploit be
device agnostic or would something in how Android handles in-app payments have
affected this? Does the platform matter here?

