
I tried to buy a coffee with McDonalds mobile app, instead I was defrauded $2000 - Aegis11
https://mobilesyrup.com/2019/04/23/mcdonalds-mobile-app-defrauded-2000-dollars/
======
floatingatoll
Has anyone wire-analyzed the McDonalds app? It seems likely they're trusting
the app to provide "customer ID" and people are just using a mitmproxy to hack
in random customer IDs, based on classical failures in this space. (I haven't
been to a McDonalds in years, nor am I in Canada, so this isn't something I
can analyze.)

------
tynpeddler
I have so many questions.

How exactly does this tokenization of the cards work? If the token is
equivalent to the card, then it doesn't really provide any security since
theft of the token would still allow the thief to buy things.

Does McDonald's do any fingerprinting of the user device? It seems like the
token should be encrypted using the device fingerprint to ensure that the
token can only be used from the device itself.

What encryption does the McD's app use to talk to their servers? Is someone
snooping tokens, device fingerprints and user credentials to pull this off?

How has a card network not put a boot to McDonald's ass yet? I know McDonalds
is big, but so are the card networks and the card networks are very serious
about PCI data.

How does the refund process work around this app? It seems hard to believe
that one person is eating all the food that's being ordered. So either the
thief is a very fat man, is a Robin Hood figure who distributes McD's to the
poor, or has figured out a flaw in the McDonalds process that lets him refund
transactions in such a way that he can recover the cash value, or cash
equivalent, of the order. The last seems most likely to me.

~~~
aeternus
Tokens are equivalent to your card, but only at a specific merchant. This can
still be a problem for large merchants but is much less of a problem compared
to a thief being able to use your account # anywhere.

The most likely cause here is just a guessed password. Tokens are typically
stored server-side, it is possible but unlikely that the McD app is doing
something like passing that un-encrypted.

With the number of password lists online, it is very easy for thieves to try a
leaked password you've used on another site. Especially if the app does not
have proper login rate-limiting.

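The credential-stuffing scenario described above (leaked passwords tried against an app without proper login rate-limiting), as an added illustration that is not part of this thread and not McDonald's code: a detector run over constructed authentication log lines that flags one source failing against many accounts, flags one account hammered from one source, and replays the same log through a sliding-window failure limiter keyed by both account and source. The log format, field names and thresholds are assumptions made for the example.

```python
# Added example: credential-stuffing detection and login failure rate limiting.
# Log format, field names and thresholds are constructed assumptions, not
# McDonald's real telemetry.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: 203.0.113.5 sprays leaked passwords across accounts
# and gets one hit; 198.51.100.7 is a user mistyping once; 192.0.2.9 hammers
# one account.
SAMPLE_LOG = """\
2019-04-20T10:00:01Z auth result=fail ip=203.0.113.5 user=alice
2019-04-20T10:00:02Z auth result=fail ip=203.0.113.5 user=bob
2019-04-20T10:00:02Z auth result=fail ip=203.0.113.5 user=carol
2019-04-20T10:00:03Z auth result=ok ip=203.0.113.5 user=erin
2019-04-20T10:00:30Z auth result=fail ip=198.51.100.7 user=alice
2019-04-20T10:00:31Z auth result=ok ip=198.51.100.7 user=alice
2019-04-20T10:05:00Z auth result=fail ip=192.0.2.9 user=grace
2019-04-20T10:05:02Z auth result=fail ip=192.0.2.9 user=grace
2019-04-20T10:05:05Z auth result=fail ip=192.0.2.9 user=grace
2019-04-20T10:05:06Z auth result=fail ip=192.0.2.9 user=grace
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$")
WINDOW = timedelta(seconds=60)

def parse_log(text):
    """Parse key=value lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_spray(events, min_accounts=3, window=WINDOW):
    """One source failing against many distinct accounts inside the window.
    Per-account lockouts never fire on this pattern (one failure per account),
    so count per source. Returns {ip: accounts that then logged in from it}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        recent = deque()  # (ts, user) of failures still inside the window
        for ev in evs:
            while recent and ev["ts"] - recent[0][0] > window:
                recent.popleft()
            if ev["result"] == "fail":
                recent.append((ev["ts"], ev["user"]))
            if len({u for _, u in recent}) >= min_accounts:
                findings[ip] = sorted({e["user"] for e in evs if e["result"] == "ok"})
    return findings

def detect_brute_force(events, max_fails=3, window=WINDOW):
    """(source, account) pairs with max_fails or more failures inside the window."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            by_pair[(ev["ip"], ev["user"])].append(ev["ts"])
    flagged = []
    for pair, times in by_pair.items():
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_fails:
                flagged.append(pair)
                break
    return sorted(flagged)

def replay_with_limiter(events, limit=3, window=WINDOW):
    """Replay the log through a sliding-window failure limiter keyed by account
    AND by source: after `limit` failures on a key inside `window`, attempts on
    that key are refused until the old failures age out. Returns {account:
    refused attempts}. The source key is what stops the spray, where each
    account fails only once."""
    fails = defaultdict(deque)
    def allowed(key, ts):
        q = fails[key]
        while q and ts - q[0] > window:
            q.popleft()
        return len(q) < limit
    refused = defaultdict(int)
    for ev in events:
        keys = (("user", ev["user"]), ("ip", ev["ip"]))
        if not all(allowed(k, ev["ts"]) for k in keys):
            refused[ev["user"]] += 1
        elif ev["result"] == "fail":
            for k in keys:
                fails[k].append(ev["ts"])
    return dict(refused)

EVENTS = parse_log(SAMPLE_LOG)
```

Running the three functions over `EVENTS` shows the two signatures side by side: the brute-force check catches only the hammered account, while the spray check catches the source that touched three accounts and names the one account it got into, and the replay shows that a limiter keyed on source as well as account would have refused both the spray's successful login and the fourth attempt on the hammered account.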
------
PaulHoule
Is that really fraud or did the wires get crossed?

It's hard to believe an individual could eat $2000 of McDonald's food in two
weeks. (For that matter, that someone could eat a poutine and not go to the ER
afterwards...)

~~~
whitepoplar
Maybe they purchased gift cards to resell?

~~~
PaulHoule
I saw a screen that showed what looked like a large number of meals.

~~~
craftinator
I noticed that as well. My best (and most paranoid) guess is that this is
being done by McDonald's employees. Not the ones working at the stores, but
ones that run the systems. They capture card info on new subscribers, then
generate a bunch of bogus orders. Because they work with the systems, covering
tracks is a lot easier. Does this sound plausible to anyone else?

~~~
PaulHoule
It seems like they'd get caught sooner or later.

~~~
Kalium
Yeah, I would think that inventory would begin to show discrepancies in time.
If records say you sold one thousand fish sandwiches but stock says you sold
one hundred, and this keeps happening, there might be some questions asked.

------
voski
I find myself not actually giving out my real credit card or debit card number
to companies nowadays. Everyone wants to store your card info but I can't
trust them to not have a security breach.

There is an app called Privacy. I just generate a one time use or locked to
merchant card with a limit.

------
mindslight
I don't understand this trend of outraging at incompetent merchants as if
they've caused anything more than a minor inconvenience - talking about "my
money" and going so far as to claim _you_ were "defrauded" [0] - as opposed to
simply following your card's dispute process which will predictably set the
situation right. They sound a little less friendly in Canada, but seem to have
the same shape - dispute the charge, receive a new card, some months later
receive a closure letter that you scan for your records, done.

I can see it being stressful the first time if you aren't aware how it works,
which is why I'm writing this comment. But after going through it, it should
be fairly clear that this is just a routine part of the payments system.
Hearing "take it up with your bank" from a merchant's customer service is
actually a nice thing - it means you don't have to waste more time trying to
straighten things out with them directly.

The process is definitely an annoying artifact of basing a payments system on
23 digit (76 bit) widely-shared-secrets. But keep in mind the whole thing is
actually friendlier than an irreversible (e.g. Bitcoin) or even worse an
assumed-to-be-foolproof system would be, and I say that as a fan of bearer
instruments.

[0] McDonalds is the party that was defrauded.

------
cmurf
I keep seeing this bad advice: _we recommend ... changing passwords
frequently_ from large corporations who can certainly afford to hire people
who know better, and double check the veracity of PR statements they issue. So
what sort of incompetency is this?

The article also doesn't go into any detail how the fraud is happening, if the
app itself is compromised, or something in McDonald's app payment backend is
compromised. Which is worse? Both seem incredible.

~~~
username444
I sell products online in Canada, and 90% of our credit card fraud comes from
Montreal. It's an absolute cesspool of activity like this. It's a huge center
of money activity in Canada, and they're only getting more aggressive.

We've made several fraud reports with the various agencies and banks, as well
as with the Montreal police.

The Montreal police are to blame here - there's absolutely zero willingness to
investigate and pursue this.

I'd put money on this being an inside job. One of the contractors working for
McDonald's Canada has a backdoor or way of copying card information, and is
selling access to multiple people in a network. This isn't one person making
these transactions, it's a network of people.

------
socrates1998
Jesus, you would think a billion dollar company would give a shit about its
customers.

