Toronto Man Scammed Over $2,000 by McDonald’s Mobile App

[Hydrogen]

Back in February, a Halifax woman claimed the McDonald’s mobile app resulted in a fraudster getting access to her payment details and spending $500 on a fast food bingefest.

Now, it appears more reports are coming in, with the latest seeing one Toronto man losing $2,000 via the McDonald’s mobile app, by yet another ‘Hamburglar’.

MobileSyrup’s Patrick O’Rourke is telling everyone to delete the McDonald’s mobile app, as he fell victim to fraudsters spending over $2,000 in fast food using his BMO debit card, linked to the app.

O’Rourke says he discovered the fraud after noticing his mobile orders were unable to complete. The scammers spent his money at various McDonald’s locations in Montreal.

McDonald’s issued the following statement regarding the matter, saying:

“I can tell you that every day, thousands of Canadians order, collect and pay for McDonald’s food and beverages on their smartphone through the My McD’s app. As you know, mobile ordering is quickly growing in popularity with all retailers, especially at McDonald’s.

While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure. McDonald’s also does not collect or store credit card information as My McD’s app only holds a token with the payment provider to allow purchases (I trust given your expertise you understand what “token” means).

Just like any other online activity, we recommend our guests be diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”

For now, O’Rourke says he’s caught in the middle with both McDonald’s and BMO pointing fingers at each other regarding the lost money. He is out $2,000 and it appears a long road is ahead to recover the money. The situation may have been different if a credit card was linked to the account instead of debit, as unauthorized purchases can usually be reversed when disputed, especially when scams are involved.

This does not appear to be an isolated event, as many users on RFD have recently also been saying they have been scammed by the McDonald’s app.

The MyMcD’s iOS app does not feature Apple Pay for in-app payments, but it should, it seems like. Two-factor authentication for logging into the app may be worth considering as well.

How to remove your payment card from the MyMcD’s iOS app? Launch the app, click on the ‘More’ tab, then go to Profile > Payment Methods. Once you see your card, swipe it to the left and you’ll see an option to delete it.

Have you had any issues with the McDonald’s mobile app and someone else spending your money?

https://www.iphoneincanada.ca/news/toronto-man-scammed-2000-mcdonalds/

....


This news story is related to news of starbucks and other large franchises / retailers recently accepting bitcoin transactions:

https://bitcointalk.org/index.php?topic=5142884.0

Payment processing systems recently rolled out by mcdonald's and others have utilized vulnerable systems and questionable security practices. This could open the door to bitcoin and crypto currency based payment systems which could prove themselves to be more security oriented and reliable over the long term.

Countries like sweden which are lean heavily towards cashless societies and RFID implanted chips to execute financial transactions could be vulnerable to the type of attacks exploited in mcdonald's payment app. That's another news story relating to potential vulnerabilities which could use more coverage than its receiving atm.

[1714949732]

1714949732

[1714949732]

1714949732

[1714949732]

1714949732

[1714949732]

1714949732

[1714949732]

1714949732

[1714949732]

1714949732

[Ranly123]

Back in February, a Halifax woman claimed the McDonald’s mobile app resulted in a fraudster getting access to her payment details and spending $500 on a fast food bingefest.

Now, it appears more reports are coming in, with the latest seeing one Toronto man losing $2,000 via the McDonald’s mobile app, by yet another ‘Hamburglar’.

MobileSyrup’s Patrick O’Rourke is telling everyone to delete the McDonald’s mobile app, as he fell victim to fraudsters spending over $2,000 in fast food using his BMO debit card, linked to the app.

O’Rourke says he discovered the fraud after noticing his mobile orders were unable to complete. The scammers spent his money at various McDonald’s locations in Montreal.

McDonald’s issued the following statement regarding the matter, saying:

“I can tell you that every day, thousands of Canadians order, collect and pay for McDonald’s food and beverages on their smartphone through the My McD’s app. As you know, mobile ordering is quickly growing in popularity with all retailers, especially at McDonald’s.

While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure. McDonald’s also does not collect or store credit card information as My McD’s app only holds a token with the payment provider to allow purchases (I trust given your expertise you understand what “token” means).

Just like any other online activity, we recommend our guests be diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”

For now, O’Rourke says he’s caught in the middle with both McDonald’s and BMO pointing fingers at each other regarding the lost money. He is out $2,000 and it appears a long road is ahead to recover the money. The situation may have been different if a credit card was linked to the account instead of debit, as unauthorized purchases can usually be reversed when disputed, especially when scams are involved.

This does not appear to be an isolated event, as many users on RFD have recently also been saying they have been scammed by the McDonald’s app.

The MyMcD’s iOS app does not feature Apple Pay for in-app payments, but it should, it seems like. Two-factor authentication for logging into the app may be worth considering as well.

How to remove your payment card from the MyMcD’s iOS app? Launch the app, click on the ‘More’ tab, then go to Profile > Payment Methods. Once you see your card, swipe it to the left and you’ll see an option to delete it.

Have you had any issues with the McDonald’s mobile app and someone else spending your money?

https://www.iphoneincanada.ca/news/toronto-man-scammed-2000-mcdonalds/

....


This news story is related to news of starbucks and other large franchises / retailers recently accepting bitcoin transactions:

https://bitcointalk.org/index.php?topic=5142884.0

Payment processing systems recently rolled out by mcdonald's and others have utilized vulnerable systems and questionable security practices. This could open the door to bitcoin and crypto currency based payment systems which could prove themselves to be more security oriented and reliable over the long term.

Countries like sweden which are lean heavily towards cashless societies and RFID implanted chips to execute financial transactions could be vulnerable to the type of attacks exploited in mcdonald's payment app. That's another news story relating to potential vulnerabilities which could use more coverage than its receiving atm.

This maybe an isolated case but some large franchise who plan to adopt on blockchain and accept Bitcoin to be their means of payment would surely look for a much higher security. Most of the systems are prone to hacks yet, if they improve their securities then their vulnerability to it will be minimized.

[CryptoBry]

Now, it appears more reports are coming in, with the latest seeing one Toronto man losing $2,000 via the McDonald’s mobile app, by yet another ‘Hamburglar’

This is just another example why many of us feel like nothing can be safe in our interconnected and online world as there will always be weaknesses, vulnerabilities, bugs, back door exploits and similar problems that can affect any system. At the end of the day, the consumers are the ones bearing the burden as these big corporations can take time to solve similar incidents. I am looking forward for the time when the blockchain technology can be utilized to safeguard and secure these payment facilities so that we can enhance the trust and confidence of them...this news is not serving well for the mainstream adoption of bitcoin and the likes as third party infrastructures can be exploited by genius hackers and scammers.

[The Sceptical Chymist]

This is just another example why many of us feel like nothing can be safe in our interconnected and online world as there will always be weaknesses, vulnerabilities, bugs, back door exploits and similar problems that can affect any system.

True, but pockets have been getting picked since the beginning of pockets.  What we have here is just another form of it.

What amazes me is that these thieves went on a burger binge with the stolen loot--it's almost comical if it didn't suck so bad for the victims.  And I'm not sure if McDonald's is ready for bitcoin yet, for many of the same reasons why most fast food franchises aren't.  Confirmation times is the big one that sticks out in my mind from their side, and network fees are a concern from the consumer side.  We all know that there can be points where the network is congested and both fees and wait times are increased, and that makes it impractical for fast food, fast coffee, or fast anything. 

If anything, McD's would probably create their own coin instead of using bitcoin.  But I'm not sure if they're ready to adopt blockchain tech anytime soon.  We'll see, though.

[sheenshane]

These kinds of cases often happen in each and every mobile application/retailer e-commerce apps in the whole world.McDonald's have nothing to do with this case, they are not the one who this O'rourke could point out. However, Mcdonalds must look and search for the person who is doing this. (the Toronto guy)

On the internet, you must always make sure to take care of all your information and never ever provide it to any unauthorized person. This Toronto guy might know O'rourke personally or he already caught O'rourke as his victim using phishing sites or emails.

O'rourke must learn that he has to be more secure in the future to avoid these kinds of cases. Because honestly, if you know or familiar with these kinds of scams and frauds, you could avoid it to happen to you.

[Hydrogen]

These kinds of cases often happen in each and every mobile application/retailer e-commerce apps in the whole world.McDonald's have nothing to do with this case, they are not the one who this O'rourke could point out. However, Mcdonalds must look and search for the person who is doing this. (the Toronto guy)

On the internet, you must always make sure to take care of all your information and never ever provide it to any unauthorized person. This Toronto guy might know O'rourke personally or he already caught O'rourke as his victim using phishing sites or emails.

O'rourke must learn that he has to be more secure in the future to avoid these kinds of cases. Because honestly, if you know or familiar with these kinds of scams and frauds, you could avoid it to happen to you.

It is possible mcdonald's app thieves hang out in a nearby parking lot with a laptop running a WIFI packet sniffer recording all mobile app transactions. The data would be encrypted but depending upon the strength of the encryption utilized it can be vulnerable to attack. Similar methods have been utilized to rip RFID financial data from credit cards and chips with RFID enabled.

Crypto currency payment apps could have an advantage here if they interact only with a retail scanner, bypassing the WIFI or internet connectivity portion of electronic payment systems. That could make them less vulnerable to man-in-the-middle-attacks or financial data being intercepted. It will take time for details to emerge, if they are ever published or publicized.

[1Referee]

On the internet, you must always make sure to take care of all your information and never ever provide it to any unauthorized person.

Peolpe hand over their information to third parties without realizing that it isn't a good thing. I remember that last year there was some sort of a low value shopping voucher you could claim locally, but for that you had to fill in a detailed form requiring pretty much all your information.

The worst part is that it wasn't even one of the participating stores themselves, but a random third party. What I think happened in the background is that people's data has been sold and with a small chunk of that they bought the vouchers to give it to all the participants. Another risk here is that hackers can gain access to their servers and actually abuse it.

Just say no to all that nonsense and don't use public wifi hotspots. Nowadays everyone has high GB data bundles anyway, so why do you need that wifi?

[LeGaulois]

Every new technology comes with new problem types. But I admit $2.000 it's a lot of burgers to eat 
There is still a long time before merchants start to use crypto just because of an application failed unfortunately and client too... Since most of the time banks reimburse the loss, so they don't care much

[Indamuck]

The amouht is so small that Mcdonalds will just refund the victim. No payment method will ever be 100 percent safe.  Its really funny that the thief just bought more fast food, so they are the real loser in the end from the bad health effects.

[traderethereum]

First of all, I don't use MyMcD to buy, and I am very aware of using the apps on my mobile phone will give a hole for the attacker to use my private information.
But that will only happen if I install the unknown apps and I don't know if the developer is good or not.
I see on many apps that including the Payment section so the user can add their debit or credit card in the apps and that will give an attacker to try to penetrate the apps and try to steal your money.
It will need awareness from the user itself to add their payment card or let it empty so they can prevent from the attacker.
It is better not to add debit or credit card to any apps, and maybe we could only add the tokens inside the apps, so we only use the tokens without adding the debit or credit card inside the apps.

[Ailmand]

This simply means that any business which is connected to an online business app is risky. Everything that involves money online is hackable and we can't take control of that. It's just so sad that it's now hard to entrust and link our debit card to any mobile apps these days. We should just try to get rid of this process but focus on fiat payment method.

[BitHodler]

Since most of the time banks reimburse the loss, so they don't care much

Not sure how the situation is in your country, but I have noticed how banks here started to be less willing to compensate people for their own stupidity, which if you take off your anti bank cap, is understandable.

If you as bank continue to compensate people in every possible way, they won't care about internet security anymore because they automatically assume that the bank will just cough up the money as if nothing happened.

That's one of the reasons I like Bitcoin so much, you are pretty much forced to take internet security seriously because if you don't, you could lose your money and there is no one you can complain to.

[LeGaulois]

Since most of the time banks reimburse the loss, so they don't care much

Not sure how the situation is in your country, but I have noticed how banks here started to be less willing to compensate people for their own stupidity, which if you take off your anti bank cap, is understandable.

If you as bank continue to compensate people in every possible way, they won't care about internet security anymore because they automatically assume that the bank will just cough up the money as if nothing happened.

That's one of the reasons I like Bitcoin so much, you are pretty much forced to take internet security seriously because if you don't, you could lose your money and there is no one you can complain to.

Same here but we need often to insist to get a refund
- someone steals your card without the PIN code, the bank refunds the loss if any.
- someone steals your card with the PIN code, the bank refuses to refund anything, it considers it's your own fault. (The funny thing is we have insurance on VISA cards including the loss of means of payment etc. )
But nowadays it can be easy for some to steal the card and get the code (often at the supermarket or ATM) and banks don't get that.

[dothebeats]

Read the news as 'Florida Man' due to memes but..

Anyways, I don't think the McDonald's app is at fault in here tbh. It could be something else, and the hackers are just using the card for ordering fast food (which sucks, lol), and it appears that these hackers are fond of McDonalds. Most of the time, I see services just reimburse immediately in order to contain the situation but it seems that they don't want to do something and wanted to know everybody that their app is insecure anyway.

Not sure how the situation is in your country, but I have noticed how banks here started to be less willing to compensate people for their own stupidity, which if you take off your anti bank cap, is understandable.

If you as bank continue to compensate people in every possible way, they won't care about internet security anymore because they automatically assume that the bank will just cough up the money as if nothing happened.

Local banks here do not give out refunds and reimbursements easily even if its clearly their platform's fault. Lost almost a thousand dollars just 2 months ago due to their 'maintenance' and it is only last week that I have received the reimbursement which sucks because why do I need to fight for my money anyways? But then again there are still some people who are just plain stupid and still wants to get a refund to conceal their stupidity, boost their ego and not lost a single penny.

[Haunebu]

Damn. This is new. I don't think such a small scale attack could make the employers think about adopting BTC as a payment option, but a series of attacks could make them consider it sometime in the future.

Even if the attacks don't happen, I am expecting them to consider offering BTC as a payment option following the lead of other popular retailers like Starbucks etc.

[el kaka22]

LOL, HAMBURGLAR! That is freaking funny I don't know where these people get these nicknames from but that is awesome . Also, how the hell does someone spend 2 thousand dollars on mcdonalds? Like it is one of the cheapest food places in the whole world, even in countries where food could be more expensive (or cheaper doesn't matter) mcdonalds usually rank at the top of the list for cheap food places.

So, when you spend 2000 dollars on mcdonalds in Canada Toronto that is like probably over 100 burgers, which means either the person didn't actually buy the burgers but there was an inside job where cashiers help him get cash and pay with app and they made some money too, or dude didn't realize he was being robbed for weeks even months before he realized it.

[justspare]

Now, it appears more reports are coming in, with the latest seeing one Toronto man losing $2,000 via the McDonald’s mobile app, by yet another ‘Hamburglar’

This is just another example why many of us feel like nothing can be safe in our interconnected and online world as there will always be weaknesses, vulnerabilities, bugs, back door exploits and similar problems that can affect any system. At the end of the day, the consumers are the ones bearing the burden as these big corporations can take time to solve similar incidents. I am looking forward for the time when the blockchain technology can be utilized to safeguard and secure these payment facilities so that we can enhance the trust and confidence of them...this news is not serving well for the mainstream adoption of bitcoin and the likes as third party infrastructures can be exploited by genius hackers and scammers.

They are the problems of themselves, and I see it as all pride, whatever you wished for in this statement has already been covered by bitcoin and that is why satoshi created a more secured system that would make it difficult for any vulnerabilities.

We started having all these issues when many people wants to create their own payment system like satoshi and they don’t seems to get it right, I wonder what need is it for people to still continue to create an online payment apps that are not secured rather than depending on what satoshi has already worked out, I am sure by now, they would have been realizing that bitcoin payment processor is still the safest.

[Jating]

This is part and parcels of this kind of technology. Criminals tend to exploit it the minute they found vulnerabilities. But I'm quite surprised how those crooks are really sophisticated. With the advent of new technologies, comes a long a new breed of intelligent criminals playing around with the latest McDonald's app.

Need for those web app developers to step up as well, and for the public to be very very careful with thieves just around the corner.

[xvids]

This is why I don't trust those kind of services that ask you to put up your card details.
And this is why blockchain should be used in online transaction to secure the users information or account.
They need to upgrade their app's security system to prevent this from happening again.

[Adriano2010]

I also don't like when this happen, someone withdraw from card the money but somehow the ATM has some error and not get money from and also the bank not give him money because appear as withdraw, but i think crypto is here to solve that problem an more secure to make transaction.