TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

I tried to buy a coffee with McDonalds mobile app, instead I was defrauded $2000

47 points, by Aegis11, about 6 years ago

7 comments

floatingatoll, about 6 years ago
Has anyone wire-analyzed the McDonalds app? It seems likely they're trusting the app to provide "customer ID" and people are just using a mitmproxy to hack in random customer IDs, based on classical failures in this space. (I haven't been to a McDonalds in years, nor am I in Canada, so this isn't something I can analyze.)
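The failure floatingatoll describes (the backend trusting a "customer ID" supplied by the app) is a textbook insecure direct object reference. The following is an added illustration, not code from the article or from McDonald's: a constructed order handler that authenticates the session but charges whatever customer_id the client sends, beside the hardened version that derives the customer from the session alone. The session store, wallet and request shapes are all invented for the example.

```python
# Constructed data standing in for a session store and a card vault.
# Nothing here is a real backend; it shows why a server must never look up
# a customer's stored card by an ID the client chose.
SESSIONS = {"sess-alice": "cust-1001", "sess-mallory": "cust-2002"}
WALLETS = {"cust-1001": "tok-alice-visa", "cust-2002": "tok-mallory-mc"}


class Forbidden(Exception):
    """Raised when a request fails authorization."""


def order_insecure(request: dict) -> dict:
    """Vulnerable handler: checks that *some* session exists, then charges
    whichever customer_id the client put in the body. Any logged-in user can
    charge any other customer's stored card by editing that one field."""
    if request["session"] not in SESSIONS:
        raise Forbidden("not logged in")
    customer_id = request["body"]["customer_id"]  # attacker-controlled
    return {"charged_customer": customer_id, "payment_token": WALLETS[customer_id]}


def order_secure(request: dict) -> dict:
    """Hardened handler: the customer identity comes from the session only.
    A customer_id in the body is at most a consistency check and is never
    used for the lookup."""
    customer_id = SESSIONS.get(request["session"])
    if customer_id is None:
        raise Forbidden("not logged in")
    claimed = request["body"].get("customer_id")
    if claimed is not None and claimed != customer_id:
        raise Forbidden("customer_id in body does not match the session")
    return {"charged_customer": customer_id, "payment_token": WALLETS[customer_id]}


def demo() -> tuple:
    """Mallory, logged in as cust-2002, submits an order naming cust-1001,
    the kind of request someone with mitmproxy would craft."""
    mallory = {"session": "sess-mallory",
               "body": {"customer_id": "cust-1001", "item": "coffee"}}
    leaked = order_insecure(mallory)["payment_token"]
    try:
        order_secure(mallory)
        blocked = False
    except Forbidden:
        blocked = True
    honest = order_secure({"session": "sess-mallory", "body": {"item": "coffee"}})
    return leaked, blocked, honest["charged_customer"]


if __name__ == "__main__":
    print(demo())
```

The check that matters is the lookup key: `order_secure` never reads an identifier from the body to decide whose card to charge, so proxying and editing the request changes nothing.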
tynpeddler, about 6 years ago
I have so many questions.

How exactly does this tokenization of the cards work? If the token is equivalent to the card, then it doesn't really provide any security since theft of the token would still allow the thief to buy things.

Does McDonald's do any fingerprinting of the user device? It seems like the token should be encrypted using the device fingerprint to ensure that the token can only be used from the device itself.

What encryption does the McD's app use to talk to their servers? Is someone snooping tokens, device fingerprints and user credentials to pull this off?

How has a card network not put a boot to McDonald's ass yet? I know McDonalds is big, but so are the card networks and the card networks are very serious about PCI data.

How does the refund process work around this app? It seems hard to believe that one person is eating all the food that's being ordered. So either the thief is a very fat man, is a Robin Hood figure who distributes McD's to the poor, or has figured out a flaw in the McDonalds process that lets him refund transactions in such a way that he can recover the cash value, or cash equivalent, of the order. The last seems most likely to me.
Comment #19751899 not loaded
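tynpeddler's point is that a card token which can be replayed from anywhere is just a second card number. One way to make a token useless outside the enrolled device, added here as an illustration and not a description of how the McDonald's app actually works: bind each token to a per-device secret at enrollment and require every charge to carry a signature over the token, amount, nonce and timestamp made with that secret. The server, token format, key handling and request fields below are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class PaymentServer:
    """Constructed toy backend. A card token is a random reference to the
    vaulted card and is useless on its own: every charge must be signed by
    the secret key of the device the token was enrolled on."""

    def __init__(self):
        self.tokens = {}        # token -> {"customer": str, "device_key": bytes, ...}
        self.used_nonces = set()

    def enroll(self, customer_id: str, card_pan: str):
        """Vault the card and bind the resulting token to a fresh per-device
        key. The key goes to the device once and must never leave it."""
        token = "tok_" + secrets.token_hex(8)
        device_key = secrets.token_bytes(32)
        self.tokens[token] = {"customer": customer_id, "device_key": device_key,
                              "pan_last4": card_pan[-4:]}
        return token, device_key

    @staticmethod
    def message(token: str, amount_cents: int, nonce: str, ts: int) -> bytes:
        """Canonical bytes covered by the device signature."""
        return f"{token}|{amount_cents}|{nonce}|{ts}".encode()

    def charge(self, token, amount_cents, nonce, ts, signature, now=None) -> str:
        """Return 'approved' or the reason the charge was refused."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None:
            return "unknown token"
        if abs(now - ts) > 60:           # bounds how long a capture stays useful
            return "stale request"
        if nonce in self.used_nonces:    # an exact replay of a captured request
            return "replay"
        expected = hmac.new(rec["device_key"],
                            self.message(token, amount_cents, nonce, ts),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "bad device signature"
        self.used_nonces.add(nonce)
        return "approved"


def sign_request(device_key: bytes, token, amount_cents, nonce, ts) -> str:
    """What the enrolled device does for each order it places."""
    return hmac.new(device_key, PaymentServer.message(token, amount_cents, nonce, ts),
                    hashlib.sha256).hexdigest()


def demo() -> dict:
    server = PaymentServer()
    token, device_key = server.enroll("cust-1001", "4111111111111111")
    ts = 1_700_000_000
    sig = sign_request(device_key, token, 450, "n1", ts)
    results = {"legit": server.charge(token, 450, "n1", ts, sig, now=ts)}
    # A thief who captured the whole request on the wire tries to replay it.
    results["replay"] = server.charge(token, 450, "n1", ts, sig, now=ts + 5)
    # A thief who has only the token tries a new $2000 order from another device.
    forged = sign_request(b"not the device key", token, 200_000, "n2", ts + 5)
    results["stolen_token"] = server.charge(token, 200_000, "n2", ts + 5, forged, now=ts + 5)
    # Reusing the captured signature with a changed amount also fails.
    results["tampered"] = server.charge(token, 200_000, "n3", ts, sig, now=ts)
    return results


if __name__ == "__main__":
    print(demo())
```

A production design would keep the device key in the phone's secure element as an asymmetric key pair and verify with the public key, so the server never holds anything a database breach could turn into a usable device credential; the HMAC here is only to keep the example short.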
PaulHoule, about 6 years ago
Is that really fraud or did the wires get crossed?

It's hard to believe an individual could eat $2000 of McDonald's food in two weeks. (For that matter, that someone could eat a poutine and not go to the ER afterwards...)
Comment #19752003 not loaded
voskiabout 6 years ago
I find myself not actually giving out my real credit card or debit card number to companies now a days. Everyone wants to store your card info but I can’t trust them to not have a security breach.<p>There is an app called Privacy. I just generate a one time use or locked to merchant card with a limit.
mindslight, about 6 years ago
I don't understand this trend of outraging at incompetent merchants as if they've caused anything more than a minor inconvenience - talking about "my money" and going so far as to claim you were "defrauded" [0] - as opposed to simply following your card's dispute process which will predictably set the situation right. They sound a little less friendly in Canada, but seem to have the same shape - dispute the charge, receive a new card, some months later receive a closure letter that you scan for your records, done.

I can see it being stressful the first time if you aren't aware how it works, which is why I'm writing this comment. But after going through it, it should be fairly clear that this is just a routine part of the payments system. Hearing "take it up with your bank" from a merchant's customer service is actually a nice thing - it means you don't have to waste more time trying to straighten things out with them directly.

The process is definitely an annoying artifact of basing a payments system on 23 digit (76 bit) widely-shared-secrets. But keep in mind the whole thing is actually friendlier than an irreversible (eg Bitcoin) or even worse an assumed-to-be-foolproof system would be, and I say that as a fan of bearer instruments.

[0] McDonalds is the party that was defrauded.
cmurf, about 6 years ago
I keep seeing this bad advice: "we recommend ... changing passwords frequently" from large corporations who can certainly afford to hire people who know better, and double check the veracity of PR statements they issue. So what sort of incompetency is this?

The article also doesn't go into any detail on how the fraud is happening, whether the app itself is compromised, or something in McDonald's app payment backend is compromised. Which is worse? Both seem incredible.
Comment #19760336 not loaded
socrates1998, about 6 years ago
Jesus, you would think a billion dollar company would give a shit about its customers.