Hamburglar strikes again, feasts on $2k in meals using customer's McDonald's app
cbc.ca
I saw a similar post on Reddit about a week ago (https://www.reddit.com/r/canada/comments/bgrl7n/canadian_mcd...)
From the top comment, speaking to support on the phone:
> "He then admitted that the issue was that The App would occasionally load the wrong user's account, which was allowing people to purchase using someone else's CC."
If that is what is happening, maybe it is similar to the caching issue Steam had when serving store pages a year or two ago.
> "I expected them to do the refund because it was their fault," he said. "It's their application. If it's not secure, they should take responsibility."
The internet has been retelling some version of this story forever: company system screws paying customer, and company refuses to help or even admit a problem.
Wow they just told him to deal with his bank. Be like getting mugged in a store and the store says to just go to the police, they have nothing to do with it. Pretty shallow...
It’s more like going to a store, and someone stealing $2k from you when you swipe your card in the store’s machine. Then the store telling you “sorry, it’s not our problem. Go talk to your bank”. This was McDonald’s app that McDonald’s owns and people trust them with their financial security. When McDonald’s fails terribly at this it affects everyone involved in apps. Trust is easy to lose, and extremely hard to gain back once it’s gone.
The movie "The Founder" sort of explains things.
This is a good PSA for never using a debit card online.
I don't think the MyMcD application allows use of Canadian debit cards, which can't generally be used online [0]. I think it only allows credit cards—I've tried adding a credit card to take advantage of a deal, but the app is so terrible that I gave up after 15 minutes.
[0] Canadian debit cards are secured through chip and PIN, and the number on the front isn't a secret. You can use things like online bill pay or Interac e-transfer (which is not really used by businesses), and some banks allow you to create a virtual Visa card that's attached to your chequing account, but debit cards themselves are physical tokens that can't be used online.
It took several tries but many years ago I got Bank of America to issue me a real debit card that couldn't be run without a PIN (no Visa logo). I haven't had success with any current banks, I assume because the Visa mode is more profitable.
I don't understand what the problem is. The victim didn't order that food and therefore should not pay for it.
As annoying as it is, this is why I hardly ever store my credit card online for “future use”
Were these users on the Android version of the app? Would this exploit be device agnostic or would something in how Android handles in-app payments have affected this? Does the platform matter here?