One recent morning, on my way to work I decided — like many people often do — to buy a coffee.
Rather than wait in a long line at Toronto’s Union Station, I downloaded the McDonald’s iPhone mobile order app while commuting to the MobileSyrup office on the Go Train. I added my debit Mastercard to the app, and ordered a coffee with two sugars and two milks.
To my surprise, even though my card information was added correctly, the transaction failed.
I joined the line at McDonald’s and waited for my turn at the cash. The cashier explained that she didn’t know why the order didn’t go through, but that the information related to my order was in McDonald’s’ systems.
I walked away with coffee in hand thinking that McDonald’s new app wasn’t very good. I attempted the same purchase the following day and experienced identical results. At this point, I gave up and decided the company’s mobile ordering app wasn’t worth the hassle.
Little did I know how bad McDonald’s iOS and Android mobile app really is.
Roughly two weeks later and here I am with nearly $2,000 CAD defrauded from my bank account, all from various McDonald’s locations across Montreal, Quebec.
Sometimes the thief purchased only an Oreo McFlurry, and in other cases they went for the McChicken Extra Value Meal. In almost all instances, they upgraded the fries included in their meal to a poutine.
Regardless of the thief’s (or thieves’) food selection, most of these over 100 transactions were completed over just a couple days. They’re also all under $30 CAD and minutes apart from one another.
For whatever reason, McDonald’s’ mobile app doesn’t have safeguards in place to prevent multiple successive transactions like this. It seems the fast food company assumes that ‘hey, this guy must really like Filet-O-Fish enough to order dozens of sandwiches in just a few hours.’
While I’ve experienced distressing security breaches in the past, I’ve never suffered from fraud at this scale, let alone had my bank account’s security compromised. Further, although I initially assumed this was an isolated incident, I was wrong. A quick Google search reveals other Canadians suffering from similar issues with almost all of the fraudulent transactions occurring in Montreal.
@McDonalds my mobile app account was compromised and someone that wasn’t me ordered food off of my card. I changed my password — now how do I get my money back?
— Justin Amaker (@JustinAmaker) April 20, 2019
I’m also not the first journalist to write about the McDonald’s’ app’s issues. Vice’s Munchies, CTV and other publications covered security issues with the fast food company’s app back in early February. Moreover, several MobileSyrup readers recently reached out to us after they downloaded the app and fell victim to the same type of fraud.
“We take appropriate measures to keep personal information secure, including on our app. Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently,” reads McDonald’s’ boilerplate statement to the media regarding the security issues from back in February.
I was sent a similar statement by Adam Grachnik, McDonald’s senior manager of external communications, when I reached out concerning potential security issues with the company’s app, as well as to address my situation.
“I can tell you that every day, thousands of Canadians order, collect and pay for McDonald’s food and beverages on their smartphone through the My McD’s app. As you know, mobile ordering is quickly growing in popularity with all retailers, especially at McDonald’s.
While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure. McDonald’s also does not collect or store credit card information as My McD’s app only holds a token with the payment provider to allow purchases (I trust given your expertise you understand what “token” means).
Just like any other online activity, we recommend our guests be diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”
Similar to the above statements, in all the reports of fraud I’ve come across related to the McDonald’s mobile app, a customer service representative from the company claims that the source of the security breach is connected to the strength of the user’s password. While this is likely true in some instances, a glance at @McDonald’s’ or @McDonaldsCanada’s Twitter feed reveals dozens of customers dealing with near identical fraudulent orders.
This makes it difficult to believe that this is a security issue purely related to password security and not related to a broader security flaw present in the McDonald’s app. It’s also worth noting that the instance of fraud I experienced, which comes to slightly over $2,000 when I add all the transactions together, is the most significant I’ve come across.
To put this issue in perspective, if McDonald’s has suffered a security breach, this wouldn’t be the first instance. Back in March 2017, McDonald’s India leaked the personal information of 2.2 million users, including user names, email addresses, phone numbers, home addresses and social profile links. There have also been reports of other security flaws in the fast food company’s app that have since been fixed.
Circling back to my personal experience with this apparent security flaw in McDonald’s’ mobile app, immediately after realizing someone in Quebec was purchasing thousands of dollars worth of food with my banking information, I contacted the fast food giant’s customer service department.
I was greeted with a curt, rather unhelpful customer service agent who asked me to read out the dozens of transactions. When I was finished, I was told me there was “nothing they could do to help me” and that “this is a fraud issue” and the responsibility of my bank.
This isn’t the case as the security flaw is clearly the fault of McDonald’s’ app as the transactions are made directly through the fast food company’s iOS iPhone app. I didn’t lose my debit Mastercard card either as the customer service rep suggested given that I was holding it in my hand when I placed the call.
Next, I called up my bank, cancelled my debit Mastercard and was told I needed to then go to a physical Bank of Montreal location to fill out a fraud form and sign many documents.
The fraud investigation thankfully resulted in my favour, even though the BMO teller I filed the claim with said there was a possibility the bank’s fraud department could conclude it is McDonald’s responsibility to reimburse me.
Same thing for me, you’ll waste your time with @McDoCanada.
Their application has a security breach but they do not want to admit it, so they will say it’s your fault and will do nothing more than apologize. The best we can do is to WARN as many people as possible about that ?
— Dany Buteau (@DanyButeau) April 23, 2019
When fraudulent purchases were made through my account with my credit card my bank cancelled the card and reversed the charges. When I called McDonald’s all I got was a “sorry” and we’re investigating ?♂️
— Darren Woloshyn (@darren_woloshyn) April 25, 2019
Happened to me a while ago. Someone in Ontario had about $100 worth of food. Weird things too.
Who orders a Filet or Fish with no sauce or cheese?!
It’s been hearing about it happening with Skip the Dishes a lot too. pic.twitter.com/vup122qlET
— CJ K (@cjkeats) April 24, 2019
Same happens to me, I change my password, remove my credit card, uninstalled the app and call my credit card company and got charges reversed. What a freaking pain.
— Guillaume Dauphinais (@delphs) April 24, 2019
One of the main issues I encountered with the fraud process is the fact that I used a debit Mastercard to place the transactions. This form of payment features less fraud protection when compared to a standard Mastercard or Visa credit card.
Usually, I would use my credit card with apps like this but accidentally inputted my debit Mastercard in this particular case. It’s a silly mistake, but both my bank’s standard Mastercard and debit Mastercard card look very similar, and I hastily added the information to the McDonald’s app.
For those concerned about their banking information stored in the fast food giant’s mobile app, the best course of action right now is to pull your card information and also reset your password. Also, request that McDonald’s delete your mobile order account from their system.
Note: I am currently in the process of speaking to various security researches to determine if there is a security flaw present in McDonald’s mobile order app. If you have any information regarding this scam or knowledge related to the security of the app, please reach out to firstname.lastname@example.org.
Update 11/07/2019 4:35pm: Here are a few ways hackers may have stolen my McDonald’s app account information.
Update 25/04/2019 2:03pm: The Bank of Montreal (BMO) has refunded all of the fraudulent McDonald’s app transactions. McDonald’s still hasn’t taken any responsibility for the fraudulent transactions. The story has been updated to reflect this.
Update 25/04/2019 11:50am: The story has been updated with more information regarding the payment method I used with the McDonald’s app.