Here’s how I think hackers stole $2,000 from me through the McDonald’s app

I've finally figured out how the Hamburglar might have robbed me

Back in late April, after attempting to purchase a coffee through McDonald’s iOS mobile ordering app, someone, or multiple people, gained unauthorized access to my account’s credentials.

They then proceeded to purchase upwards of $2,000 CAD worth of fast food through the ordering app with my linked debit card.

Thankfully, my bank refunded the money a few days later, and the stressful ordeal was, at least for the most part, over. For a detailed account and the full sequence of unfortunate events leading up to the fraud, as well as what happened directly after, follow this link.

In the media storm that erupted after I chronicled my experience in a MobileSyrup story, a few things happened (or didn’t). McDonald’s, unsurprisingly, still hasn’t added two-factor authentication to either its iOS or Android mobile ordering app.

The fast-food giant also has not included an option for more secure forms of payment like Apple Pay and Google Pay, nor has it taken any level of responsibility for what happened to me and many other people. Reports from MobileSyrup readers who have experienced similar fraud through the McDonald’s app continue to roll in as well.

On the plus side, the mainstream coverage the story received in notable publications like CBC, Business Insider, Gizmodo and more caught the attention of Alexis Dorais-Joncas, the security intelligence team lead at Montreal-based ESET. After I explained the situation to Dorais-Joncas in detail and provided documentation related to the scam, including detailed receipts, a few patterns started to emerge.

First, several purchases were made at different McDonald’s locations across Montreal over a brief time frame through the My McDs App. It would be impossible for a single person to have been at all of these locations in the city at the same time.

This in itself has a few explanations; either one single person stole my account credentials and ordered food for several people, or various individuals had access to my account. For a look at where some of the transactions took place in Montreal, check out this map.

How did this happen?

So how did my password get compromised in the first place? This remains unclear, but most likely the password I used for my McDonald’s app was also used for another app or service that suffered a security breach.

Dorais-Joncas described the process of getting access to my account as “credential stuffing.” Attackers take username/password combinations from data leaks and test them at massive scale against a variety of platforms, ranging from social networks like Facebook to food ordering apps from companies like Starbucks and McDonald’s, looking for combinations that still authenticate.

He went on to say that the McDonald’s app has weak rate limiting: his security team was able to test username and password combinations at a rate of 400 per minute from a single IP address before being blocked for a short time.

According to Dorais-Joncas, the McDonald’s app allows attackers to perform credential stuffing at a rapid rate.
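To show what stricter rate limiting looks like from the defender's side, here is an added example (not McDonald's or ESET's code) of a sliding-window limiter keyed by both source IP and target account, so a fast burst from one address and a slow, distributed attack on one account are both caught. The limits, the 60-second window, the documentation-range IP and the 400-per-minute replay are constructed assumptions.

```python
from collections import defaultdict, deque

# Added example, not McDonald's or ESET's code. Limits, window and the
# constructed replay below are assumptions chosen for illustration.
IP_LIMIT = 20          # failed attempts tolerated per source IP per window
ACCOUNT_LIMIT = 5      # failed attempts tolerated per account per window
WINDOW_SECONDS = 60.0

class LoginLimiter:
    """Sliding-window limiter keyed by source IP *and* by target account."""

    def __init__(self, ip_limit=IP_LIMIT, account_limit=ACCOUNT_LIMIT,
                 window=WINDOW_SECONDS):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:   # drop entries outside the window
            q.popleft()
        return len(q)

    def allow(self, ip, username, now):
        """True if the attempt may reach the password check at time `now`."""
        return (self._recent(("ip", ip), now) < self.ip_limit and
                self._recent(("acct", username.lower()), now) < self.account_limit)

    def record_failure(self, ip, username, now):
        self.failures[("ip", ip)].append(now)
        self.failures[("acct", username.lower())].append(now)

def replay_burst(limiter, ip, usernames, rate_per_minute):
    """Replay a constructed list of distinct usernames from one IP at a fixed
    rate, mirroring the 400/min test described above; every attempt is treated
    as a failure. Returns (attempts that reached the password check, rejected)."""
    step = 60.0 / rate_per_minute
    processed = rejected = 0
    for i, user in enumerate(usernames):
        now = i * step
        if limiter.allow(ip, user, now):
            processed += 1
            limiter.record_failure(ip, user, now)
        else:
            rejected += 1
    return processed, rejected

if __name__ == "__main__":
    users = [f"user{i}@example.com" for i in range(400)]   # constructed
    print(replay_burst(LoginLimiter(), "203.0.113.7", users, 400))   # (20, 380)
```

With these thresholds, only the first 20 of 400 attempts in a minute reach the password check; the per-account key also stops five failures against one account spread across different IPs, which a per-IP limit alone misses.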

There are a few simple things McDonald’s could do to fix these issues. For one, sending an activation link to the user’s email when a new account is created, and detecting logins from a new device, could solve much of the problem. McDonald’s would then send an email to the account owner stating something along the lines of, “Hello, you’ve signed in from a new device from CITY, COUNTRY. If you did not initiate this action, contact us immediately.”

Further, adding basic fraud protection such as email notifications or SMS validation when something suspicious occurs with your McDs App account would solve several issues. This includes when the app is used on a new phone, or when a certain number of transactions have occurred over a short period.

Finally, McDonald’s could implement a change as simple as allowing only one account to log into a device at a time.
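The new-device notification and the transaction-velocity check proposed above, as an added example that is not McDonald's code: an account monitor that emits the notification the first time a device is seen and holds the account once purchases in a window exceed a limit. The thresholds, the event stream and the device identifiers are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Added example, not McDonald's code. Thresholds and the event stream are
# constructed; a real service would deliver the alerts out of band (email/SMS).
TX_LIMIT = 3                 # purchases tolerated per account per window
TX_WINDOW_SECONDS = 15 * 60  # the "short period" referred to above

@dataclass
class AccountMonitor:
    tx_limit: int = TX_LIMIT
    tx_window: float = TX_WINDOW_SECONDS
    known_devices: dict = field(default_factory=lambda: defaultdict(set))
    purchases: dict = field(default_factory=lambda: defaultdict(deque))

    def on_login(self, account, device_id, city, country):
        """Return the new-device notification the first time a device is seen."""
        if device_id in self.known_devices[account]:
            return None
        self.known_devices[account].add(device_id)
        return (f"Hello, you've signed in from a new device from {city}, {country}. "
                "If you did not initiate this action, contact us immediately.")

    def on_purchase(self, account, now):
        """Return a velocity alert once purchases in the window exceed the limit."""
        q = self.purchases[account]
        q.append(now)
        while now - q[0] > self.tx_window:    # forget purchases outside the window
            q.popleft()
        if len(q) > self.tx_limit:
            return f"{len(q)} purchases in {self.tx_window // 60:.0f} min; hold and verify"
        return None

def process(events, account="owner@example.com", monitor=None):
    """Feed one account's login/purchase events; return (timestamp, alert) pairs."""
    monitor = monitor or AccountMonitor()
    alerts = []
    for kind, t, *rest in events:
        msg = (monitor.on_login(account, *rest) if kind == "login"
               else monitor.on_purchase(account, t))
        if msg:
            alerts.append((t, msg))
    return alerts

SAMPLE_EVENTS = [  # constructed: the owner's phone, then an unfamiliar device ordering fast
    ("login", 0, "owner-iphone", "Toronto", "Canada"),
    ("purchase", 60),
    ("login", 3600, "unknown-android", "Montreal", "Canada"),
    ("purchase", 3660), ("purchase", 3720), ("purchase", 3780), ("purchase", 3840),
]
```

Running `process(SAMPLE_EVENTS)` yields three alerts: the owner's first login (every device is new once), the unfamiliar device in Montreal, and the fourth purchase inside 15 minutes.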

Welcome to the dark web

There’s also a dark web side to what could have happened with my account. Following Dorais-Joncas and his team’s investigation, David Hétu, CSO and co-founder of Flare Systems, a Canadian darknet intelligence company, also contributed to uncovering what might have caused my app to get hacked.

According to Hétu, there is consistent chatter on dark web platforms related to people using stolen credit cards to pay for people’s meals at McDonald’s. Theoretically, someone could hang around a McDonald’s location and pay for meals with the stolen card in return for cash from these customers. While this strategy doesn’t work on a larger scale, it could net a fair amount of money if you recruited people to help you with the scam.

Regarding the sale of app accounts, Hétu uncovered two vendors selling McDonald’s accounts on the dark web for between $15 USD and $20 USD (roughly $19.60 CAD and $26.14 CAD). These listings state the phone’s GPS must indicate you’re at a McDonald’s location for the order to go through. With this in mind, it’s relatively easy to spoof your location through an Android device or a jailbroken iPhone.

Hétu also uncovered individuals listing McDonald’s U.K. app accounts for $3 USD (about $3.92 CAD), with roughly 35 sales occurring at the time of the investigation. That said, there are no details regarding the source of these accounts. Almost amusingly, the seller also promised to replace any account that doesn’t work, according to Hétu.

Practice good password hygiene

In the end, I still don’t know what happened with my McDonald’s account. I’ve reset all of my passwords and now use 1Password, a Toronto-based password manager app, across all my devices more diligently.

However, I haven’t let this scare me away from purchasing food and other products on the internet, despite hilariously negative reader comments on CBC’s story surrounding the scam demanding that I return to using cold hard cash.

While McDonald’s and other food ordering apps could certainly protect their users’ sensitive information better, practising simple password hygiene is also an excellent method of preventing what happened to me.

Don’t use the same password more than once. If your account happens to be compromised, regardless of the app or platform, reset it immediately. Finally, always use a credit card whenever possible with ordering apps and when purchasing products on the internet. It’s far easier to get your money back if credit card fraud occurs when compared to the money being stolen from your bank account.
