It is indeed true that stealing large numbers of McDonald’s hamburgers is unlikely to make you rich. They’re not exactly a viable currency and despite those stories over the years they tend not to keep well – not a good store of value therefore. But if something can be stolen a useful guide to human beings is that it will be stolen. So it should be entirely unsurprising that a McDonald’s app has been hacked and used to steal food.
The problem lurking in the background is that people all too often forget that anything linked to a payment system is itself a payment system, and so needs to be surrounded with payment-system levels of security. A McDonald’s app that lets you buy Big Macs must have some connection, somewhere, into the main payments system: some link to a bank account, debit or credit card, something. The app itself is therefore a link into the banking and payments system, and must have the same level of security as the payments system itself:
Users of a McDonald’s app in Canada are having their accounts commandeered by hackers who are using the accounts to order food for themselves, racking up bills in excess of CAD $2,000.
That’s a lot of Maccy D’s.
Patrick O’Rourke, the managing editor of MobileSyrup, reported on his own experience with the app. He claims that he recently downloaded it and attempted to buy a cup of coffee at one of the chain’s Toronto locations, only for the transaction to fail. Over the following two weeks, however, nearly $1,500 in fraudulent purchases had been charged to his account through the app. According to O’Rourke, the purchases were all under $25 and were oftentimes made within minutes of each other.
You can imagine how this works. There’s a guy in the queue saying he needs some cash right now. In order to get it he’s willing to buy your Happy Meal on his account if you give him the cash. At, say, a 50% discount. Voila, he’s now processed your McD’s account into cash in his pocket. After all, the selling of food stamps on the same basis is hardly unknown, is it?
If you’ve hacked the McDonald’s app then you’ve hacked into the payment system, haven’t you? Maybe it can only be used at a McDonald’s but that’s enough.
As O’Rourke points out in his piece, this statement from McDonald’s suggests that a major cause for the breaches is weak passwords. But since O’Rourke found dozens of tweets about similar My McD breaches, he is suspicious about the company blaming users’ password practices. He thinks it’s likely a security flaw in the app is allowing hackers to breach people’s accounts.
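The pattern O’Rourke describes, a run of sub-$25 orders minutes apart, is exactly what a vendor-side velocity check should catch before the bill reaches four figures. The following is an added illustration of such a check, not code from McDonald’s or from either article quoted here; the order log, thresholds and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample order log (not real data): "timestamp,account,amount_cad,store"
SAMPLE_ORDERS = """\
2019-02-20T12:01:10,acct-a,4.50,toronto-01
2019-02-20T12:03:42,acct-a,19.99,toronto-07
2019-02-20T12:06:05,acct-a,22.10,toronto-03
2019-02-20T12:08:30,acct-a,17.45,toronto-07
2019-02-20T12:30:00,acct-b,8.25,toronto-02
2019-02-21T18:45:00,acct-b,12.00,toronto-02
"""


def parse_orders(text):
    """Parse the CSV-style log into (timestamp, account, amount, store) tuples."""
    orders = []
    for line in text.strip().splitlines():
        ts, account, amount, store = line.split(",")
        orders.append((datetime.fromisoformat(ts), account, float(amount), store))
    return orders


def flag_velocity(orders, max_amount=25.0, window=timedelta(minutes=10), min_count=3):
    """Flag accounts with at least `min_count` orders, each under `max_amount`,
    inside any sliding `window`. Returns {account: {"orders", "total", "stores"}}
    for the largest such burst per account; `stores` counts distinct locations,
    since several stores within minutes is physically implausible for one person."""
    by_account = defaultdict(list)
    for ts, account, amount, store in sorted(orders):
        if amount < max_amount:  # only the small, under-the-radar orders the pattern uses
            by_account[account].append((ts, amount, store))
    flagged = {}
    for account, small in by_account.items():
        start, best = 0, None
        for end in range(len(small)):
            while small[end][0] - small[start][0] > window:  # slide the window forward
                start += 1
            burst = small[start:end + 1]
            if len(burst) >= min_count and (best is None or len(burst) > len(best)):
                best = burst
        if best is not None:
            flagged[account] = {
                "orders": len(best),
                "total": round(sum(a for _, a, _ in best), 2),
                "stores": len({s for _, _, s in best}),
            }
    return flagged
```

On the sample log only acct-a trips the rule: four orders totalling CAD 64.04 across three stores in under eight minutes, while acct-b’s two orders a day apart stay clear.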
As I say, anything that connects into the payments system had better have security as good as that payments system. Otherwise it’s just a back door into it, isn’t it?
This is a rather more general point too. Unless you’re willing to insist upon direct deposit, and only direct deposit, into a vendor-specific app – something that no one would actually want – then any such payment-enabled app is going to need the same sort of security as the banking system itself. If not, you’ve just given the criminals free run of your customers’ accounts.