Ordering food through an app on a mobile phone has become an increasingly popular way to satisfy the appetite. However, it has also become the latest target for thieves and hijackers looking to get food without paying for it, as a McDonald’s app customer found out.
Hijacking Accounts
Lauren Taylor of Halifax, Nova Scotia suffered this type of theft: her bank account was almost emptied when someone used her McDonald’s app to buy $500 worth of food. The food was ordered over 1200 kilometres away in Montreal, Quebec.
The thief ran up the bills over the period from 25 to 29 January. Receipts were sent to her email each time, but Taylor didn’t check her inbox regularly. When she did check her emails, there was only $1.99 left in her account.
Getting the Food
Once food is ordered, collecting it at the restaurant is not an easy task. On arrival, customers are asked to check in, and the app then debits the card on the customer’s account. The customer then needs to provide a four-digit code to get the food.
However, if a hijacker can access the customer’s app data, then this may be an easy task.
Diligent Use of the App
McDonald’s in Canada denied there was a security issue with their app. A spokesperson told Canada’s CBC that “Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”
Taylor claims that she did so with the McDonald’s app and that she changes her passwords regularly. She also stated that she never shares them, and keeps them strong.
Customers in Halifax and Ontario have also been targeted.
Previous Data Problems
McDonald’s has had data issues in the past. In 2017, the Indian branch of the company urged people to upgrade its McDelivery app after it reported a data leak. Details of around 2.2 million users were leaked, including names, emails and home addresses.
In January 2017, cybersecurity engineer Tijme Gommers found a vulnerability in the McDonald’s website that allowed customer passwords to be stolen.