Tuesday, April 23, 2019

I tried to buy a coffee with McDonald’s mobile app, instead I was defrauded $2,000

On my way to work one recent morning, like many people often do, I decided to buy a coffee.

Rather than wait in a long line at Toronto’s Union Station, I downloaded the McDonald’s mobile order app while commuting to the MobileSyrup office on the Go Train. I added my debit Mastercard to the app, and ordered an orange pekoe tea with two sugars and two milks.

To my surprise, despite the fact that my card information was added correctly, the transaction failed.

I joined the line at McDonald’s and waited for my turn at the cash. The cashier explained that she didn’t know why the order didn’t go through, but that the information related to my order was in McDonald’s’ systems.

I walked away with tea in hand thinking that McDonald’s new app wasn’t very good. I attempted the same purchase the following day and experienced identical results. At this point, I gave up and decided the company’s mobile ordering app wasn’t worth the hassle.

Little did I know how bad McDonald’s iOS and Android mobile app really is.

Roughly two weeks later and here I am with nearly $2,000 CAD defrauded from my bank account, all from various McDonald’s locations across Montreal.

Sometimes the thief purchased only an Oreo McFlurry, and in other cases they went for the McChicken Extra Value Meal. In almost all instances, they upgraded the fries included in their meal to a poutine. Regardless of the thief’s (or thieves’) food selection, most of these over 100 transactions were completed over just a couple days. They’re also all for under $20 CAD and minutes apart from one another.

For whatever reason, McDonald’s’ mobile app doesn’t have safeguards in place to prevent multiple successive transactions like this. It seems the company assumes that ‘hey, this guy must really like Filet-O-Fish enough to order hundreds of sandwiches in just a few hours.’
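The safeguard described as missing here is commonly called a velocity check. The following is an added example, not code from the article, McDonald's or any payment provider: it flags bursts of small orders against one payment token, and the thresholds, token names and sample transactions are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration only.
WINDOW = timedelta(hours=1)
MAX_ORDERS_IN_WINDOW = 4
MAX_SPEND_IN_WINDOW = 30.00  # CAD


def flag_velocity(transactions):
    """Return (timestamp, token, reason) for every order that breaches a rule.

    transactions: iterable of (timestamp, token, amount_cad), sorted by time.
    Flagged attempts stay in the window, so a burst keeps being flagged.
    """
    recent = {}   # token -> deque of (timestamp, amount) still inside WINDOW
    flagged = []
    for ts, token, amount in transactions:
        window = recent.setdefault(token, deque())
        # Drop orders that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        window.append((ts, amount))
        if len(window) > MAX_ORDERS_IN_WINDOW:
            flagged.append((ts, token, "order_count"))
        elif sum(a for _, a in window) > MAX_SPEND_IN_WINDOW:
            flagged.append((ts, token, "spend"))
    return flagged


def sample_transactions():
    """Constructed data: one token hit every 4 minutes, one used normally."""
    start = datetime(2019, 4, 1, 12, 0)  # arbitrary constructed date
    amounts = [8.49, 11.29, 6.79, 12.99, 9.49, 14.19]  # each under $20
    burst = [(start + timedelta(minutes=4 * i), "tok_A", amt)
             for i, amt in enumerate(amounts)]
    normal = [(start, "tok_B", 2.10),
              (start + timedelta(hours=5), "tok_B", 7.50)]
    return sorted(burst + normal)


if __name__ == "__main__":
    for ts, token, reason in flag_velocity(sample_transactions()):
        print(ts.isoformat(), token, reason)
```

Every individual order in the burst is unremarkable on its own; only the per-token window exposes the pattern, which is why a per-transaction amount limit alone would not have caught it.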

While I’ve experienced distressing security breaches in the past, I’ve never suffered from fraud at this scale, let alone had my bank account’s security compromised. Further, although I initially assumed this was an isolated incident, I was wrong. A quick Google search reveals other Canadians suffering from similar issues with almost all of the fraudulent transactions occurring in Montreal.

I’m also not the first journalist to write about the McDonald’s’ app’s issues. Vice’s Munchies, CTV and other publications covered security issues with the fast food company’s app back in early February. Moreover, several MobileSyrup readers recently reached out to us after they downloaded the app and fell victim to the same type of fraud.

“We take appropriate measures to keep personal information secure, including on our app. Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently,” reads McDonald’s’ boilerplate statement to the media regarding the security issues from back in February.

I was sent a similar statement by Adam Grachnik, McDonald’s senior manager of external communications, when I reached out about this story and asked for redress for my situation.

“I can tell you that every day, thousands of Canadians order, collect and pay for McDonald’s food and beverages on their smartphone through the My McD’s app. As you know, mobile ordering is quickly growing in popularity with all retailers, especially at McDonald’s. 

While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure. McDonald’s also does not collect or store credit card information as My McD’s app only holds a token with the payment provider to allow purchases (I trust given your expertise you understand what “token” means).

Just like any other online activity, we recommend our guests be diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”

Similar to the above statements, in all the reports of fraud I’ve come across related to the McDonald’s mobile app, a customer service representative from the company claims that the source of the security breach is related to the strength of the user’s password. While this is likely true in some instances, a glance at @McDonald’s’ or @McDonaldsCanada’s Twitter feed reveals dozens of customers dealing with near identical fraudulent orders.

This makes it difficult to believe that this is a security issue purely related to password security and not related to a broader security flaw present in the McDonald’s app. It’s also worth noting that the instance of fraud I experienced, which comes to slightly over $2,000 when I add all the transactions together, is the most significant I’ve come across.

To put this issue in perspective, if McDonald’s has suffered a security breach, this wouldn’t be the first instance. Back in March 2017, McDonald’s India leaked the personal information of 2.2 million users, including user names, email addresses, phone numbers, home addresses and social profile links.

Circling back to my personal experience with this apparent security flaw in McDonald’s’ mobile app, immediately after realizing someone in Quebec was purchasing thousands of dollars worth of food with my banking information, I contacted the fast food giant’s customer service department.

I was greeted with a curt, rather unhelpful customer service agent who asked me to read out the dozens of transactions. When I was finished, I was told there was “nothing they could do to help me” and that “this is a fraud issue” and the responsibility of my bank.

This isn’t the case as the security flaw is clearly the fault of McDonald’s’ app as the transactions are made directly through the fast food company’s iOS iPhone app. I didn’t lose my bank card either as the customer service rep suggested given that I was holding it in my hand when I placed the call.

Next, I called up my bank, cancelled my debit card and was told I needed to then go to a physical Bank of Montreal location to fill out a fraud form and sign many documents. While a fraud investigation is currently underway, BMO says that the result will likely be the bank’s fraud department concluding the transactions are McDonald’s fault and not its responsibility. This investigation could also take up to a month, according to my bank.

This leaves me out over $2,000 for purchases I didn’t make, and with both McDonald’s and BMO pointing fingers at one another.

Note: If an additional statement is received by McDonald’s, or my issue gets resolved, I will update the story with additional information. 

The post I tried to buy a coffee with McDonald’s mobile app, instead I was defrauded $2,000 appeared first on MobileSyrup.



from MobileSyrup http://bit.ly/2vjaIYI
