Cyber thieves were able to hack the McDonald’s application on Canadian Patrick O’Rourke’s phone and steal more than $2,000 in food, the CBC reported.
The fraudster gained access to O’Rourke’s app account, and then used the attached debit card to make the purchases. The app did send him over 100 receipts for the purchases, but they all ended up in his rarely-checked “updates” inbox. Unfortunately, the app made no other attempts to alert him to the use of his account.
O’Rourke took the company to task, accusing it of not doing enough to protect him and other customers from fraud attacks.
“To me, it just seems like a little bit negligent … like they don’t really care,” he told the CBC. “McDonald’s should at least be sending out a mass email to everyone that has the account [to say], ‘Hey, you should reset your password.’”
McDonald’s is also coming under fire for how it handled the aftermath of the theft. First, it refused to take any blame for the security failure, with a spokesperson stating that customers should monitor their account and change their password if they notice suspicious behavior. Then, despite the obvious fraud, it refused to give O’Rourke a refund and told him to contact his bank to try to get his money back.
“I find it pretty shocking that a massive company like McDonald’s wouldn’t just take responsibility for something like this,” O’Rourke said. “They have more than enough money to be reimbursing people for these issues.”
Corporate Negligence, or Corporate Indifference?
Some experts fear this response is indicative of an emerging trend of corporate negligence when it comes to cybersecurity. With more consumers using applications to pay for goods and services, this kind of account takeover (ATO) fraud is increasingly common.
Cybersecurity expert Ritesh Kotak also spoke with the CBC and expressed concern that not enough is currently being done to protect consumers. He stated that while companies are eager to invest money in fancy app features to capture consumers’ cash, they are often just as uninterested in spending any money on the security features needed to keep their customers safe.
“We’re moving to a cashless society,” he said. “They put all this money into app development, are they putting the same amount of money and rigour and research into the security component of it?”
Merchant Fraud Journal reached out to the Hamburglar for comment, but did not receive a response.
Sources: https://www.cbc.ca/news/business/mcdonald-s-app-fraudster-online-account-1.5113012