It’s not the first “Hamburglar” hack and it probably won’t be the last, but a recent McDonald’s app attack has some lessons to teach us about securing our accounts in the age of digital loyalty programs.
A tech writer in Toronto who used the McDonald’s app learned that a scammer had broken into his My McD’s account and purchased more than 100 meals — racking up around $2K in charges. The app was linked to his debit card, and he was oblivious to it all, receiving no notifications from McDonald’s or the bank.
It’s safe to say that no one could eat that much McDonald’s and survive, so chances are the victim’s login details had been reused or otherwise compromised: the hacker guessed them or obtained them some other way, then traded them on the dark web to be exploited by multiple criminals.
A PR nightmare for Mickey D’s
This looks bad on McDonald’s, especially since similar incidents involving the same app have been reported in other areas, including Quebec and Nova Scotia. It’s likely not a widespread issue for McDonald’s specifically, though, but an illustration of what will inevitably happen more and more as loyalty and rewards programs become more common.
Rewards apps = easy targets
Loyalty programs and apps are attractive targets for cybercriminals: they’re easy to hack, highly profitable, and — let's face it — police don’t care about a $2K McDonald’s bill, so fraudsters can get away with it. We’re seeing many issues with rewards campaigns and users’ accounts being drained.
What should companies do?
Companies could allow users to load the app with a certain amount of money, and set limits, to remove the possibility of a thief racking up a steep bill.
Corporations could also build two-factor authentication into their apps: any time someone logs in from a device that wasn’t previously used with the app, they would have to prove they are who they say they are, and no transactions would be allowed until they validate their identity.
2FA? We’re lovin’ it!
Two-factor authentication often isn’t built into apps – even though it would be easy enough for these corporations to do – because companies are not subject to any regulatory requirements around security, and because customers just aren’t asking for 2FA.
The best way to get companies to change their behaviour in Canada is to voice your concerns.
Supersize your password
If you’re using an app like this, make sure to secure your account by creating long, strong passwords, never reusing passwords, using a password manager, and using two-factor authentication where the app supports it.
To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ firstname.lastname@example.org or 1-877-516-9245 and check out our blog on 7 Reasons to start using a password manager today!