On the Declining Security of McDonalds' Coupons
Phase 1: The Original Coupon System
In the beginning, the coupon system worked like this:
- Printed coupon arrives with mail.
- Customer presents mailer coupon to cashier.
- Cashier enters code on cash register to give discount.
- Cashier retains and destroys used coupon.
The attack model for this system is quite simple.
- Staff Collusion. Cashier either gives discount when no coupon was presented, or returns the used coupon to customer after use. There is little that can be done to prevent this sort of attack. If a manager became suspicious, video surveillance could be checked, but the time and effort of doing this would be disproportionate to any losses incurred.
- Personal Forgery. The coupons could be copied, but the costs in doing so would exceed any fraudulent gains. The coupons are double-sided and four-color printed on flimsy, glossy paper. This is beyond the abilities of a simple ink-jet or color laser printer to reproduce.
- Bulk Forgery. An attacker could print a large number of coupons cheaply using standard printing processes. This is how the originals are produced. However, the set-up costs for this are high. To be profitable, the attacker would need to be able to sell the coupons. The coupons have an expiry date, and many involve two-for-one or similar offers. Although the claimed value of the coupon booklet are high ("up to $61 in savings") a consumer would need to have a very strange diet and to always be buying meals for friends to realize anywhere near this profit. None of the coupons are for free meals, so realistically, it is unlikely an attacker could sell the coupons for enough money to recover his costs.
So at this stage the major risk is staff collusion. Unless a staff member is giving out an unusually high number of discounts (detectable from the cash register logs), there is no major threat here.
Phase 2: The Mobile App
I'm not sure when McDonald's introduced their smart phone app, but it significantly increased the attack surface. The way the application worked (it may have changed since I last used it) was this:
- Customer installs app on smart phone.
- Customer uses app to download current coupons from internet for current geographical location to smart phone.
- Customer opens app in store and displays coupon to cashier.
- Cashier swipes coupon to register it as "used".
- App remembers used state of coupon to prevent re-use.
This introduced some interesting new possible attacks:
- Re-use attack. Whether a coupon has been used or not is stored on the phone. The user can either re-install the app or delete the data associated with the app to allow coupon re-use.
- Impersonation attack. From the cashier's perspective, all she sees is an image of a coupon on the phone. When the image is swiped, if the application is functioning correctly, the image changes to a new one. There is no way the cashier can tell if she is interacting with the real application, or a program which simply looks like the real application.
Phase 3: The Kiosk
Over the past year, McDonald's has been introducing a new way of ordering: the touch screen kiosk. This replaces the cashier in the transaction with a touch screen, scanner, payment terminal, and receipt printer. If a customer uses this method of ordering, the system is as follows:
- At the beginning of the transaction, the customer touches a "I have mailer coupons" button.
- The kiosk activates a barcode scanner, and the customer is instructed to scan the barcode on the coupon.
- If the kiosk cannot read the barcode, it falls back to inviting the customer to enter the numbers from the barcode.
- The kiosk shows the menu items involved in the coupon offer, and the customer makes selections and customizations as required.
- The customer proceeds with further order items and payment.
This system introduces some interesting attack possibilities:
- Forgery attacks (1). The system now reads a black and white barcode, rather than inspecting the entire coupon. This part of the coupon is easily reproducible even on a black-and-white printer. (It's a cheap laser-scanner, so it won't read the image of the coupon shown on a mobile phone).
- Forgery attacks (2). By exploiting the scanner fall-back mode, even the barcode is unnecessary. The attacker just needs to remember the number printed underneath the barcode. Not only is no physical forgery required, there is no physical evidence associated with an attack.
- Coupon re-use attacks. The coupons can obviously be re-used. Indeed, it's not even clear if this is still an attack, as there is no request for the customer to dispose of the coupon after use.
But do these vulnerabilities matter?
While it is interesting to look at the changing attack surface, all attacks (and possible defences) need to be examined from a business perspective. We can observe that:
- The objective of the coupon campaign is presumably to get more customers to try the McDonald's menu more often. Giving cheaper food to customers who would have purchased anyway is just one of the costs involved.
- The coupons are all "buy something get something free" or "get something at a reduced price". Although the restaurant makes a reduced profit on each transaction, it is unlikely that any coupon results in a loss-making transaction. It's entirely feasible that a restaurant could make up for reduced transaction profits with increased volume.
- The coupons have a limited validity period.
What this means is that even if a criminal gang flooded the market with forged coupons, or if every customer re-used their coupons during the promotional period, this would not be a major problem. (Indeed, if a criminal gang printed every coupon, this would reduce McDonald's printing costs!)
This is in sharp contrast to the Subway stamp system (collect 8 stamps, get a Subway sandwich free) which had to be withdrawn after criminals started forging and selling the stamps. There forgeries had a significant value (one free sandwich) and involved a significant loss to the restaurant chain.
So although this is an interesting example of how changing technology changes an attack surface, unless McDonald's introduces a loss-making coupon with a significant resale value there is little for McDonald's management to be concerned with.
Michael Z. Bell