McDonalds tells customers to show ID as card fraud bites… again

Fast food chain McDonalds has resorted to asking customers for identification in a bid to reduce the weight of fraud losses caused by scammers obtaining free burgers using dodgy payment cards.

The company has started putting signs up warning diners they could be randomly selected for ID checks “due to some recent fraudulent credit card usage”, a move that suggests its point of sale payment systems have again become vulnerable to ravenous crooks.

It’s a curious development that has privacy advocates and payments industry insiders questioning how random requests for ID would actually curtail fraud losses and how McDonalds intends to use the information it collects.

“Are we truly random here or engaged in racial profiling?” asked Australian Privacy Foundation board member and respected University of Canberra legal academic Dr Bruce Baer Arnold, adding there was also a question as to whether this was “corporate policy or just a licensee on a frolic”.

It’s a reasonable question.

The latest McDonalds notice.

McDonalds has not yet not responded to questions put by iTnews to its head office about the ID checks, including whether they were approved from the top or whether identity documents provided by customers was being retained.

Payments industry sources, who asked not to be identified, were puzzled about how the identity requests would mitigate fraud, suggesting the solution’s efficacy was essentially optical.

But clearly something is up.

One suggestion was that some card transactions at the point of sale may not actually check the available balance of cards, just that they are active. In the case of credit cards, and potentially some scheme debit products, this could mean transactions were approved despite there being insufficient funds.

This may have happened, it was suggested, because some merchants opted for a trade-off of faster transaction processing times that skipped individual authorisation below a certain dollar value, typically $10 to $20.

Because fast food is essentially not re-saleable – unlike alcohol, nappies, batteries, cosmetics and fuel – it was downgraded in terms of the fraud risk.

What is widely known is that very low value card transactions are sometimes used by carders to validate which stolen or cloned cards work or don’t work.

Because of cross-border inconsistencies in requirements and functionality for combinations of PIN numbers, signatures, magnetic swipe, smartcard insertion and tap functions there are still clearly avenues for cunning fraudsters to exploit.

For example some US retailers will still request a signature with a tap, smartcard insertion or swipe rather than a PIN whereas signatures have largely been phased out in Australia.

McDonalds is no stranger to payment scams or card fraud, especially at point of sale. A decade ago it was the main vector in a $4 million card sting in Perth busted by Western Australian Police.

In 2009 a fraud ring surreptitiously swapped-out McDonalds payment terminals and replaced them with nearly identical compromised substitutes that grabbed bank debit card mag-stripe numbers – and PINs – that were then transferred to blank cards to raid bank accounts.

The question now is whether any personal identification information collected by McDonalds abates fraud or just creates a new honeypot.

When the Golden Arches see fit to respond, we’ll let you know.