How to Get Free Food at a Fast-Food Drive-In

It's easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay for and receive your food. The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window. Tell the clerk that you forgot your money and didn't order anything. Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit. Basically, it's a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.

EDITED TO ADD (9/20): The video has been removed from YouTube. It's available here.

Posted on September 10, 2007 at 6:27 AM • 94 Comments

Comments

AlexSeptember 10, 2007 7:11 AM

I haven't worked food service in about 25 years, but this sort of thing happened all the time when I did. The success of the exploit depends not so much on the cleverness of the criminal, but how much the minimum wage earner actually *cares*.

RonKSeptember 10, 2007 7:23 AM

Great, another excuse for an automatic license plate number reading system.

I doubt that most people would bother to figure out how to switch their plate numbers properly in order to game this. It could be hard if there is enough distance between the last window and a computer-controlled exit gate (assuming crashing through the gate is also too much trouble).

Fred X. QuinbySeptember 10, 2007 7:59 AM

"Or the second window could demand to see the receipt."

Where I live they put the receipt in the bag at the second window. But now that I think about it, I WANT fast-food queues to be full of security holes. Hopefully, terrorists will be drawn the defects in the system and die of heart disease.

JessSeptember 10, 2007 8:01 AM

Actually, if you order more than you can pay for (or more than you say you can, I guess...) once you get to the window, nearly everyone will give you the food anyway. It's not like they want to eat it themselves. Although probably this wouldn't work too many times at the same restaurant. I guess not having enough money to pay for a Big Mac inspires a certain amount of sympathy.

Although for me, it rather calls into question why one is driving at all.

Toby DiPasqualeSeptember 10, 2007 8:42 AM

Actually, there is a group of McDonald's in the Midwest that is already resilient to this kind of attack, but became so for different reasons. At these McD's, when you order, your picture is taken and you are actually speaking to a person in a call center several states away. The intent of this move was to consolidate line-support costs and reduce mistakes, which it did wonderfully (1% error rate vs. the 4% industry average). However, with this in place, the person handing out the food gets to check the picture of the person in the car, heightening the chance that this ruse would not work at those particular outlets. I wish I could remember who owned these stores but I first heard of this scheme in an audiobook on economics.

miwSeptember 10, 2007 8:52 AM

With team play, the second car can order the food that the first car collects. First car drives away, second card makes the discovery, and leaves without paying and without their order, to rendez-vous with the first car to collect their part of the ordered food.

CGomezSeptember 10, 2007 8:55 AM

I think the major problem is simply that you don't get what you want. Sure, for someone desperate it's worth it, but I think if you are driving a car through a drive through, it's simply not worth the time and effort.

Security is a tradeoff. For the pennies that food costs a fast-food restaurant, it seems worth it to ignore this hole. After all, taking and verifying tokens adds to the process, and one part of the fast-food experience that will define a happy customer (and repeat business) is that it's _fast_ and convenient.

Any little inconvenience (long lines, long wait for order, slow cashiers) tends to be a negative experience in fast food, and repeat business is far more important than one bag of stolen fries.

EdSeptember 10, 2007 9:00 AM

"I think the major problem is simply that you don't get what you want."

Huh?

I think the major problem is that this is dishonest, unethical, immoral, and illegal.

Doesn't anyone care about that any more?

NyhmSeptember 10, 2007 9:08 AM

@miw, Brilliant augmentation. However, the second car would have already paid when it "discovered" the problem at the second window. It could demand its money back or wait for the order to be filled again (two for the price of one). Either way, you're technique provides each car with a good haul (not risking it for just a coffee or apple pie).

Chris MSeptember 10, 2007 9:13 AM

I went thru all of college and never heard of this. And I know a lot of guys who dumpster dive and whatnot. I think the benefit (getting random food and having to time the attack just right) far out weight just digging thru your cushions for 99 cents.

I did work with a guy who hit us (his co workers) up for money to get the 99 cents and came back with food for 4 because of a mistake made by a two window system. But, what makes that a cool story is how rare it is.

Even in the 1960's McD's was tracking sales vs stock to make sure there was no theft going on. My father was almost fired for a discrepancy but it turned out his co-worker couldn't do math and was coming with the wrong totals on orders. I have to assume they haven't gotten worse at tracking errors

TomSeptember 10, 2007 10:11 AM

Another variation on this theme is the "coupon" attack -- when I was in college it was relatively easy to find 2'fer coupons to fast food restaurants. Essentially buy one get one free. Of course all of these coupons had expiration dates, but it didn't really matter.

The trick wasn't really something you had to do, but the lack of the person taking your order to actually take the coupon from you. This worked better in the drive through, especially when it was busy. Between the time you ordered and the time you got to the first window, the order taker had most likely forgotten that you said you had a coupon.

And in the event he/she did remember, at least you had the coupon to prove you were ordering in good faith. Should the coupon be expired, look surprised and just pay for two. The number of free sandwiches we used to get with this trick was pretty staggering. This also worked for a while with pizza places, but they seem to have gotten wise to the trick. At least, certain chains have.

AdrianSeptember 10, 2007 10:15 AM

A lot of drive-thru's I've been to in the last few years that still use the two window system will hand you a receipt when you pay that you have to give to the person at the second window in order to receive your food.

PeterSeptember 10, 2007 10:17 AM

I don't think you need pictures or license plates! To stop this, wouldn't it be enough for the first window to pass a "blank order" to the second window?
Or am I missing something?

sooth_sayerSeptember 10, 2007 10:25 AM

Things must be bad at BT that one has to resort stealing fries -- unless they were coming with "blow fish".

This is so lame that I doubt even if high schoolers will try it.

I keep saying .. Bruce .. get off this beat and let's talk SHA and MD5.

Nick LancasterSeptember 10, 2007 10:26 AM

@Peter: Makes sense, though I think they'd rather have a wrong order go through and someone lose a hamburger than have a wrong no-order go through and gum up the pacing of their line.

MSKSeptember 10, 2007 10:50 AM

Another type of attack that can take advantage of the disconnect between the two stations is the "Paper Moon" attack (my own name as a way of remembering it from the movie Paper Moon with Ryan and Tatum O'Neil). It helps to do this when volume is high.

In this attack, you need 2 cars. In the first car, the purchase buys something small - say an order of fries. They pay for it with a $20 bill. On the $20 bill is an innocous message - something like "Happy Birthday, Love Grandma". They get their change, proceed to the next window and get their food.

Meanwhile, the next car comes up, also orders something small and pays for it with a $5 bill. They get their change and proceed to the next window. At the food window, they state that they just realized they were given the wrong change. The state that they paid with a $20 and it was a gift from their Grandma. Oh, and wait - it actually said that on the bill. The restaurant is in such a hurry to move people along, that while they may check that such a bill exists, they are likely not to do much more than that. Because they have to contact the other station (the pay station), and you are at the 'receive' station, there is enough of a disconnect to let this attack work.

And as Alex says - its success is also related to how much the minium wage earner cares...

CGomezSeptember 10, 2007 11:12 AM

@Ed:

"I think the major problem is that this is dishonest, unethical, immoral, and illegal.

Doesn't anyone care about that any more?"

***

Not from a security standpoint.

Bad guys dont care about honesty, ethics, morals, or laws. If they did, then we wouldn't need any security... or certainly at least a lot less.

When analyzing purely from a security standpoint, there is no need to think about these things.

Besides the fact I have no problem paying what I think is fair for a service or simply not utilizing the service at all, that doesn't factor into a security discussion.

When thinking about the security tradeoffs of even the barely significant token system Bruce mentioned to close this "hole", I feel it may not even be worth closing, and I explained why.

That doesn't mean Bruce is wrong, but it brings up a point he makes alot. Often he points out that when you put financial responsibility on a business for security problems, that business suddenly gets proactive and even often very good at rooting out fraud. Credit card companies having to eat fraudulent transactions has made them very proactive in rooting out fraud and educating their customers.

I think here the chance of fraud is so low and the overall cost of that fraud so insignificant that the security tradeoff was made decades ago: "If we get hoodwinked once every ... what... month, year, decade?... then it's not worth doing anything."

Heart WrenchingSeptember 10, 2007 11:35 AM

Re: Tokens

It's going to cost too much to implement and what happens when someone drops the token at the 2nd window? Or someone brings their own or steals them?

DaveSeptember 10, 2007 12:10 PM

I've got to say, I found this blog the other day and haven't yet read any of the posts, but finding an exploit in the operation of a fast food restaurant is not quite what I was expecting.

paulSeptember 10, 2007 12:10 PM

It seems like a fairly self-regulating security hole -- if it happens often enough, managers or line staff will start getting wise, and the cost of an arrest with (in some US jurisdictions at least) possible loss of the automobile used in the crime far outweighs the "winnings" in terms of food.

Oh, and you also have to pick a fairly high-traffic location, because those mindless minimum-wage flunkies we love to deride can often be smart people with good memories.

Values aren't importantSeptember 10, 2007 12:25 PM

@Ed:

"I think the major problem is that this is dishonest, unethical, immoral, and illegal.

Doesn't anyone care about that any more?"

You're all alone on that one, Ed. Right and wrong went out the window decades ago.

It's "grab everything you can!" now. Google 'Beer Looter Dude'. He's their icon.

crackSeptember 10, 2007 12:49 PM

Doesn't this only work in a queue where the car that can't pay can't leave the queue? Wouldn't the first window think something is up if a guy says he can't pay and then stays in line?

Pat CahalanSeptember 10, 2007 12:50 PM

@ MSK

That's an old dodge, and I've seen it run on a classic old cash register at the food service in college. The only reason why we caught it was the pair made the mistake of having a very memorable "seeder" - the guy was dressed uniquely and he overly marked the bill, so I noticed both the bill and who gave it to me, and when the second guy came back to pull off the con, I knew he wasn't the one that handed me the bill in the first place.

Jamie FlournoySeptember 10, 2007 1:14 PM

@sooth_sayer
>I keep saying .. Bruce .. get off this beat and let's talk SHA and MD5.

Every nation in the civilized world is loudly abandoning freedom in favor of police-state values, all the while failing to make us more secure against real threats. And you want to talk about MD5?

Let's keep talking about real-world security, even when it's simple stuff that is interesting only as an analogy. The people in power need more simple examples to refer to when thinking up new crowd-pleasing security theater... hopefully they'll get closer to implementing something useful if they have a clue about security.

burritoboySeptember 10, 2007 2:29 PM

I read of a similar hack a few years ago that goes like this:

3 attackers get in line, the first two order the same thing, we'll call it order A, the third orders something different, order B. When the first attacker gets to the window they receive and pay for order A. When the second arrives, they receive order A (which they had ordered) but they look at it and claim that they ordered B. The employee assumes they forgot to delete the first order A from the queue (or assumes it was double entered) and deletes the second A order and allows attacker 2 to pay for and take order B. When attacker 3 gets to the window they gladly pay for and take whatever they are given, which is actually the order of the person behind them. This reinforces the employee's assumption of the glitch, because now things are back to normal.

Now every customer will get the order of the person behind them until the employee figures out what happened.

tk.September 10, 2007 2:38 PM

Random related story: I once went through a single-window drive-thru where they just quickly opened the window and handed me the food, and never even asked me for any money. I was too confused to respond before they shut the window again.

ForRealSeptember 10, 2007 3:05 PM

@ed
Of course, you've identified the most important problem; even from a "security only - just the facts Mam" viewpoint.
Don't breed and encourge thieves, etc. and you have far less of a security problem and a healthier, far more productive society.

scosolSeptember 10, 2007 3:30 PM

i did this 15 years ago... bruce, i mean this with all respect, but this is not why i subscribe to your blog :)

CaffiendSeptember 10, 2007 4:46 PM

Starbucks has similar vulnerabilities in their most heavily trafficked stores. They will often have somebody standing near the entrance taking drink orders well in advance of the cashiers, and then there is also a disconnect between the cashier and the baristas. This leaves them open to several different attacks, the most brazen being to just waltz in and steal a random latte:

More than once I've seen somebody walk in off the street, bypass the line, and just walk over to the barista station and take off with a drink before the actual paying customer had a chance to pick it up. Part of the reason this happens is that they don't call off a name or an order number, just the Fritalian name of the drink, e.g. "tall half-caf soy latte"

Christoph ZurniedenSeptember 10, 2007 6:23 PM

@Caffiend
> the cashier and the baristas
That is Starbucks. There are no Baristas at Starbucks. A Barista is an honest profession with a training time of one year, not one day. I don't want to malign the hard working people at Starbucks but to call the minimum-wage mug-movers behind the counter Baristas is a serious insult to all the real Baristas.

CZ

potkettleblackSeptember 10, 2007 7:54 PM

@scosol: "i did this 15 years ago... bruce, i mean this with all respect, but this is not why i subscribe to your blog :)"

Bruce, you've upset a liar and a thief ;-)

oyunlarSeptember 10, 2007 8:57 PM

That is Starbucks. There are no Baristas at Starbucks. A Barista is an honest profession with a training time of one year, not one day

Thanks.

merkelcellcancerSeptember 10, 2007 9:37 PM

"At these McD's, when you order, your picture is taken and you are actually speaking to a person in a call center several states away."

OMFG call centers for food. This is the one thing I fear....

.... You can not pronounce my name but call me "John or Bob, or Jim" please repeat your order the line is not clear (all the way to near asia)....

..... you can not order that from here, you must reformat your hard drive...

.... oh sorry, wrong caller.

StephenSeptember 10, 2007 9:48 PM

It should be even more effective with a radio scanner in your car tuned to the intercom frequency - that way you'd know what the person behind you's order should be.

BOB!!September 10, 2007 9:50 PM

@CGomez
"I think the major problem is simply that you don't get what you want."

Which makes the two-car exploit mentioned by mlw an even more effective attack. The second car places an order for the occupants of the first and second cars. The first car picks up the order, then the second car asks for the money to be returned rather than waiting for the (large) order to be filled again.

Terry ClothSeptember 11, 2007 4:46 AM

@dave: [F]inding an exploit in the operation of a fast food restaurant is not quite what I was expecting.

The point is not the target or the payoff of the exploit, but the mechanism of the exploit. Such methods can apply to much more important situations (though nothing comes immediately to mind for this one :-).

For more obviously-important items, see, e.g., http://www.schneier.com/crypto-gram-0708.html#1, http://www.schneier.com/crypto-gram-0708.html#9, or http://www.schneier.com/crypto-gram-0708.html#12

Just remember to shut your eyes every Friday, when it's Squid Blogging Time.

MarkoSeptember 11, 2007 8:09 AM

Antibozo: There is a difference on pblishing an exploit and giving instructions how to receive a free lunch.
As the exploit discussed here has quite many flaws that actually makes it non-feasible (like getting what you want requires 2 cars etc.) there is someone who still used it even if it was unpublished. Now next time when someone offers you _wrong_ set of meals at your favourite drive-in you can publish your findings of the behaviour of the vehicle in front of you (as they drove off with your lunch - and are likely to do that again).
Ed & co: usually at 3-7 years people are in stage where right and wrong are not a matter for evaluation rather than compelling rules. Therefore it would be impossible to discuss any flaws in any system with my young boy - because he would say: ''But dad - using that exploit - it is wrong - isn't it?''
I -could- also use the exploits available to ''shop freely'' from most of the conveinience stores with minimal risk of getting caught - but still I do pay for my shopping now-a-days. Why?
Discussing and knowing exploit is not the way to use it. Discovering the first exploit by yourself (and making you feel superior to rest of the dumb-a****s) can well be.
If you know that most of the systems can be beaten with enough effort you can then evaluate the effort and the ethics and then see that usually there is no point.
If you do not know any way to beat the system - well - then you don't really have a choise - do you? And the freedom of choosing between right and wrong - I think - is what makes us human.

CGomezSeptember 11, 2007 8:58 AM

I still think these exploits wander into the realm of thought experiment.

I don't see articles discussing fast food theft as a major epidemic.

I think this is just one of those areas where the general honesty of people combined with the low value of the target work together to avoid the need for any further security.

However, there is a lesson to be learned. When 100% of your flying public is honest and just wants to get to a destination, it doesn't work to simply treat them all as potential terrorists. It certainly does not work to put names on a list or keep shampoo off a plane.

There must be a better and more secure way.

antibozoSeptember 11, 2007 11:45 AM

Marko> Antibozo: There is a difference on pblishing an exploit and giving instructions how to receive a free lunch.

I have no idea what in my comment you are responding to. Are you saying that this topic doesn't sound like something from "Steal This Book"? While I might more or less agree with much of what you say, I have no idea what you thought I wrote that made your comment seem sequitur.

Back in 1971, well-known yippie Abbie Hoffman self-published a number of tactics for getting free food from restaurants, as part of a general anti-establishment screed. In view of the echoic cultural devolution that brings us modern bell-bottoms and "That 70's Show", I find it interesting to see something so similar surface 36 years later on a self-publishing site (youtube) and then discussed on a site (here) that covers "underground" matters.

What did you think I was saying?

Marko> As the exploit discussed here has quite many flaws that actually makes it non-feasible (like getting what you want requires 2 cars etc.) there is someone who still used it even if it was unpublished.

I don't see it as non-feasible. And "what you want" is exactly what you will get, even with one car, if what you want is free food. What I find amusing about this tactic is that the thief is already in the "getaway" vehicle if something goes wrong. It wouldn't work in a similar order/pickup cafeteria setting largely because in this scenario, by the time the larceny is discovered, the thief is long gone, and also because cafeterias often employ tokens (numbered receipts, for example).

Marko> I -could- also use the exploits available to ''shop freely'' from most of the conveinience stores with minimal risk of getting caught - but still I do pay for my shopping now-a-days. Why?

Um, because you're ethical, like the rest of us?

Marko> And the freedom of choosing between right and wrong - I think - is what makes us human.

According to Genesis 3, it's actually what makes us divine.

antibozoSeptember 11, 2007 12:13 PM

Christoph Zurnieden> I don't want to malign the hard working people at Starbucks but to call the minimum-wage mug-movers behind the counter Baristas is a serious insult to all the real Baristas.

You got that right.

Not to mention that their coffee actually sucks. And the last time I complained that the espresso had no crema, I was told that the cream and sugar is "over there". Sigh.

JackSeptember 11, 2007 2:00 PM

I am pretty sure I saw that trick in a movie a few years ago.

Not that it would be the first time that Bruce is late on a totally lame story.

JackwhacksthackSeptember 11, 2007 5:13 PM

@Jack: Not that it would be the first time that Bruce is late on a totally lame story.

Isn't it a shame that we don't all become simultaneously aware, world wide, of every new thing? Good for you to be the definer of "late" and "lame". If something isn't news to you, really, it is best to speak up and point that out; those of us who did find it interesting are all desperate to know that you already knew ...

LeeSeptember 11, 2007 10:53 PM

This isn't about "free" it's about "stolen."

Don't have anything better to do? Well, maybe you don't, or won't. Do you want to hear the story about the poor dumb bastard who was bragging about his exploits in a corporate dining room where the people responsible for his (cancelled) promotion were in hearing range?

MarkoSeptember 12, 2007 1:15 AM

Antibozo> I have no idea what in my comment you Are you saying that this topic doesn't sound like something from "Steal This Book"?
- maybe unclear thinking on my side.


>Back in 1971..
>I find it interesting to see something so similar surface 36 years later ...

- It truly is interesting when you put it into such context.


Antibozo> I don't see it as non-feasible. And "what you want" is exactly what you will get, even with one car, if what you want is free food. What I find amusing about this tactic is that the thief is already in the "getaway" vehicle if something goes wrong. It wouldn't work in a similar order/pickup cafeteria setting largely because in this scenario, by the time the larceny is discovered, the thief is long gone, and also because cafeterias often employ tokens (numbered receipts, for example).

But is it worth it? I say it would not for me (even ethics aside). Too much hassle - like downloading "free" movies instead of buying cheap dvd's. I may have strange misconception of the value of my time. Still I see self servicing my car mostly worth it. I truly wonder why.

Antibozo> Marko> I -could- also use the exploits available to ''shop freely'' from most of the conveinience stores with minimal risk of getting caught - but still I do pay for my shopping now-a-days. Why?

Antibozo>Um, because you're ethical, like the rest of us?

That & the hassle. Usually the items that actually were worth it are protected so that it's much more hassle than the low value items.

Antibozo> Marko> And the freedom of choosing between right and wrong - I think - is what makes us human.

Antibozo> According to Genesis 3, it's actually what makes us divine.

Have to revisit that book sometime.

Bruno RodriguesSeptember 12, 2007 2:04 AM

I think you are seeing a "security" issue when there's only a stupidity issue on those French McDonalds.

Back in my land, Portugal, several years ago when I still visited drive-through McDonalds, the second person always asks your receipt to confirm what you asked and the amount of each thing.
You see, the first person will only yell to the second one "three mcnuggets and four whatevers", and then the second person puts everything in a "pool" and delivers each piece to each buyer according to the receipt.

This "just works". No need for "automatic licence readers" or "customer photos" or anything else. Not even a numbered ticket, as the receipt is the ticket itself!

BaptisteSeptember 12, 2007 8:10 AM

I confirm that the person speaks in French, and is probably driving a Renault (French) car (based on the noise), but we don't care :)

Tom ClancySeptember 12, 2007 12:57 PM

The variation we used as kids was to order a "McWater". They have to provide you with a cup of tapwater for free, so you skip the first window anyway.

John L. GaltSeptember 12, 2007 4:38 PM

Apparently many readers (and responders) missed the obvious analogy that Bruce used here - the McDonald attack is likened a sync attack on modern day networks:

"It's a clever exploit. Basically, it's a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue."

So, it would seem that Bruce's point is that many synchronization attacks are easy to fix and/or prevent, with better communication between nodes, adding tokens to packets, etc, but clearly most enterprises don't take the time to implement any of these fixes / preventive measures, and thus synchronization attacks are more successful than they ought be.

MarvinKSeptember 13, 2007 11:27 AM

The risk/reward balance for getting free fast food seems horribly wrong. Someone who hands you the stolen food may be able to identify you and possibly your car, and might recognize the 'intrusion' within several seconds (you may not even be out of the parking lot) when the next car pulls up and starts wondering why they are getting the wrong drinks (at least in some cases).

Who would risk going to jail just to steal fast food!? It seems like even shoplifting would be lower risk and in some places higher reward.

This seems like the type of example where security can go overboard. Why re-design drive-thru when all you really need to do is report the theft. This isn't something you should be able to repeatedly get away with, without finding new targets frequently.

Risk/Reward.

Kadin2048September 13, 2007 10:55 PM

I thought it was fairly interesting, if only as a real-world example of a synchronization attack. Maybe Bruce should have elaborated more in that direction, but I thought the implications were obvious: by analyzing physical security in the same way that we're used to looking at IT problems, exploits can be found (and hopefully, fixed) that would otherwise remain open only to criminals.

This is admittedly a trivial example, but there are probably lots of non-trivial examples you could find by looking for similarities.

ace00September 14, 2007 11:02 AM

Security analysis:
The business partner feels that the risk (combination of threat and vulnerability) does not justify the cost of said authentication/authorization token and process. Therefore, they have chosen to rely on defense in depth to compensate for any gap in security. In this case, probably auditing (security camera that catches your license plate). In any case, this problem will most likely be handled through the capitalistic thought process: "Is the problem costing me enough money to care about fixing it? Maybe I can just factor the losses into my next price adjustment and pass the problem on to the average stand-in-line customer."

hrsSeptember 15, 2007 7:40 AM

This is quite similar to one of the outcomes of the "HTTP response splitting" attack (http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf), especially pp 22-23, where it discusses "Hijacking a Page (HTTP response) with User Sensitive
Information". It's interesting to see the same concept works both for the physical world and the Internet.

AnonymousSeptember 24, 2007 1:38 AM

i did this one day, i didnt plan it from the start but i got halfway through and realised i didnt have my wallet so i kept driving and then in a stroke of genious realised the possibilty so i slowed down waited for the woman behind me to order and then grabbd her food and fanged it out down the street and laughed the whole time i ate her meal.. i will do it next time im desperately poor.. another one i have done which is less fun is calling mcdonalds after you get your meal and telling them it was shit.. keep your docket and they will give you another free meal next time you want one... dont use the same name twice though coz they write it down in a book

justmeOctober 19, 2007 10:12 AM

just thought i'd tell you, i had a friend (honestly lol as lame as it sounds) that would call pizza places or other fast food places and make complaints such as "my order got all messed up when i went through the drive thru last night." works really well if you put a lot of details into it. and really seem upset. and they tend to really work with you if you say the employee got an attitude when you called to complain and so you just said "forget it, i'll call the manager tomorrow." usually these complaints would result in free food even if you didn't have a receipt. call at lunch hour and they are really eager to help cause they're busy. the best way to get pizza is to say you called and placed an order the night before and waited an hour and it still didn't show up. when you called to check on your order they said they never received one. say you ordered again and waited another 45 minutes or so and still no delivery. when you called again the employee became very rude and said that it was too late for them to put this order in because they were already cleaning up and they should have called earlier. usually you get your order free and delivered at no charge.

AnonymousOctober 24, 2007 5:03 PM

I went two years without paying for food relying on them replacing something they was always making wrong.

AnonymousOctober 24, 2007 5:06 PM

Now that I am reading the last post, that is exactly what I did, McDs, Burger king, Kfc, pizza places. Fortuneately for me I do not like onions. So when I did order something half of the time it was wrong anyhow. So they really didn't know whether or not they really screwed up. After a while they started asking for receipts, but It really to a long time.

KZNovember 19, 2007 6:50 AM

So you want to deny a hungry person food THEY paid for? I'm a more than a little concerned here. You won't think this is so great if it happens to you.

APNovember 21, 2007 6:16 PM

These minum wage earners loose their jobs for cash shortages, or have to pay it back...now that is really cruel for your dishonest scam

KyleNovember 25, 2007 8:07 PM

Good to note security flaws, for purpose of thought. It is fun and all... But, please.... Are you really going to do this? Back in the day, when I was a kid we did crap like this and got a kick out of it... laughed for hours... but common folks, it is not only morally wrong but lame.

Just pay the couple bucks for a heart attack in a bag. It costs less in time (and therefore money) to simply buy your own food than to concoct a grandiose scheme to steal (of all things) fast food.

:P

sjr381December 26, 2007 8:34 PM

If your that hungry then go to a free soup kitchen. This whole page makes me really ashamed of the world we live in that people have nothing better to do with their time then to plot how to steal food.

Karen LawesDecember 30, 2007 11:09 PM

your disgusting to show people how to steal food. your trying to make a living showing people how to cheat the system instead of trying to make one yourself. Grow up and write about something that is moral for once. I'll come back someday and get you for this. Promise. Loser

ulyaJanuary 5, 2008 1:01 PM

umm well it won't work that well cuz there has to be a car in bahind you, and uhh sometimes there just isn't..

Bruce SchneierJanuary 5, 2008 3:26 PM

"...it won't work that well cuz there has to be a car in bahind you, and uhh sometimes there just isn't."

Yes. You have to do the attack when there is a line at the drive-through window. Either go at peak times; or idle near the drive-through lane until you see someone pull in and then scoot in front of him. It takes some thought, but it's not very hard.

slamma jammaFebruary 22, 2008 1:35 PM

Mcdonald's? Common Ladies and Gentlemen!
I worked with a video producer to document a theif who used to ri off shopping cart loads of food (sometimes 2 or three) He said the single most important thing is confidance. If you eliminate the doubt and falsely make yourself believe in your justification, you are more likely to pull off the job.
Anyway, this guy would go into the supermarket, grab a cart at the front, do all his regular shopping, and then walk right out. Big items that don't fit in shopping bags look less obvious as your walking out the door.
He got away with it for more than 15 years!
...and with all of the money corporations make, it's a small drop in the bucket.
If 1% of the population grabbed $200 worth of food and didn't pay, the only scratch it would make on the surface would be the stock. The profit margins are still there...

Sami SanchezFebruary 25, 2008 11:52 AM

i need to find coupons fro fast food restaurants!!! Every web site i get they have absolutley nothing. So can you please help me out

Sami SanchezFebruary 25, 2008 11:52 AM

i need to find coupons for fast food restaurants!!! Every web site i get they have absolutley nothing. So can you please help me out

JonathanMarch 9, 2008 7:00 AM

Don't know if this has been suggested, but surely a stupidly easy fix is to give the "ordering" window the ability to register a zero-value order as a marker for the car in this queue position?

Maybe I'm missing something here ... :-\

DownWithBigBusinessJuly 14, 2008 2:58 PM

I say that it is obvious that we are being taken advantage of every time we go out to eat anywhere, they are making such a HUGE profit, they pay pennies and make millions.
I live by the pirates code because of this, they take advantage of us all, including there low-paid employees that they usually treat like slaves.
If you want a bunch of free stuff just write emails to the companies you want it from and state you are a loyal long time customer and you were dissatisfied with a recent visit or purchase, they will send you hundreds of dollars in free merchandise and gift certificates, so so so easy.
Anarchy over government.

Anarchy+Peace=FreedomJuly 14, 2008 3:35 PM

To add to that you get the people posting here saying they are ashamed and disgusted by people getting free food.

These people have never been through hard times, though they tend to swear they have been through them a million times, yuppy's, the enemy, the SUV driving, world polluting, republican voting pieces of waste that have contributed to the way the world is now, and the very REASON some people have to do these sorts of things.

Me personally I do it to get back at establishment, big business, you know they could sell you a big mac for 50 cents and still make a 35 cent profit, but instead they see how far they can push the price before the purchases start to decline, then they leave it there till the next time they can ratchet it up some more.

This is what makes me feel ashamed and disgusted to live in this capitalist idiot-driven machine we call the land of the free, what freedom, land of the free to apply for a job and not get it for one reason or another, or freedom to get yourself so far into debt you have to work till old age and die unhappy.

I say screw you people who say stupid things such as being disgusted about other peoples business, go drive your luxury automobile, enjoy it while it lasts, and i'll look forward to seeing you all at the Revolution frontlines, under the anarchists boots.

'We are a country of sheep, ran by pigs, owned by wolves.'

OyunSeptember 1, 2008 5:53 AM

I went two years without paying for food relying on them replacing something they was always making wrong....

RogerSeptember 1, 2008 8:39 AM

@slamma jamma:
@slamma jamma:
> If 1% of the population grabbed $200 worth of food and didn't pay, the only scratch it would make on the surface would be the stock. The profit margins are still there...

No doubt this makes you feel better whilst stealing stuff, but it isn't remotely true. If the profit margin on some item is p, i.e.
p = (s - c) / s
where s is selling price and c is costs, then the loss of $200 worth of the item (whether by theft, or in-store damage, or whatever) will absorb the entirety of the profits from (1-p)/p x $200 of sales.
What is a typical value for p? It depends on the industry, but for example, Walmart's typical nett profit margin is 3.4%, so (1-p)/p = 0.966/0.034 = 28.41
Thus stealing $200 (selling price) of goods from Walmart absorbs *all* their profits from $5682 in sales. If 1% of the population stole all or most of the stuff they took, it would cut Walmart's profits by 1% (or actually, 1/99th) of 28.41, i.e. a 28% reduction in their nett income. Suppose you made $500/week after taxes, and the local hoods started stealing $140 from you, every week! That's not exactly scratching the surface of the stock price; it's more like mass lay-offs!

It is true that some industries and products have much higher profit margins than 3.4%. However in most cases

RogerSeptember 1, 2008 8:41 AM

...However in most cases, these are expensive articles with low turnovers and the margin is needed to cover high overheads. Gross profit margin may be high, but nett will be a lot lower.

BrianSeptember 5, 2008 10:07 PM

Here is a way to get free mcdonals that is PERFECTLY LEGAL!!, however, this is mostly only convenient for drunken college students and only works if you use a credit card to pay. Go to Mcdonals at around 2:15 - 2:30am, you may have to actually pay for a few meals before this really works. Around this time, All McDonalds branches must "Send all their credit card info for the day to their central processing center". Hand them the card when it is time to pay and they will look at you with a helpless look and say "We cant process any credit cards, our system is down for 30 minutes while we send all of our credit card transactions out for the day" The proper response is "oh....... I dont have any other way to pay you" It doesnt take alot, they will give you the food free of charge. I found out about this by mistake, and every time I have a late night, it works, 100% of the time. This theory assumes that all McDonalds send out their transactions at the same time, Like I said, you may have to fine tune this method and pay for a few meals before you find the sweet spot. I recomend 30 minute increments to attempt to find out when you must strike. Good luck

MirandaDecember 16, 2008 12:12 PM

I have worked enough fast food in my life to know how much food ALOT of them just throw away because of mistakes...if they would HAVE to save the food and give it away to starving or broke people at closing time or at two half points in the day then maybe people who are broke and starving woldn't have to steal anything, they could just stand in line to get the free food or fight over it lol if its just thrown into a bin or whatever but the point is they should give all the mistakes away instead of throwin them away there are people all over this country starving to death and we throw away SO MUCH food...lets just give it to them or donate them to food banks (A lot of them do already) but f someone is BROKE and starving or have kids to feed then by all means you gotta do what you gotta do to get by sometimes and until you are in their situation you have no place to sit back in your nice house with all your money and nice paying job who can afford food to judge people's actions who are starving to death. And before anyone even says a word about it if yo dont have kids at least in OH and your single they only give you about $40 a month in food stamps and want you to work40 hours a week for them...thats bull shit if I worked 40 hours a week Id buy my own food and WAY more than 40 dollars worth, this isnt Mexico Im not working for $10 a week for 40 hrs and food banks ae so overloaded they only give 2 people about enough food to last a week and you can only go once a month usually...what are people supposed to do??? Most people dont make enough money to pay rent and bills and car payments and insurance and get gas to even get to work (not all places have taxi' and busses) not even everyone can afford a car...let alone be able to buy enough food for themselves or their family...food is a necessity not a priveledge lets start treating it as such!

MirandaDecember 16, 2008 12:45 PM

Though I do agree don't do the money one because the poor employees do have to pay for that and they don't amke shit or money and a lot of them are younger people with children to support or old people and thats not right, the idea is to get the food at the cost of the company not the employee and not only that even though I totally see why stealing is sometimes what u gotts do in the end it really hurts everyone because eventually after so much theft it will make the prices of EVERYTHING go up and then everybody looses.

think about itDecember 28, 2008 6:08 PM

The thing none of you are considering is the economy today. I have gotten free food from a few different places. I have done the pizza thing where you call and claim that you never received your order and that the order taker was a complete smart ass and gotten free pizza. I have also went to mcdonalds and told them my order from the night before was completely messed up and gotten free food. But I dont think this should be done just for fun. and at the same time I see some of you on here judging everyone for doing it. Here is the thing first of all these places throw more food away in a shift than is getting stolen and when I did it it was needed badly. We have a family of 9- 6 adults and 3 kids. We were all working making fairly good money one day and the next our company shut down 4 out of six of the adults worked at this company in various positions. We all had to move in together in order to make ends meet with just 2 pay checks still coming in. Then one of those pay checks was cut out due to medical reasons. That member of the family is a disabled iraqi war vet and was doing a physical labor job and could no longer do it anymore as it made his disability worse. Then the other one of the paychecks was garnished due to the fact that we had to break a lease on one of the homes in order to keep a roof over our heads. So now we are down to one partial paycheck. Two of the cars got repod so we are down to one of those as well. We have went job hunting only to be told that we are over qualified for the jobs that are hiring and the jobs we are qualified for they are not hiring for in our area. We do not have a soup kitchen and the food pantries are all out of food as the economy is so bad at this time so yes after about a week of feeding the kids biscuits and gravy cause water, flour and lard were the cheapest things we could stock up on we were out of that and were getting a paycheck the following day so i did "steal" food from mcdonalds. Don't be so judgemental you do what you have to do to survive when our country would rather help the rich people at the banks than to just cut the average person a check. Do you realize we would not have to do any of this if the government thought out their decisions. All that money they gave to the banks to supposedly better our economy if they sent every family in the us a check for 1 million dollars they could have still spent less than they gave to the banks. So yes I have morals and standards but when my kids are hungry i dont care who gets in my way i will feed them

suicideiconApril 6, 2009 8:24 AM

im afraid this one is based on luck, i worked at a mcdonalds when i was 19 and they had a method where the person working the back window would call a "drive through" the front window would then make sure the drive through car went around rather than stop

TimmahMay 11, 2009 11:31 AM

another way to get free food is to take something out of the food bag and tell the people at the window they forgot something.

Dmobile215May 13, 2009 11:58 PM

Well I am from Philadelphia and we say get in where you fit in, if thats what you have to do to survive its better then someone coming at gun point or hurting someone for a few bucks, you never know what mistakes people made in there lives that they can not get a job working at mcdonalds, I can not get a fu*kin job now.

And I am on probation damn right if I can get away with taking a few 99cent chesseburgers then so be it. I do not feel bad I have had my ups and I am living on the edge now. This is how the game goes what can we do about it. If they are not aware then do what you have to do for a meal as long as your not hurting anyone then I say live it up.

medyumAugust 3, 2009 2:15 AM

I went thru all of college and never heard of this. And I know a lot of guys who dumpster dive and whatnot. I think the benefit (getting random food and having to time the attack just right) far out weight just digging thru your cushions for 99 cents.

I did work with a guy who hit us (his co workers) up for money to get the 99 cents and came back with food for 4 because of a mistake made by a two window system. But, what makes that a cool story is how rare it is.

Even in the 1960's McD's was tracking sales vs stock to make sure there was no theft going on. My father was almost fired for a discrepancy but it turned out his co-worker couldn't do math and was coming with the wrong totals on orders. I have to assume they haven't gotten worse at tracking errors

MedyumlarMay 6, 2010 5:48 AM

Even in the 1960's McD's was tracking sales vs stock to make sure there was no theft going on. My father was almost fired for a discrepancy but it turned out his co-worker couldn't do math and was coming with the wrong totals on orders. I have to assume they haven't gotten worse at tracking errors

estetikMay 23, 2010 4:09 PM

Now that I am reading the last post, that is exactly what I did, McDs, Burger king, Kfc, pizza places. Fortuneately for me I do not like onions. So when I did order something half of the time it was wrong anyhow. So they really didn't know whether or not they really screwed up. After a while they started asking for receipts, but It really to a long time.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..