Tim Hortons fixes security flaw for nationwide mobile payments rollout

Canada’s favourite coffee and donuts shop is rolling out its mobile payments app across the country and has fixed a security gap previously identified by ITBusiness.ca.

The TimmyMe app is available for Apple’s iOS, Google’s Android, and BlackBerry 10 platforms. Along with identifying your closest Tim Hortons (or 10 of them) and organizing a coffee run with a digital list tool that lets you invite your friends to place their order with you, the app also now allows you to pay for your order. Users can either register the physical gift cards they buy at Tim Hortons on the app or just add a digital card to their app.

After a pilot phase in St. Catharines and a soft rollout across Ontario, Tim Hortons is now publicly announcing that participating restaurants across Canada are accepting mobile payments, according to Gordon Phillips, vice-president restaurant technologies at Tim Hortons.

“The demographics are moving towards mobile phone adoption and the numbers get higher every year,” he says. “Canadians are comfortable paying with their phones.”

During the pilot phase in February, ITBusiness.ca followed up on a tip from reader and independent security consultant Darryl Burke, who identified a security flaw in the TimmyMe app at that time.

The app transacts payments by displaying a bar code on the screen that’s scanned by cashiers. But the PDF417 bar code generated by the app could be easily replicated using freely available online tools and other mobile apps. So it’d be possible to walk into a Tim Hortons and write down the 16-digit number from a gift card on display by the cash register, generate a bar code for it and then wait for someone else to load money on the card. ITBusiness.ca conducted a test of the flaw by using a bar code generated by a third-party app from a gift card it purchased and was successful in making a purchase at a Tim Hortons participating in the pilot.

Tim Hortons updated the way its bar codes are encrypted for its mobile app.

Since then, Tim Hortons has worked with app developer IBM Corp. to fix the flaw, Phillips says.

“I don’t want to get into too much detail,” he says. “Basically it’s encryption of the bar code number and then representation of that encrypted bar code number.”

Tim Hortons didn’t hear about anyone losing money as a result of the flaw, he adds.

“We had it on the roadmap, we identified it as something that should be part of the solution,” he says. “It wasn’t more technically challenging than any other development we had to do.”
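As an added illustration (not code from the TimmyMe app or IBM, and not a description of the actual fix beyond its stated goal), the contrast between the pilot’s payload, which was the card number itself, and a short-lived, server-authenticated payload that cannot be reproduced from a number copied off a card; `ISSUER_KEY`, `card_ref` and the token layout are assumptions for the demo.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed demo key; in a real deployment it would be held only by the
# issuer's backend and never shipped inside the app.
ISSUER_KEY = b"constructed-demo-issuer-key"
TOKEN_TTL = 60  # seconds a displayed bar code payload stays valid

def static_payload(card_number: str) -> str:
    """Pilot-style payload as the article describes it: the raw 16-digit
    card number. Anyone who can read the number can reproduce the bar code
    and present it later, so the bar code is a replayable bearer credential."""
    return card_number

def issue_token(card_ref: str, now: int, nonce: Optional[bytes] = None) -> str:
    """Backend side: mint a short-lived, single-use payload for the app to
    render as a bar code. card_ref is an internal account id (assumed), not
    the printed card number, so the printed number never enters the bar code."""
    nonce = os.urandom(8) if nonce is None else nonce
    body = f"{card_ref}.{now}.{nonce.hex()}"
    mac = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def redeem_token(payload: str, now: int, seen_nonces: set) -> Optional[str]:
    """Backend side, called by the point of sale with the scanned payload.
    Returns the card_ref to charge, or None if the payload is forged,
    expired, or has already been redeemed."""
    try:
        card_ref, issued_at_s, nonce_hex, mac = payload.split(".")
        issued_at = int(issued_at_s)
    except ValueError:
        return None                      # malformed payload
    body = f"{card_ref}.{issued_at}.{nonce_hex}"
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # tampered or self-generated payload
    if not (issued_at <= now < issued_at + TOKEN_TTL):
        return None                      # stale screenshot or clock skew
    if nonce_hex in seen_nonces:
        return None                      # replay of an already-used bar code
    seen_nonces.add(nonce_hex)
    return card_ref
```

The point of sale only ever forwards the scanned string; knowing a card number, or even a previously displayed payload, gives no way to mint a new one without the backend key.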

Using the bar code is just one method of mobile payments offered by the TimmyMe app on BlackBerry 10. Users of those devices also have the option to tap-to-pay using the near field communications (NFC) chip. Tim Hortons is also looking to allow Android users to pay via the NFC chip on devices that support it (such as the Samsung Galaxy series) soon, Phillips says. Other technology for allowing mobile payments hasn’t been ruled out either.

“We see NFC and bar code as the two that have momentum in the market right now,” he says. “We want to be well positioned for both technologies and make those available for our customers.”

Also new in the updated version of TimmyMe is integration with Apple’s Passbook feature.

Brian Jackson, http://www.itbusiness.ca
Editorial director of IT World Canada. Covering technology as it applies to business users. Multiple COPA award winner and now judge. Paddles a canoe as much as possible.