Canada’s favourite coffee and donuts shop is rolling out its mobile payments app across the country and has fixed a security gap previously identified by

The TimmyMe app is available for Apple’s iOS, Google’s Android, and BlackBerry 10 platforms. Along with identifying your closest Tim Hortons (or 10 of them) and organizing a coffee run with a digital list tool that lets you invite your friends to place their order with you, the app also now allows you to pay for your order. Users can either register the physical gift cards they buy at Tim Hortons on the app or just add a digital card to their app.

After a pilot phase in St. Catharines and a soft rollout across Ontario, Tim Hortons is now publicly announcing that participating restaurants across Canada are accepting mobile payments, according to Gordon Phillips, vice-president of restaurant technologies at Tim Hortons.

“The demographics are moving towards mobile phone adoption and the numbers get higher every year,” he says. “Canadians are comfortable paying with their phones.”

During the pilot phase in February, followed up on a tip from reader and independent security consultant Darryl Burke, who identified a security flaw in the TimmyMe app at that time.

The app transacts payments by displaying a bar code on the screen that’s scanned by cashiers. But the PDF417 bar code generated by the app could be easily replicated using freely available online tools and other mobile apps. So it’d be possible to walk into a Tim Hortons and write down a 16-digit number from a gift card on display by the cash, generate a bar code for it and then wait for someone else to load money on the card. conducted a test of the flaw by using a bar code generated by a third-party app from a gift card it purchased and was successful in making a purchase at a Tim Hortons participating in the pilot.
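To make the weakness concrete, here is an added Python illustration (not code from the TimmyMe app, from IBM, or from the original article). It models a bar code whose payload is nothing more than the 16-digit card number, so anyone who reads the number off a card can regenerate an identical code, and contrasts it with an assumed hardened design in which the bar code carries an opaque card token plus a time-windowed HMAC that the issuer verifies server-side. The token format, the 60-second window, the per-card device secret and the replay cache are all assumptions for illustration; the article does not describe how the shipped fix works.

```python
"""Static vs. time-bound payment bar code payloads (added illustration).

Models the weakness described above: if the bar code is only the gift
card number, anyone who can read the number can regenerate the code.
The hardened scheme below is an assumed design for illustration, not a
description of the fix Tim Hortons and IBM actually shipped.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# --- Weak design: the PDF417 payload is the card number itself --------


def static_payload(card_number: str) -> str:
    """Bar code payload is just the 16 digits; there is no secret in it."""
    return card_number


def clone_from_observed_number(observed_digits: str) -> str:
    """Attacker regenerates an identical payload from a number read off a card."""
    return static_payload(observed_digits)


# --- Hardened design (assumed): opaque card token + rotating MAC -------

WINDOW_SECONDS = 60  # assumed tolerance for clock skew and scan delay


def time_bound_payload(card_token: str, device_secret: bytes,
                       now: Optional[int] = None) -> str:
    """Payload = token|window|nonce|mac; the 16-digit number never appears.

    device_secret is assumed to be provisioned to the enrolled app at
    registration and known to the issuer. A photographed payload is
    useless once its window has passed and reveals no card number.
    """
    now = int(time.time()) if now is None else now
    window = now // WINDOW_SECONDS
    nonce = secrets.token_hex(4)
    msg = f"{card_token}|{window}|{nonce}".encode()
    mac = hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:16]
    return f"{card_token}|{window}|{nonce}|{mac}"


class Issuer:
    """Server-side verifier holding per-card secrets and a replay cache."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}
        self.seen: Set[str] = set()

    def enroll(self, card_token: str) -> bytes:
        """Provision a fresh device secret for a card (assumed enrollment step)."""
        secret = secrets.token_bytes(32)
        self.secrets[card_token] = secret
        return secret

    def verify(self, payload: str, now: Optional[int] = None) -> bool:
        """Accept a scan only if it is well-formed, fresh, authentic and unseen."""
        now = int(time.time()) if now is None else now
        try:
            card_token, window_s, nonce, mac = payload.split("|")
            window = int(window_s)
        except ValueError:
            return False
        secret = self.secrets.get(card_token)
        if secret is None:
            return False
        # Accept the current or the immediately previous window only.
        if now // WINDOW_SECONDS - window not in (0, 1):
            return False
        msg = f"{card_token}|{window}|{nonce}".encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, mac):
            return False
        if payload in self.seen:  # the same scan cannot be spent twice
            return False
        self.seen.add(payload)
        return True
```

A point a practitioner would check when evaluating the fix: if the "encrypted bar code number" were simply a static ciphertext of the same 16 digits, it would still be a reusable credential that can be photographed and replayed. What removes the cloning problem in the assumed design above is binding each payload to a secret the attacker does not hold and to a short time window, with the issuer refusing expired, forged or already-seen scans.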

Tim Hortons updated the way its bar codes are encrypted for its mobile app.

Since then, Tim Hortons has worked with app developer IBM Corp. to fix the flaw, Phillips says.

“I don’t want to get into too much detail,” he says. “Basically it’s encryption of the bar code number and then representation of that encrypted bar code number.”

Tim Hortons didn’t hear about anyone losing money as a result of the flaw, he adds.

“We had it on the roadmap, we identified it as something that should be part of the solution,” he says. “It wasn’t more technically challenging than any other development we had to do.”

Using the bar code is just one method of mobile payments offered by the TimmyMe app on BlackBerry 10. Users of those devices also have the option to tap-to-pay using the near field communications (NFC) chip. Tim Hortons is also looking to allow Android users to pay via the NFC chip on devices that support it (such as the Samsung Galaxy series) soon, Phillips says. Other technology for allowing mobile payments hasn’t been ruled out either.

“We see NFC and bar code as the two that have momentum in the market right now,” he says. “We want to be well positioned for both technologies and make those available for our customers.”

Also new in the updated version of TimmyMe is integration with Apple’s Passbook feature.
