McDonald's - did you want to get fried with that transaction?
by David Heath   
Thursday, 22 October 2009
Recent reports of EFTPOS fraud in a number of McDonald's stores across Perth leave me somewhat perplexed regarding the protection of the payment system within the stores.

There have been numerous reports in the press relating to a daring attack in which fraudsters physically replaced the EFTPOS machines on the front counter of numerous McDonald's stores and captured customer card data.

The reports are (currently) vague as to how many stores and machines were affected, but it seems around 3,500 customers have lost a total of at least $4,000,000.

In one of the reports, Western Australia's top fraud officer Detective Senior Sergeant Don Heise said the McDonald's scam occurred when legitimate eftpos PIN pads were replaced by bogus ones that transmitted PINs to criminals.

"It does not take much time to switch one of these (PIN pads) over, perhaps 15 to 20 seconds. It's plug and play."

The most likely scenario in the scam had been that McDonald's workers had been distracted while providing services to customers.  The fake EFTPOS devices were then probably substituted.

Around the world, such systems are governed by the Payment Card Industry Data Security Standard (PCI DSS), which mandates a far-reaching set of rules to control the use of such systems. At the very least, McDonald's is in breach of Requirement 12: Maintain a policy that addresses information security. However, they are also almost certainly in breach of other requirements that address the validation of device connections. After all, surely there is a process to electronically confirm the identity of every device to be sure it hasn't been swapped.

Surely also there should be physical security – why was it so easy for someone to remove the real PIN pad device and replace it?

Police are suggesting that although new to Western Australia, this kind of attack is widespread around the world.  So, gone are the days of making sure the card never leaves your hand to avoid being 'skimmed.'

Currently, anyone who has used a card for payment in a Perth-based McDonald's store during the first half of October is strongly urged to watch their account for any fraudulent transactions and to urgently notify their card issuer if anything is seen.

There is no news as to whether McDonald's or your bank will be reimbursing missing funds.

About iTWire

iTWire is all about technology news, information, jobs and community for the IT and telecommunications industry professional.