From Bruce Schneier’s “Getting Free Food at a Fast-Food Drive-In” (Crypto-Gram: 15 September 2007):
It’s easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won’t work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food. The video demonstrates the attack at a McDonald’s in — I assume — France.
Wait until there is someone behind you and someone in front of you. Don’t order anything at the first window. Tell the clerk that you forgot your money and didn’t order anything. Then drive to the second window, and take the food that the person behind you ordered.
It’s a clever exploit. Basically, it’s a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.