Domino’s Pizza lost about $77,000 in free pizza due to a weak password on an online promotion that wasn’t supposed to go live — a type of security problem that is all too common, according to a presentation slated for the Black Hat USA conference this week.
A hacker guessed a promotional coupon code that authorized a free medium one-topping pizza and publicized the code, which got used about 11,000 times in 48 hours, according to Jeremiah Grossman, founder and CTO of White Hat Security, who will deliver the talk.
Patrons ordering pizza online would put in their order then enter the code, essentially a password, into the “coupon” field on the site, he says.
The Domino’s incident is one of about a dozen examples of how people can make money — not necessarily legally — off the Internet that Grossman will discuss in his briefing, called “Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way”.
The person who guessed the Domono’s password — BAILOUT — was never caught, Grossman says, and the promotion had been set up in the chain’s system without getting the go-ahead.
Many businesses authorize their marketing departments to set up such promotions without advice from their network security teams so they often lack anti-brute-force protections and lockouts, he says.
In another malicious guessing game, a man charged with scamming Apple out of 9,000 iPod Shuffles did so in part by guessing at legitimate Shuffle serial numbers, Grossman says.
He set up a phony Web business called iPod Mechanic that supposedly took in broken iPods and returned them for new ones under Apple’s advanced replacement program.
Apple required a legitimate iPod serial number and a credit card number to bill if Apple didn’t receive the broken device, Grossman says.
The man used credit card numbers from Visa gift cards to satisfy pre-authentication for the replacement service, and using the known serial numbers of actual iPod Shuffle’s, he guessed at others.
When the new iPods arrived, he sold them on eBay for $49 each, Grossman says.
The scammer was caught because Apple’s trademark protection people flagged the unauthorized use of iPod in the business’ name, iPod Mechanic.
Police found $571,000 in cash at the perpetrator’s house, Grossman says.
He will also discuss how a British builder located lead-tile roofs in London via Google Earth, then scaled the buildings — mostly museums and historic buildings — to steal the tiles. Police estimate that he made off with about $1.64 million in lead during his spree.
Grossman says he plans to talk about a scheme that netted perpetrators a nine-figure payday as well as the Gmail attack that compromised Twitter business plans. His talk is a follow-up to last year’s talk, “Get rich or die trying, making money on the Web the black hat way.”