Domino's Pizza lost about US$77,000 in free pizza due to a weak password on an online promotion that wasn't supposed to go live – a type of security problem that is all too common, according to a presentation at the Black Hat USA conference.
A hacker guessed a promotional coupon code that authorised a free, medium, one-topping pizza and publicised the code, which got used about 11,000 times in 48 hours, according to Jeremiah Grossman, founder and CTO of White Hat Security, who delivered the talk.
Patrons ordering pizza online would put in their order then enter the code, essentially a password, into the "coupon" field on the site, he said.
The Domino's incident is one of about a dozen examples of how people can make money – not necessarily legally – off the internet that Grossman said in his briefing, called "Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way".
The person who guessed the Domino's password – BAILOUT – was never caught, Grossman said, and the promotion had been set up in the chain's system without getting the go-ahead from the company's network security team. Many businesses authorise their marketing departments to set up such promotions without advice from their network security teams, so they often lack anti-brute-force protections and lockouts, he said.
In another malicious guessing game, a man charged with scamming Apple out of 9000 iPod Shuffles is alleged to have done so in part by guessing at legitimate Shuffle serial numbers, Grossman said.
It is claimed that the scammer set up a phony web business called iPod Mechanic that supposedly took in broken iPods and returned them for new ones under Apple's advanced replacement programme. Apple required a legitimate iPod serial number and a credit card number to bill if Apple didn't receive the broken device, he said.
The man is said to have used credit card numbers from Visa gift cards to satisfy pre-authentication for the replacement service, and using the known serial numbers of actual iPod Shuffles, he guessed at others. When the new iPods arrived, he sold them on eBay for US$49 each, Grossman said.
The scammer was charged because Apple's trademark protection people flagged the unauthorised use of iPod in the name of the business, iPod Mechanic. Police found $571,000 in cash at the perpetrator's house, Grossman says.
He also discussed how a British builder located lead-tile roofs in London via Google Earth, then scaled the buildings – mostly museums and historic buildings – to steal the tiles. Police estimate that he made off with about $1.64 million in lead during his spree.
Grossman talked about a scheme that netted perpetrators a nine-figure payday as well as the Gmail attack that compromised Twitter business plans. His talk was a follow-up to last year's presentation, "Get rich or die trying, making money on the web the Black Hat way."