It is a common prank to order pizza for someone else by forging their identity. All you have to do is give the other guy's name and address, and just imagine his surprise when he opens the door to find the delivery guy holding five extra-large pizzas. Of course, pizzerias use caller ID to avoid taking orders from third-party numbers. So far so good.
But here comes the Internet to spice things up! The Greek branch of Domino's, at dominos.gr, lets you place online orders using a pretty lame authentication system. All users have to enter is their phone number and their street number (just the number, not the street name). The first time you order, you have to do it by phone so that you provide all your details. The second time, though, you enter your phone number in the website form, they pull your record and carry out the order. In fact, the online accounts use the same database as the dial-in customers.
Do you see the problem here?
If I know a guy who orders from Domino's (he doesn't even have to order online), I can easily look up his phone number (courtesy of the national, public phone records) and his address. So I can bill him for a dozen or so pizzas. The advantage over the original phone prank is that in this case I cannot be traced! Whether I am using a dynamic ISP IP (the records are classified, and no warrant will ever be granted for that purpose), a public hot-spot, an Internet cafe or even Tor, I pretty much stay under the radar.
I don't get these guys. The information they need to log you in is in the public domain! Anyone, anywhere, at any time may access it, copy it and use it freely. How about that? LOL!
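The design flaw is that both "credentials" are public-record data, so knowing them proves nothing about who is at the keyboard. The following is an added example, not code from the original post or from dominos.gr: a toy Python order-login that puts the described phone-number-plus-street-number check beside a version that additionally requires a one-time code delivered out of band to the phone number already on record. The customer record, the phone number and the code handling are all constructed for illustration.

```python
"""Weak knowledge-based login vs. possession-based login (constructed example).

The weak path reproduces the scheme described above: phone number + street number.
The hardened path keeps that lookup but also demands a short-lived, single-use
code that is only ever sent to the phone on record, never returned to the caller.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample customer record, the kind a dial-in order system would hold.
CUSTOMERS = {
    "2101234567": {"name": "Example Customer", "street_no": "12", "street": "Example St"},
}


def weak_login(phone: str, street_no: str):
    """Returns the customer record if phone and street number match.
    Both inputs are in public phone directories, so this is not authentication."""
    rec = CUSTOMERS.get(phone)
    if rec and rec["street_no"] == street_no:
        return rec
    return None


@dataclass
class OtpIssuer:
    """Issues and verifies one-time codes bound to the phone number on record."""
    ttl_seconds: int = 300
    max_attempts: int = 5
    # phone -> (sha256 of code, expiry timestamp, failed attempts so far)
    _pending: dict = field(default_factory=dict)
    # Stand-in for an SMS gateway: in production the code only leaves via SMS.
    sent: list = field(default_factory=list)

    def issue(self, phone: str) -> None:
        """Generate a code and 'send' it to the phone on record only.
        Unknown numbers get the same silent behaviour, so there is no
        account-enumeration signal in the response."""
        if phone not in CUSTOMERS:
            return
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[phone] = (digest, time.time() + self.ttl_seconds, 0)
        self.sent.append((phone, code))

    def verify(self, phone: str, code: str) -> bool:
        """Constant-time check; codes expire, are single use and lock after
        max_attempts wrong guesses."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if time.time() > expiry or attempts >= self.max_attempts:
            del self._pending[phone]
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            del self._pending[phone]  # single use
        else:
            self._pending[phone] = (digest, expiry, attempts + 1)
        return ok


def hardened_login(issuer: OtpIssuer, phone: str, street_no: str, code: str):
    """The public-record lookup alone is not enough: the caller must also
    present the code that was delivered to the phone on record."""
    rec = weak_login(phone, street_no)
    if rec is None or not issuer.verify(phone, code):
        return None
    return rec


if __name__ == "__main__":
    issuer = OtpIssuer()
    issuer.issue("2101234567")
    _, delivered = issuer.sent[-1]  # what the real phone's owner would read
    print("weak login:", weak_login("2101234567", "12") is not None)
    print("hardened login, wrong code:", hardened_login(issuer, "2101234567", "12", "000000"))
    print("hardened login, right code:", hardened_login(issuer, "2101234567", "12", delivered))
```

The hardened path ties the order to possession of the phone the account was created with, which is exactly what caller ID did for the dial-in flow; the code is hashed at rest, compared in constant time, expires, is single use, and the number of guesses is capped so a six-digit code cannot simply be brute-forced.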