A security researcher has warned that companies don't need to be victims of sophisticated hacks to lose money over the Internet. Low-tech scams can easily lead to financial loss, said Jeremiah Grossman, CTO of White Hat Security.
In a presentation he is due to give at the Black Hat security conference, Grossman will give examples of organisations that have fallen victim to unsophisticated hacks.
In his paper, Grossman uses the example of Domino's Pizza, which lost about $77,000 (£47,000) in free pizza because of a weak password on an online promotion, a type of security problem that is all too common. A hacker guessed a promotional coupon code that authorised a free medium one-topping pizza and publicised the code, which was used about 11,000 times in 48 hours, said Grossman.
Patrons ordering pizza online would put in their order and then enter the code, essentially a password, into the "coupon" field on the site, he added. The person who guessed the Domino's password - BAILOUT - was never caught, Grossman said, and the promotion had been set up in the chain's system without approval. Many businesses authorise their marketing departments to set up such promotions without advice from their network security teams, so the promotions often lack anti-brute-force protections and lockouts, he said.
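The two controls Grossman says such promotions usually lack, unguessable codes and a lockout on repeated bad guesses, plus a cap on how many times one code can be redeemed, are shown below as an added illustration in Python; it is not code from Domino's or from Grossman's paper, and the `CouponService` class, its client identifiers and the coupon values are constructed for the example.

```python
import base64
import secrets
import time


def generate_coupon_code(nbytes: int = 10) -> str:
    """Random Base32 coupon code: 10 bytes give 80 bits of entropy in 16 characters,
    versus roughly 16 bits for a single dictionary word such as BAILOUT."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


class CouponService:
    """Coupon redemption with a per-code redemption cap and a per-client lockout
    after repeated bad guesses. Constructed illustration, not any vendor's system."""

    def __init__(self, codes, max_failures=5, lockout_seconds=900.0, clock=time.time):
        self.codes = dict(codes)          # code -> remaining redemptions allowed
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                # injectable so tests can control time
        self.failures = {}                # client_id -> (failure_count, locked_until)

    def redeem(self, client_id: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'locked' or 'exhausted'."""
        now = self.clock()
        count, locked_until = self.failures.get(client_id, (0, 0.0))
        if now < locked_until:
            return "locked"               # inside the lockout window: do not even check
        code = submitted.strip().upper()
        if code not in self.codes:
            count += 1
            if count >= self.max_failures:
                # threshold reached: start a lockout window and reset the counter
                self.failures[client_id] = (0, now + self.lockout_seconds)
            else:
                self.failures[client_id] = (count, 0.0)
            return "invalid"
        if self.codes[code] <= 0:
            return "exhausted"            # the budget for this promotion is spent
        self.codes[code] -= 1
        self.failures.pop(client_id, None)
        return "ok"


if __name__ == "__main__":
    svc = CouponService({"BAILOUT": 2, generate_coupon_code(): 100}, max_failures=3)
    for guess in ["FREEPIZZA", "PIZZA", "BAIL", "BAILOUT"]:
        print(guess, "->", svc.redeem("client-a", guess))
```

With `max_failures=3` the fourth submission from the same client is refused as `locked` even though it is the right code, which is the behaviour the promotion described above was missing.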
In another malicious guessing game, a man charged with scamming Apple out of 9,000 iPod Shuffles did so in part by guessing at legitimate Shuffle serial numbers, Grossman said.
He set up a phony web business called iPod Mechanic that supposedly took in broken iPods and returned them for new ones under Apple's advanced replacement programme. Apple required a legitimate iPod serial number and a credit card number to bill if Apple didn't receive the broken device, Grossman said.
The man used credit card numbers from Visa gift cards to satisfy the pre-authorisation for the replacement service and, starting from the known serial numbers of actual iPod Shuffles, guessed at others. When the new iPods arrived, he sold them on eBay for $49 each, said Grossman.
The scammer was only caught because Apple's trademark protection people flagged the unauthorised use of "iPod" in the business's name, iPod Mechanic.
Another example that Grossman offered was a British builder who located lead-tile roofs in London via Google Earth, then scaled the buildings - mostly museums and historic buildings - to steal the tiles. Police estimate that he made off with about £1 million in lead during his spree.