How Slice Counters Dark Web-Based Credential Stuffing Attacks On Its Mobile Ordering App

Account takeovers and credential stuffing attacks are surging, with fraudsters buying stolen credentials from the dark web to target first-time digital consumers. In this month’s Digital Fraud Tracker, Slice’s Jason Ordway discusses the company’s two-pronged approach for keeping orders secure for its 15,000 pizzerias across the U.S.

The pandemic has irrevocably affected countless sectors over the past year, but the restaurant industry has been hit particularly hard. Many eateries are just now opening their doors for indoor dining after more than a year of social distancing and stay-at-home orders, which largely forced them to make up the difference via mobile and online orders. More than 45 million U.S. consumers now use mobile ordering apps — a total that is expected to hit about 54 million by 2023.

This surge in digital activity has opened up new doors for fraud, however. Account takeovers (ATOs), credential stuffing and other schemes relying on stolen customer information have surged over the past year, and they are especially dangerous to new digital consumers who are unaccustomed to online ordering. One mobile ordering industry player that is dealing with this pervasive fraud threat is Slice, a pizza ordering app that works with 15,000 pizzerias across the U.S.

“Credential stuffing, in particular, has been heightened in the past year because so many folks use the same credentials for multiple platforms,” said Jason Ordway, the company’s chief technology officer. “You’ve got bad actors that download [or] write scripts that take a [stolen] login and password and test a million of them [at once].”

Ordway gave PYMNTS an inside look at how fraudsters use the data harvested from dark web marketplaces to attack mobile ordering apps like Slice, as well as how the company harnesses the principle of least privilege — limiting internal systems access to only the employees who absolutely need it — and off-site data storage to limit the effectiveness of these attacks.

How Fraudsters Leverage Dark Web Data

Stolen data must be listed for purchase on dark web marketplaces before fraudsters can leverage it for credential stuffing. Information posted on these sites largely stems from large-scale data breaches that spit millions of usernames, passwords and email addresses into cyberspace.

“It’s databases on top of databases on top of databases with, at a minimum, millions of records,” Ordway said. “When users recycle the same login passwords across every food tech website, [fraudsters] can either break in and create orders for themselves or go back to [the] dark web again and sell those credentials to other bad guys.”

Slice typically sees data sourced from dark web marketplaces used in credential stuffing schemes, wherein fraudsters test hundreds or thousands of stolen credentials at once as they attempt to break into users’ accounts. These attacks are especially dangerous for individuals who recycle passwords, as one leaked credential can be used to hack into all of their accounts.

“If I [find] a user’s information on the dark web, I’m going to go to five different web properties and see if the stolen login and password works in one of these five places,” Ordway explained. “And then I may store it for later because I want some pizza on Friday night, or I may sell [the credentials]. The first step is usually checking it out to make sure the credentials are OK, and then the second step is actually buying a pizza.”

This means merchants and restaurants have to pull double duty in their fraud-prevention efforts. They must protect their users from having stolen data used against them while also keeping data from leaking onto the dark web in the first place.

How To Prevent Data Breaches And The Use Of Stolen Data

Ordway noted that the best defense against credential stuffing for app users is good password hygiene. It is important to ensure that passwords are unique to individual platforms, which can be easier to accomplish using password managers. He added that fighting credential stuffing attacks against Slice employees involves a concept called the principle of least privilege.

“We give our employees just the right amount of access that they need for their job and nothing more,” Ordway explained. “We add multistep approvals for sensitive areas and systems and are continuing to practice good password hygiene as well.”

Keeping Slice users and employees safe from data breaches within its own platform also requires ensuring hackers have nothing to find, he said. Slice does not store any usernames or passwords on its platforms, for example, instead relying on a more secure third party.

“We don’t store usernames, passwords or credit card data, but work with a third party to obviously keep that safe for our consumers and our restaurants,” Ordway said. “We are at [the] point of transaction but not touching [the data], is the easy way to explain it.”

An ounce of prevention is worth a pound of cure, and in few places does this proverb carry more weight than when it comes to data security. The costs involved in preventing data from landing on dark web marketplaces pale in comparison to the untold sums companies can lose to breaches and broken customer trust.