Pepperoni Payments Peril: Massive Payment Swindle Used Mobile Pizza

It’s long been common practice for cyberthieves to test stolen cards online, often with a tiny charge on a charity site, to quickly determine which have been shut down and which are still valid. But the latest tactic involves ordering pizzas from Domino’s—OK, so food connoisseurs they ain’t—and then selling the pizzas on the street. Said one police chief: “There is a secondary market for pizza.”

The cheesy tactic—detailed in a New York Times story—was marked by the cyberthief codeword (I swear we’re not making this up): “Who wants pizza?”

“The seemingly harmless question raised suspicions among police officers in Brooklyn when they saw the query posed repeatedly on Facebook, by users whose profiles they were keeping an eye on because of suspected gang ties. The pizza question was sometimes accompanied by the red-and-blue Domino’s logo. Officers contacted Domino’s and a bigger story came into focus, a curious blend of high-tech fraud and street-level word of mouth. With pepperoni and extra cheese.”

Domino’s reported a record spike in sales, the story said, because thieves were verifying stolen card numbers through the chain’s mobile app. “When they found a number to be valid, authorities said, the thieves used it to order bigger-ticket items online — while people in pockets of Brownsville and East New York in Brooklyn ate the pizzas.”

From a payments security perspective, it seems that mobile apps—and E-Commerce sites as well—should cap the number of invalid transaction attempts, after which the order is shut down and the IP address and other details are logged and routed to Loss Prevention. The story quoted Brooklyn Deputy Chief Kevin P. Harrington as finding that some phones had a huge number of invalid attempts before stumbling on a valid card—and the Domino’s system never blocked or even noted it. Yes, shoppers can make typos, but there is a limit before suspicions should be raised.

“This account has tried 50 attempts,” Inspector Gulotta said of one phone. “Two thousand attempts in the last month.”
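
One way to implement the cap on invalid attempts described above, as an added example (not code from Domino's or from the story): it counts declined authorizations per account in a sliding window, blocks the account once the decline count or the number of distinct cards passes a threshold, and emits a record for Loss Prevention. The thresholds, field names, card tokens and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; not values from the article.
WINDOW = timedelta(hours=1)
MAX_DECLINES = 5         # declines tolerated per account inside WINDOW
MAX_DISTINCT_CARDS = 3   # a typo retries one card; card testing cycles through many

def detect_card_testing(events):
    """events: time-ordered (timestamp, account, ip, card_token, approved) tuples.
    Returns one alert per blocked account, for routing to Loss Prevention."""
    declines = defaultdict(deque)   # account -> recent (timestamp, card_token, ip)
    blocked, alerts = {}, []
    for ts, account, ip, card, approved in events:
        if account in blocked:
            # Refuse everything after the block, including a card that would be valid.
            blocked[account]["refused_after_block"] += 1
            continue
        if approved:
            continue
        q = declines[account]
        q.append((ts, card, ip))
        while ts - q[0][0] > WINDOW:   # drop declines that fell out of the window
            q.popleft()
        cards = {c for _, c, _ in q}
        if len(q) > MAX_DECLINES or len(cards) > MAX_DISTINCT_CARDS:
            alert = {"account": account, "first_seen": q[0][0], "blocked_at": ts,
                     "declines": len(q), "distinct_cards": len(cards),
                     "ips": sorted({i for _, _, i in q}), "refused_after_block": 0}
            blocked[account] = alert
            alerts.append(alert)
    return alerts

def sample_events():
    """Constructed data: acct-A mistypes one card twice, acct-B cycles through cards."""
    t0 = datetime(2024, 1, 1, 18, 0)
    ev = [(t0 + timedelta(minutes=m), "acct-A", "198.51.100.7", "tok_a1", ok)
          for m, ok in ((0, False), (1, False), (2, True))]
    ev += [(t0 + timedelta(minutes=3, seconds=20 * i), "acct-B", "203.0.113.9",
            f"tok_b{i}", False) for i in range(6)]
    ev.append((t0 + timedelta(minutes=6), "acct-B", "203.0.113.9", "tok_b6", True))
    return ev

if __name__ == "__main__":
    for a in detect_card_testing(sample_events()):
        print(a)
```

Counting distinct cards separately from raw declines is what lets the shopper who mistypes one card twice through, while the account cycling through card after card is stopped before it reaches a valid one.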