This is a well-known scam. It wasn’t necessarily an inside job – more likely an organized ring of identity thieves – but they do bypass the hotel switchboard.
It doesn’t take any particular skill set to sniff unsecured wireless networks. There are lots of people driving around neighborhoods slowly, looking for open networks to sniff every day. Anyone can download and install a free Firefox addon, for example, that instantly begins displaying people’s Facebook logins in a sidebar if the machine is connected to a public network. Facebook encrypts the login but not the cookie information that gets transmitted back and forth. Programs like Etherpeek and the like have been available for many years and they are useful network diagnostic tools but they can also be used to steal information with no skill or computer knowledge at all.
The only skill set it takes is the ability to install a program on your laptop and double-click its icon to begin seeing all the information that passes through a router the computer is connected to. At a busy place like an airport internet cafe or free wireless hotspot provided to an entire neighborhood, this could yield hundreds of stolen identities in minutes.
In this case it’s hard to say how possible this was without an answer from the OP about the way they connected to the internet to make the pizza order. Let’s say they were at a public internet cafe and used a Facebook login to make the order - very possible. If they were at home, and perhaps have a wireless router with no password, or using a neighbor’s open network, less likely but still very possible. If they were on a wired connection that doesn’t have any other customers, i.e. a home DSL connection, not very likely but it could be someone sniffing an unprotected system at the pizza place.
An inside job at the pizza place is certainly possible too, it just isn’t very probable due to the careful records the pizza place obviously keeps about orders, phone numbers, and pickups including video records and caller ID logs. The employee could get away with it once or twice and maybe this was a one shot thing. Prisons are full of stupid people that actually thought they could get away with something so obvious so anything is possible.
I don’t see why so many people might think this isn’t easily doable. You could probably pull this off as one person, but a lot easier with two people. One person at the store just watches out for orders coming in that will take credit on delivery and tells someone else who can then take the pizza and “deliver” it. This covers a lot of tracks because this person could actually call the store and change the order, so the books are covered and the inside employee isn’t caught. And, sure, the number probably matches the one that the OP got, but if they have even half a brain, they’re using a cheap pre-paid phone so it isn’t traceable to a specific person. Then, by picking it up, everything seems legit to the pizza store. And by delivering the pizza to the customer, they’re only investing the $10 for the pizza and maybe $30 for a phone for a guaranteed working card and, other than you noticing that the transaction is a little odd, you got your pizza so you’re less likely to think that anything is amiss. Even if you do, you’ll probably eat your pizza first and not file a report and not immediately call your bank or you wouldn’t have swiped the card to begin with. So they’ve got a good window of no less than 30-60 minutes to use that known good card to withdraw some cash. Even if they got nothing that time, they’ll probably try a few more times.
So while I could see this working, it seems a little labor intensive with a low profit margin and not too repeatable so as to be worth it by any but those who probably aren’t bright enough to pull it off properly anyway. It is odd to me that the police and the pizza chain aren’t really all that interested in doing anything about it. If they get a few reports, they could probably narrow down the inside employee pretty quickly just based on who is working when. Similarly if they reuse the same phone.
To this end, whenever I do delivery, it’s always payment online or cash. Even if I’ve never gotten false charges, having to get a new number because my wallet was stolen, or once when someone’s database was hacked, it’s still a pain in the ass to set up all my auto-payments to work again, so I’ll take those precautions.
Because
Yeah, but that requires management to give a damn.
And if management’s in on it, what’s gonna happen? Nothing.