Possible PC Hack? Any explanation appreciated...

So my gf and I have just moved to an apartment complex downtown. We ordered lunch today from a nearby restaurant - to protect the guilty, let’s call it “Arizona Taco Kitchen” - and being slightly technologically advanced, we decided to place the pick-up order online. After going to the restaurant’s website, we were directed to a 3rd-party website that actually handled the order. We unfortunately used a debit card to pay for it.

So we get to ATK, and imagine our surprise when the cashier told us that our order had already been picked up! She said that a man named “Sean” came in and asked for the order by name, and even signed his name on the receipt. We were flabbergasted, especially because the website specifically stated that the debit card used to pay would be required to pick up the order. The other thing that was off-putting was the cashier’s attitude towards the whole ordeal, which was “this kind of thing happens all the time”. They made us another order (“free of charge”, she says!), we get the 800 number to headquarters, and we leave the place in a daze.

Once home, my gf cancels her debit card, and we check our wireless access, which still appears to be password-protected. But I am stumped as to how it happened, and almost as much, why? If someone hacked into our PC and somehow knew we placed an order w/a debit card, wouldn’t the card info be much more valuable than the $40 in food they scammed off of the restaurant? But how else could they have known to pick up the order by name if they didn’t somehow see me place the order? And the cashier’s attitude was so cavalier, I considered the possibility that perhaps she just called in a friend to help him/herself to a free dish on the house, and then made up something when we came in to pick up the order.

So, what do you guys think? Any other explanations that I’m not seeing here?

How common is your name? “Pick up order for Smith” could result in confusion without anybody getting hacked…Or maybe you actually ordered delivery through the third party website? Their guy “Sean” picked up the order, and you weren’t home for delivery?

The last name is relatively common, but not of the Smith/Johnson/Brown variety, so I seriously doubt that there would be two orders with the same name. And I’m 100% sure that it wasn’t a delivery order, because there was a $7 delivery charge that would have been added (this was why we decided to pick it up in the first place). Thanks for the suggestions though…

Make sure your wireless security is set as WPA, using a strong cipher. The previous WEP protocol is trivial to circumvent. Was the third party website secured using SSL?

I sometimes use the online order thing for my local pizza place because there’s a 20% discount and I will say that things like this do seem to happen all the time. I’ve had a couple of times where they delivered a carryout order even though I didn’t get charged the delivery fee (or meet the minimum order) and it’s quite common that the orders just seem to disappear. They’ve been better about it lately, but when they first started doing the online orders I got in the habit of calling them to make sure they got it and weren’t delivering it.

This situation seems a little fishy, but the scenario of someone hacking into your wireless network and intercepting your order and picking it up themselves seems pretty unlikely. If nothing else, wouldn’t it be much less risky to just use your CC information to place another order?

How about this for the simplest solution I can think of:

“Hey Sean-- it’s Jim. I’m at work. Delivery order for $40 just came in, can you swing by in about 10 minutes and pick it up? Your last name is Mannish.”

All it takes is a dishonest employee who has a cell phone, and a willing accomplice who’s not known to the other employees. They wouldn’t have access to your debit card, the website wouldn’t need to be compromised-- not when the information can easily be read off a piece of paper at the restaurant.

I think that sounds pretty likely - if there’s no CCTV and follow-up on these ‘happens all the time’ incidents, it’s not unlikely that a dishonest member of staff is sweethearting.

Otherwise, it might just be a chancer - walking in and saying their friend/OH ordered earlier by debit card, but not sure what name it’s under - what have you got?

Or maybe one person sitting in the waiting area overhearing someone controlling the orders, shouting the names of the customer, passing this information to a friend who then walks in to collect it.

Of course, if you were a victim of a hacker (much less likely than restaurant screw-up, IMHO) they would probably only be able to sniff the contact name and order items rather than the debit card details, which would probably be encrypted with SSL. This could explain why they might pick up the order rather than get your card details.

It is much, much more likely that it was one of the explanations already mentioned though.

It’s doubtful that someone is hacking your computer connection and will risk exposing themselves for a pizza. Yes it could happen but unlikely.

It’s probably a form of “social engineering” where the clerk is so busy she/he is letting himself be talked out of a pizza.

The con comes in and uses vague language and the clerk allows himself to be talked into giving out the name.

The fact that “this happens all the time” to me, indicates that it is some kind of fraud.

It’s like the old call the restaurant and complain. Let’s say you order Chinese food from Cantonese Delight (CD).

CD) Hello
Customer) Yes, I just bought some sweet and sour pork and I got chop suey instead
CD) I’m so sorry, if you come back we’ll give you your order
Customer) Well, I’m on my lunch hour from work, I can’t do that, I guess I’ll be forced to eat this
CD) Oh my apologies, I’ll tell you what next time you come in you can have a free sweet and sour pork order, give me your name.

OK this is a classic con, that usually works. You ordered the chop suey and yet complain about it, knowing good and well, this way you’ll get free food next time.

Of course it’d only work once per restaurant, but there are enough of them for you to get a lot of free meals.

Do you have a smartphone and a one time use credit card? Make an order while waiting out front of the store. See if someone shows up to get your food!

Thanks, I’ll definitely do this.

I went to the website, and it claims that all transactions are secured, but I couldn’t find the SSL banner. I’d find it hard to believe that they’d be able to work with some of the restaurants that they do without it, however…

True, I think I have resolved it internally as an ‘inside job’. I was hesitant to come to that conclusion because of the chance that the culprit would be asked to show the debit card; but the cashier could have been the one to tip the person off, or maybe whoever the employee was knows that the cashier was lazy and never asks for a card…

Thanks to everyone for the input…

I worked with a guy who pulled this as regularly as clockwork.

The registration page on the site is secured with a high grade encryption. I do think it’s much more likely that the fraud didn’t involve hacking, and was something along the lines of a method suggested upthread. It’s still a good idea to change your wireless security protocol, however, and to use a more secure browser, such as Firefox with NoScript, when carrying out transactions. If you are really concerned you might consider utilising an Ubuntu live-CD, for online banking.

Yeah, I think you are way overthinking this and cancelling the debit card was probably overkill. If someone had somehow hacked you and got all your info (let’s say they managed to install a keylogger and sniffed everything including your cc number and whatnot) – going to the restaurant to snag your food order before you is about the dumbest possible way they could use that info. Not only is there a good chance they would run into you there, it makes the restaurant workers literal eyewitnesses to identity theft/credit card fraud – crimes with the built-in advantage of relative anonymity. All for some takeout?

Forget about the whole online transaction thing. This could easily have happened if you phoned your order in and gave your cc number over the phone. A lot of times I’ll go into a restaurant and ask for my pickup order without even giving my name. The restaurant worker often asks me if my name is “so-and-so” and if I say yes, they just give it to me.

There’s really not much in the way of security at the restaurant. They don’t care enough about it. Ask for your debit card to prove the order is yours? Never happens, IME. The online transaction site just says that the restaurant is supposed to do that to make you feel better about using their system.