The other day, I bought a pizza online from Pizza Hut. I paid with my credit card.
The guy came out to deliver it and muttered something about there being a problem with my credit card, and could I please speak to his manager. I was suspicious but hungry, so I played along. He placed a call on his mobile phone and handed it to me. The phone displayed “Pizza Hut”, and I spoke to his (purported) manager, giving my credit card details.
I took the pizza upstairs. As we ate it, I got thinking about how easily this situation could have been a scam. I called Pizza Hut to ask if that sort of thing was standard operating procedure when there is some kind (?) of screw-up with the card details. “All our operators are busy”. I left a message for them to call me back.
Time passed.
I got antsy – “these dodgy characters could be out there buying plasma TVs in my name as we speak” – and rang the bank to cancel my credit card.
Ten minutes later, Pizza Hut customer service rang me back. Discussion ensued, the upshot of which was that yes, it is standard operating procedure.
So, I’ve cancelled my credit card, which is also my ATM card, which is a mild pain in the arse, but no big deal. And yes, I should probably have suspended it rather than cancel it.
But the main point of this is that the Hut have a process that’s too easy to scam. Simply:
1. Get a job as a Pizza Hut delivery driver.
2. Put a friend’s number into my phone against the name “Pizza Hut”.
3. Get credit-card-paying customers to recite their card details to my friend, “Pizza Hut”, the “manager”.
4. Wait a suitable length of time to let customers forget my smiling face.
5. Buy plasma TVs on any credit cards that haven’t been cancelled.
Or maybe I’ve just been reading too much Schneier.