A Nice, Hot, Socially Engineered Meal

by Gregory Porter  (greg.e.porter@gmail.com)

There are a number of ways to obtain food or, in my case, pizza.

One can dine in, pick it up, or call in the order to have it delivered - and you can also go online and order it.  My recent first experience with Grubhub illustrates the power of assumptions on a situation.

I suppose the title is a little misleading.

Social engineering refers to the practice of manipulating someone to gain access to a system.  Here, I refer to the manipulation of assumptions for personal gain.

This is, of course, for educational purposes only.

When making an order with Grubhub, one must first make a free account by providing a name, address, email address, and phone number.  A credit card is not required.  To confirm the order, a form of payment must be chosen from PayPal, credit card, or cash.  If one is paying by card, a tip amount can be specified.  Special instructions for the items or delivery can also be specified (like "Knock on the door three times").  Easy, right?

I ordered a two topping, large pizza and jalapeno poppers.  With tax and the delivery charge, the bill totaled about forty bucks.  I like to minimize the use of my credit card online, so I opted for a cash payment.  I also wanted to have the ability to modify the tip, depending on the delivery time.  The order was quickly and easily confirmed with an email and, after an hour, the pizza arrived.

The delivery guy gave me the food and started to leave.  I asked how much I owed him.  He replied that I had already paid.  I hesitated.  I didn't remember putting my credit card online.  I explained that on Grubhub, I chose to pay cash, not with my card.

He looked at my bill and said, "You used Grubhub, right?"

"Yep."

"Normally, when someone uses Grubhub, they just pay with, like, PayPal.  But let me check."

He pulled out his phone and called the pizza place.  "The order for two topping large pizza for [address redacted] is already paid for, right?"

He hung up the phone and said, "Yeah, it's all paid for."

He was a nice guy.  He didn't want me to pay any more and I didn't want to pay for any less.  I shrugged, thanked him, and went back inside.

As I ate, I looked at my receipt email.  It read "Paid by cash."  I suppose that means "I will have paid with cash by the conclusion of the transaction."

Using a site like Grubhub, the pizza place assumed I would be paying with my card.  It is, after all, more convenient to pay like that, so I suppose that's what most people do.  This tendency, coupled with the slightly misleading future perfect tense, resulted in a free meal for me!

The moral of the story is that assumptions we make about a given situation, process, or system, whether it be a network or program or human interaction, can powerfully impact the final result.

So, be careful about what you assume (especially if you are a pizza guy).

Happy hacking!
