Hi, I'm Ryan Levy.

Welcome to Cyber reasons Malicious Life. If you live in the Minneapolis St Paul area and you're hungry you might order in from Tono, pizzeria and cheese sticks.

Get a pepperoni pie maybe, or if you don't mind the diabetes, a cheese steak with bacon on top over a bed of fries.

Tono has four locations in the city and there on Door Dash, which is where the problem began.

The way DoorDash works for merchants is that you're given access to an administrative portal.

Shaz Khan is the co-founder and owner of Tano.

And you're able to log in alongside any authorized users that you have on there

in order to see the metrics of your business.

And so what had happened was I went in there once and I noticed that there was an

obscure email address that I didn't know and I noticed that my role in the

organization had been switched from business owner to you know, account manager or something of a lesser access and this rogue email

was the one that had been given kind of the business admin access.

Shaz contacted customer service.

And after a series of painstaking phone calls with Dordash, come to find out that this is kind of a

known threat and known attack where I you know I'll say an attacker for lack of a

better term attempts to convince somebody on the

support team at Dordash that they are indeed an authorized administrator of

that particular merchant and to be given access to the account.

Customer service failed to suss out the unauthorized user,

but the app itself has measures to prevent the worst-case scenario.

Even as an admin in Tono's DoorDash account, the unauthorized user had no means of initiating transfer of money from the business to themselves.

However, access was given, visibility was given, and so in this case, you know, some, the couple digits of a bank account, the name of a bank,

...