
Tiger Food susceptible to ID fraud

Correction appended

Elaine Bigelow '10 was studying in her room in 1915 Hall at 10:30 on Monday night. A few hundred yards away in Cuyler Hall, a large cheese pizza from Iano's Rosticceria was delivered to a room where four sophomores scarfed it down. None of them paid for the pie; they just charged it to Bigelow.

With her permission, The Daily Princetonian used Bigelow's nine-digit student ID number to buy the pizza through the student-run Tiger Food Delivery Agency. Bigelow did not order the pizza and the address specified was not her dorm room, but the $13.45 bill was charged to her University account anyway.

But Bigelow didn't give the 'Prince' her ID number. Rather, by typing her name into the People Search function on the University homepage, a reporter was able to get Bigelow's ID number and charge the pizza to her.

"It's kind of ridiculous that someone can order a pizza in my name, and I don't even get a bite," Bigelow said after the pizza party in Cuyler concluded while she was still in 1915. It was unsettling, she said, to see how little security there is in the Tiger Foods system. "I hope no one else has discovered this already."

The agency boasts on its website that "all charges to student account are billed directly home to your parents."

When placing an order with one of eight local restaurants participating in Tiger Foods, callers give their phone numbers, names, delivery locations and payment methods, which can be cash, credit card or University account.

Anyone with access to the Princeton network can retrieve the University ID number of any Princeton student, faculty or staff member from the University's website.

With the permission of his roommate Eric Macias '10, Henry Rounds '10 also tested the security of the Tiger Foods system for the 'Prince.' Rounds called the Tiger Foods agency and ordered a pizza, giving his own cell phone number, but Macias' University ID number and name. When the food arrived, the student delivering the pizza gave the pizza to Rounds without asking for any form of ID.

"It's really weird," Rounds said. "I mean, even if the person whose ID number you used noticed that the food had been charged to their account, Tiger Foods would have no way to trace the person who placed the order."

"And anyway," he added, "the only way you could even possibly get caught is if the person whose account you charged noticed the charge in the first place."

The Tiger Foods website advertises that its payment system is "just like Frist!" But buying food from Frist Campus Center's retail serveries and other Dining Services facilities requires the physical swipe of a University ID card.

Tiger Foods, it seems, does not require customers to show a physical prox card or other form of identification. Agency representatives declined to comment on the security of its delivery system.

"If [Rounds] hadn't asked me first, I probably never would have known I'd paid for his pizza," Macias said.

"I don't even usually see the bills that are sent to my home from Princeton, and even if I did, I would never notice a $20 charge since I probably charge way more than that at Frist each month," Macias added. "I don't know why Princeton even puts the ID numbers online in the first place."

Rita Saltz, OIT senior policy advisor, said that though she herself was not involved in the decision to publicly post student ID numbers (also known as UAID), the intent was to protect students' privacy by assigning each student a number that was relevant only within the University community.

"I do believe that decision was made to avoid using social security numbers or other sensitive information, with the intent that the UAID, the chosen unique identifier, would be used only for identification and not for other purposes," Saltz said in an email.

"[S]ince the UAID is published specifically to allow proper identification within the University, the information is generally available within the community," she added.

Correction

The original version of this article stated that anyone with access to the internet could look up University ID numbers on the Princeton homepage. In fact, only those with access to the Princeton network can do so. The Daily Princetonian regrets the error.