Credit-card hackers are reportedly targeting Starbucks gift card and mobile payment users around the country. Taking advantage of weak passwords and the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes—without even knowing the account number of the card they’re hacking.
The ramifications can be significant: Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about one in six transactions at Starbucks are conducted with the Starbucks app.
Several users have complained of hacking via Facebook. “My account was hacked this morning,” said one on a page devoted to the issue. “They got my balance and tried to reload the card with the saved credit card but the bank stopped it. Had all the hassle of canceling the credit card, and also because my address and email and phone number was on there, put in a fraud alert to the credit report companies as well just in case.”
According to security blogger Bob Sullivan, based on conversations with an anonymous source who is familiar with the crime, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value and attack their linked credit card. And the issue has been going on since the beginning of the year, the source told him.
The issue likely goes back to brute-force password attacks, he said in a blog post. “Because Starbucks’ mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts,” he said. “Criminals could also be stealing credentials in other ways—through phishing emails, or keylogging programs.”
In any event, once logged in, criminals have several options for draining card values—and this is where Starbucks can come in to help remedy the issue. The most common: they can transfer balances from the gift card to another, or combine balances from multiple cards onto a single other card. It just takes a special, one-time emailed authentication code to do so, but the two-factor approach is fundamentally flawed. By using the settings in the Starbucks.com account, hackers can change the email address linked to the app to one that they control—and can thus have the code that Starbucks requires for transfers sent directly to them.
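The weakness described above is that the emailed code is only a second factor if the logged-in session cannot change where it is delivered. The following is an added example, not Starbucks' code, contrasting a settings flow that rewrites the recipient immediately with one that confirms an address change through the old address and keeps sending transfer codes there for a cooling-off period. The account fields, the 24-hour and 10-minute policy values, the in-memory outbox and the `demo()` scenario are all assumptions made for illustration.

```python
"""Added example (not Starbucks' code): an emailed transfer code is only a
second factor if the attacker cannot redirect it. The vulnerable flow lets the
logged-in session change the address first; the hardened flow confirms the
change via the old address and keeps sending codes there for a cooling-off
period. Account fields, policy values and the outbox are all assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL = 10 * 60          # assumed policy: transfer code valid for 10 minutes
COOLING_OFF = 24 * 3600     # assumed policy: 24 h before a new address receives codes


@dataclass
class Account:
    email: str                                  # verified address that receives codes
    previous_email: Optional[str] = None        # address before the last change
    email_changed_at: float = 0.0
    pending: Optional[tuple] = None             # (confirm_token, new_email)
    codes: dict = field(default_factory=dict)   # code -> issued_at


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


# --- vulnerable flow: the settings page rewrites the recipient immediately ---
def change_email_vulnerable(acct: Account, new_email: str) -> None:
    acct.email = new_email      # no confirmation from the old address


def send_transfer_code_vulnerable(acct: Account, outbox: list, now: float) -> str:
    code = _new_code()
    acct.codes[code] = now
    outbox.append((acct.email, code))   # delivered to whatever 'email' now holds
    return code


# --- hardened flow -----------------------------------------------------------
def request_email_change(acct: Account, new_email: str, outbox: list) -> str:
    """Store the change as pending; the confirmation goes to the OLD address."""
    token = secrets.token_urlsafe(16)
    acct.pending = (token, new_email)
    outbox.append((acct.email, f"confirm-email-change:{token}"))
    return token


def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    if acct.pending is None:
        return False
    expected, new_email = acct.pending
    if not hmac.compare_digest(expected, token):
        return False
    acct.previous_email, acct.email = acct.email, new_email
    acct.email_changed_at = now
    acct.pending = None
    return True


def send_transfer_code_hardened(acct: Account, outbox: list, now: float) -> str:
    """Codes keep going to the previous address during the cooling-off window."""
    recent_change = (acct.previous_email is not None
                     and now - acct.email_changed_at < COOLING_OFF)
    recipient = acct.previous_email if recent_change else acct.email
    code = _new_code()
    acct.codes[code] = now
    outbox.append((recipient, code))
    return code


def redeem_transfer_code(acct: Account, code: str, now: float) -> bool:
    """Single-use, time-limited check with constant-time comparison."""
    for stored, issued in list(acct.codes.items()):
        if hmac.compare_digest(stored, code):
            del acct.codes[stored]          # burn the code even if it has expired
            return now - issued <= CODE_TTL
    return False


def demo(now: float = 1_000_000.0) -> dict:
    """A hijacked session tries to redirect the transfer code to a new address.
    Returns who actually received the code in each flow."""
    new_addr = "new-address@example.invalid"     # constructed, attacker-controlled
    victim = Account(email="victim@example.invalid")
    outbox: list = []
    change_email_vulnerable(victim, new_addr)
    send_transfer_code_vulnerable(victim, outbox, now)
    vulnerable_recipient = outbox[-1][0]

    victim = Account(email="victim@example.invalid")
    outbox = []
    token = request_email_change(victim, new_addr, outbox)
    confirm_recipient = outbox[-1][0]            # old address; session never sees it
    confirm_email_change(victim, token, now)     # assume the owner did confirm
    send_transfer_code_hardened(victim, outbox, now + 60)
    during_cooling_off = outbox[-1][0]
    send_transfer_code_hardened(victim, outbox, now + COOLING_OFF + 1)
    after_cooling_off = outbox[-1][0]
    return {
        "vulnerable": vulnerable_recipient,
        "confirmation": confirm_recipient,
        "hardened_during_cooling_off": during_cooling_off,
        "hardened_after_cooling_off": after_cooling_off,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the cooling-off window is that even a confirmed address change cannot be turned into a same-session cash-out: the transfer code still lands in the mailbox the account owner controlled before the change, which is exactly the property the flow in the article lacks.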
A further risk is that the app also stores and displays personal information about the user, such as their name, full address, phone number and email address. Criminals could use this information themselves or sell it for use in more targeted or larger-scale spear-phishing or identity theft attacks.
As for Starbucks, a spokesperson issued the following statement, and noted that customers are not responsible for charges or transfers they didn’t make:
“While I’m not able to comment on an individual customer’s account, what you’re describing is not connected to mobile payment—linking the two is inaccurate. We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers. For obvious reasons, we are unable to discuss specific security measures. Our customers’ security is incredibly important to us and we take all these concerns seriously.”
But the problem is not that the mobile payments themselves are insecure. Rather, with auto-reload, accounts are automatically topped up from a linked bank account when the balance falls below a certain level, offering an endlessly replenishing pool of cash to steal. And according to Sullivan, those stolen, auto-funded Starbucks cards—or more specifically, the electronic codes behind them—can then be sold on the black market for cash. Consumers would be none the wiser until they notice the extra transactions coming out of their bank accounts.
“Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan said.
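The reload-then-transfer loop described above has a recognisable shape in transaction logs: a top-up followed within minutes by a transfer out, repeated until the linked funding source is exhausted. The following is an added example, not Starbucks' or any vendor's detection logic, that runs a simple velocity rule over a constructed event log. The log format, account names, amounts, windows and thresholds are all assumptions.

```python
"""Added example (not Starbucks' or any vendor's code): a velocity rule that
flags the auto-reload-then-transfer-out loop over constructed sample events.
Field names, thresholds and time windows are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <account> <event> <amount>"
SAMPLE_EVENTS = """\
2015-05-13T08:01:00 acct-1 auto_reload 25.00
2015-05-13T08:01:40 acct-1 transfer_out 25.00
2015-05-13T08:02:10 acct-1 auto_reload 25.00
2015-05-13T08:02:50 acct-1 transfer_out 25.00
2015-05-13T08:03:20 acct-1 auto_reload 25.00
2015-05-13T08:04:00 acct-1 transfer_out 25.00
2015-05-13T08:05:00 acct-2 auto_reload 25.00
2015-05-13T09:30:00 acct-2 purchase 4.75
2015-05-13T10:00:00 acct-3 transfer_out 10.00
2015-05-13T10:20:00 acct-3 auto_reload 25.00
2015-05-13T10:30:00 acct-3 transfer_out 100.00
"""

REFILL_WINDOW = timedelta(minutes=5)   # a transfer_out this soon after a reload is "chained"
LOOKBACK = timedelta(hours=1)          # trailing window for both rules
MAX_CHAINED = 2                        # assumed: 2+ chained pairs per hour is suspicious
MAX_OUT_PER_HOUR = 50.0                # assumed: dollar cap on transfers out per hour


def parse_events(text: str) -> list:
    """Parse the log into (timestamp, account, kind, amount), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, kind, amount = line.split()
        events.append((datetime.fromisoformat(ts), acct, kind, float(amount)))
    return sorted(events)


def flag_accounts(events: list) -> dict:
    """Return {account: [reasons]} for every account that trips a rule."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev[1]].append(ev)

    findings = {}
    for acct, evs in by_acct.items():
        reasons = []
        chained = []        # times of transfer_out events that closely followed a reload
        outs = []           # (time, amount) of every transfer_out
        last_reload = None
        for ts, _, kind, amount in evs:
            if kind == "auto_reload":
                last_reload = ts
                continue
            if kind != "transfer_out":
                continue    # purchases and other events are not part of the loop
            outs.append((ts, amount))
            if last_reload is not None and ts - last_reload <= REFILL_WINDOW:
                chained.append(ts)
            # Rule 1: repeated reload->transfer pairs inside the trailing hour
            recent_pairs = [t for t in chained if ts - t <= LOOKBACK]
            if len(recent_pairs) >= MAX_CHAINED and "reload-transfer loop" not in reasons:
                reasons.append("reload-transfer loop")
            # Rule 2: total value transferred out inside the trailing hour
            total_out = sum(a for t, a in outs if ts - t <= LOOKBACK)
            if total_out > MAX_OUT_PER_HOUR and "hourly transfer cap" not in reasons:
                reasons.append("hourly transfer cap")
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for account, why in flag_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(account, "->", ", ".join(why))
```

Two rules are kept separate on purpose: the chained-pair rule catches the automated loop even at small amounts, while the hourly cap catches a single large drain that no reload preceded, as with `acct-3` in the sample. An account that trips either rule is a candidate for holding transfers pending a step-up check rather than for an automatic block.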
Gavin Reid, VP of threat intelligence at Lancope, said that this highlights the problems with consumer cards and accounts that are backed by either a high-limit credit card or, even worse, a checking account.
“Ideally vendors would make this form of compromise harder by using multi-factor authentication, and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss,” he said via email. “This type of small amount theft can be automated reusing already exposed credentials.”
Jonathan Sander, strategy and research officer at STEALTHbits Technologies, offered some additional, traditional advice: “Change your Starbucks password, make sure the new password is unique and complex, and for goodness sake don’t use that same password on another site or service. Of course, we can’t all maintain awesome passwords everywhere. A word to the wise is that anywhere you have your credit card saved you should treat it like it’s a locker where you keep your wallet. What sort of combination would you put on your wallet locker lock?”