More and more purchases are being made through non-traditional methods, like mobile apps. However, concerns remain about the security of these methods as we continue to see data breaches hit the news on an almost daily basis.
Large numbers of Starbucks’ customers have reported their accounts being hacked, in what is reportedly an attack dating back to 2015. Some say they’ve had money taken from their accounts via the mobile app, and according to USA TODAY, the hackers used a ‘clever new attack’ without actually hacking Starbucks itself.
The attack, which first appeared in May 2015, takes advantage of:
- Customers who use the same login and password across multiple platforms – hackers take credentials stolen from other platforms and try them on the Starbucks app.
- Starbucks’ app auto-load function, which lets customers load money onto their Starbucks card from saved debit and credit cards.
- The lack of any limit on the number of password attempts before Starbucks locks a customer out of their account.
How many people does this affect?
As many customers use the Starbucks app to pay for their daily coffee fix, any threat to the app could be disastrous. The company notes that nearly a third of its transactions are done via the app. In 2014, Starbucks processed $2 billion (£1.5 billion) in mobile payment transactions, so you can see how a data breach could really endanger the company.
“Brute force” attack
According to one cyber-security firm, Checkmarx, this is one way hackers can profit from stolen information. First, cyber-criminals purchase stolen login details and passwords on the black market. Second, they use an automated programme that tries the stolen combinations on the Starbucks mobile app until one works. This kind of attack using stolen information is known as a “brute force” attack. It’s lethal because the programme can process hundreds of login-password combinations per second.
This shows that the stolen information can generate fraudulent activity in no time.
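What the article calls a “brute force” attack (trying stolen username/password pairs at hundreds per second) is usually called credential stuffing, and it looks different in a login log from classic password guessing: one source touches many accounts with a single attempt each, so the per-account attempt limit that Starbucks lacked would not, on its own, catch it. The detector below is an added example written for this article, not code from Starbucks or Checkmarx; its log format, thresholds and sample lines are constructed assumptions. It applies both a per-account lockout and a per-source rule, and lists the accounts a flagged source did log into, which are the ones to step up or reset.

```python
"""Spot credential-stuffing traffic in login logs.

Added example for this article; not Starbucks' code and not from Checkmarx.
The log format, thresholds and the sample lines are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "unix_ts source_ip username result" per line.
# 198.51.100.7 sprays one stolen pair per account (stuffing);
# 203.0.113.9 is a user who mistyped twice; 192.0.2.44 hammers one account.
SAMPLE_LOG = """\
1000 198.51.100.7 alice FAIL
1000 198.51.100.7 bob FAIL
1000 198.51.100.7 carol OK
1001 198.51.100.7 dave FAIL
1001 198.51.100.7 erin FAIL
1001 198.51.100.7 frank FAIL
1002 198.51.100.7 grace FAIL
1002 198.51.100.7 heidi OK
1005 203.0.113.9 alice FAIL
1009 203.0.113.9 alice FAIL
1014 203.0.113.9 alice OK
1100 192.0.2.44 alice FAIL
1101 192.0.2.44 alice FAIL
1102 192.0.2.44 alice FAIL
1103 192.0.2.44 alice FAIL
1104 192.0.2.44 alice FAIL
1105 192.0.2.44 alice FAIL
"""

WINDOW_S = 60               # sliding window for both rules (assumed)
MAX_FAILS_PER_ACCOUNT = 5   # lock the account at this many failures in a window
MIN_USERS_PER_SOURCE = 5    # a source touching this many accounts in a window...
MAX_OK_RATIO = 0.5          # ...with mostly failures looks like stuffing


@dataclass(frozen=True)
class Attempt:
    ts: int
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed four-field format into Attempt records, oldest first."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(int(ts), ip, user, result == "OK"))
    return sorted(attempts, key=lambda a: a.ts)


def locked_accounts(attempts, window=WINDOW_S, max_fails=MAX_FAILS_PER_ACCOUNT):
    """Per-account lockout, the control the article says Starbucks lacked.

    Catches single-account hammering; a stuffing run that tries each stolen
    pair once per account never trips it, which is why a second rule is needed."""
    recent_fails = defaultdict(list)
    locked = set()
    for a in attempts:
        if a.ok:
            continue
        q = recent_fails[a.user]
        q.append(a.ts)
        while q and q[0] < a.ts - window:   # drop failures outside the window
            q.pop(0)
        if len(q) >= max_fails:
            locked.add(a.user)
    return locked


def stuffing_sources(attempts, window=WINDOW_S, min_users=MIN_USERS_PER_SOURCE,
                     max_ok_ratio=MAX_OK_RATIO):
    """Per-source rule: many distinct usernames from one IP, mostly failing.

    Returns {ip: stats at the moment the rule first fired}."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, seq in by_ip.items():
        for i, a in enumerate(seq):
            recent = [b for b in seq[: i + 1] if b.ts >= a.ts - window]
            users = {b.user for b in recent}
            ok_ratio = sum(b.ok for b in recent) / len(recent)
            if len(users) >= min_users and ok_ratio <= max_ok_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(recent),
                               "ok_ratio": round(ok_ratio, 2)}
                break
    return flagged


def triage(log_text: str) -> dict:
    """Run both rules and list accounts a flagged source logged into successfully:
    those are the probable takeovers to step up or force a password reset on."""
    attempts = parse_log(log_text)
    sources = stuffing_sources(attempts)
    taken_over = sorted({a.user for a in attempts if a.ip in sources and a.ok})
    return {"locked": sorted(locked_accounts(attempts)),
            "stuffing_sources": sources,
            "accounts_to_review": taken_over}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, only the single-account hammering from 192.0.2.44 trips the lockout, while the stuffing source is caught by the per-source rule after its fifth account, and the two accounts it successfully entered (carol, heidi) are surfaced for review. In practice the source rule is evaded by spreading attempts across proxies, so it is one signal to combine with device fingerprinting and IP reputation rather than a complete defence, and an aggressive per-account lockout can itself be abused to lock legitimate users out.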
How the attack works
Checkmarx goes on to say that, once the cyber-criminals have access to the account, they can add a new gift card and transfer whatever balance the account holder has onto that card – which they fully control. If the account holder has set up a recurring payment from their credit card, this could effectively give the cyber-criminals a never-ending supply of money until the app user realises.
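The takeover pattern Checkmarx describes has distinct signals on the merchant's side: a session from a device the account has never used, a gift card added minutes earlier, the whole balance moved in one go, and auto-reload firing repeatedly to refill what is being drained. A transaction-risk rule that holds such transfers for verification, as an added example written for this article and not Starbucks' own fraud logic, with the account model, weights, thresholds and scenarios all constructed assumptions:

```python
"""Hold balance transfers that fit the account-takeover pattern.

Added example for this article; not Starbucks' code or Checkmarx's.
The account model, weights, thresholds and scenarios are constructed assumptions.
"""
from dataclasses import dataclass, field

NEW_CARD_GRACE_S = 24 * 3600   # a card added less than a day ago counts as "new"
RELOAD_WINDOW_S = 3600         # auto-reload burst window
MAX_RELOADS_PER_WINDOW = 2     # more reloads than this in the window is a burst
HOLD_THRESHOLD = 3             # a score at or above this is held for verification


@dataclass
class Account:
    known_devices: set         # device ids previously seen on this account
    cards: dict                # card_id -> unix ts the card was added
    balance: float
    auto_reloads: list = field(default_factory=list)  # unix ts of each auto-reload


def record_auto_reload(account: Account, ts: int, amount: float) -> None:
    """The auto-load feature from the article: saved card tops the balance up."""
    account.auto_reloads.append(ts)
    account.balance += amount


def score_transfer(account, ts, device_id, dest_card, amount):
    """Return (score, reasons). Each reason is one signal from the article's
    description of the takeover; weights are assumed, not tuned on real data."""
    reasons = {}
    if device_id not in account.known_devices:
        reasons["new_device"] = 2
    added = account.cards.get(dest_card)
    if added is None:
        reasons["unknown_card"] = 3
    elif ts - added < NEW_CARD_GRACE_S:
        reasons["recently_added_card"] = 2
    if amount >= account.balance:
        reasons["drains_balance"] = 1
    recent = [t for t in account.auto_reloads if t >= ts - RELOAD_WINDOW_S]
    if len(recent) >= MAX_RELOADS_PER_WINDOW:
        reasons["auto_reload_burst"] = 2
    return sum(reasons.values()), reasons


def decide_transfer(account, ts, device_id, dest_card, amount):
    """'allow', or 'hold' (step-up verification and pause auto-reload meanwhile)."""
    score, reasons = score_transfer(account, ts, device_id, dest_card, amount)
    return ("hold" if score >= HOLD_THRESHOLD else "allow"), reasons


# Constructed scenarios.
NOW = 1_700_000_000


def scenario_regular_customer():
    acct = Account({"phone-A"}, {"card-1": NOW - 30 * 86400}, balance=40.0)
    return decide_transfer(acct, NOW, "phone-A", "card-1", 10.0)


def scenario_new_phone_same_card():
    # A customer who just bought a new phone should not be blocked outright.
    acct = Account({"phone-A"}, {"card-1": NOW - 30 * 86400}, balance=40.0)
    return decide_transfer(acct, NOW, "phone-B", "card-1", 10.0)


def scenario_takeover():
    acct = Account({"phone-A"}, {"card-1": NOW - 30 * 86400}, balance=40.0)
    acct.cards["gift-9"] = NOW - 120            # a card added two minutes ago...
    record_auto_reload(acct, NOW - 90, 100.0)   # ...auto-reload fires twice...
    record_auto_reload(acct, NOW - 30, 100.0)
    return decide_transfer(acct, NOW, "phone-X", "gift-9", acct.balance)  # ...everything moved


if __name__ == "__main__":
    for name in (scenario_regular_customer, scenario_new_phone_same_card, scenario_takeover):
        print(name.__name__, name())
```

The scoring is additive on purpose: a new phone alone, or a new gift card alone, is normal customer behaviour and passes, while the combination described by Checkmarx (new device, fresh card, full drain, reload burst) is held. While a hold is pending, auto-reload should also be suspended, otherwise the saved card keeps feeding the account the attacker is emptying.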
Chief technology officer of Lookout, Kevin Mahaffey, says that cybercriminals are:
“…likely [to] resell them on the internet for face value or less, eventually turning those Starbucks dollars into real dollars.”
The brute force attack is possibly one of the most successful and common methods of cyber-attack. Because customers reuse the same login and password combinations across several of their online accounts, one theft can give hackers access to many accounts.
Case study
BuzzFeed News reporter Venessa Wong reported that her account was compromised back in March 2017. Ms Wong received an email alert from Starbucks containing a receipt for reloading $100 (£77) onto her mobile app using the saved credit card. She noted that, by the time she logged into her account, the hacker had made 3 purchases in a San Diego store: $48.32 (£37), $49.75 (£38) and $15.83 (£12). By the time she got through to the customer service department, her account had been emptied.
What has Starbucks done in the past 2 years?
Two years on from the first reports of the attack, Starbucks reportedly still hasn’t done much about it. The Starbucks app still appears to be vulnerable to the same weaknesses as two years ago.
Starbucks confirmed that it does not yet support two-factor authentication. Many companies, such as Apple and Facebook, support this security measure, which sends a code via text message or email when you, or someone else, tries to log in to your account from a new device.
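The new-device check described here is a small piece of server logic: after the password is verified, if the device has not been seen on the account before, generate a short-lived one-time code, deliver it out of band, and only trust the device once the code is confirmed. The following is an added example written for this article, not Starbucks’ implementation; the sender hook, the fake clock and the trust model are assumptions. Stolen credentials alone then no longer get an attacker past the login.

```python
"""New-device login challenge: the control the article says Starbucks lacked.

Added example for this article, not Starbucks' code. Delivery of the code
(SMS/email) is out of scope; the sender hook and the fake clock are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_S = 300        # a code is valid for five minutes (assumed)
MAX_CODE_ATTEMPTS = 5   # then the challenge is discarded and must be restarted


class DeviceChallenge:
    def __init__(self, send_code, now=time.time):
        self.send_code = send_code   # callable(user, code): the SMS/email sender
        self.now = now
        self.trusted = {}            # user -> set of device ids
        self.pending = {}            # (user, device) -> [code_hash, expires, attempts]

    def after_password(self, user, device_id):
        """Call once the password has been verified. Returns True if the device
        is already trusted, False if a code was sent and verify() must succeed."""
        if device_id in self.trusted.get(user, set()):
            return True
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        # Store only a hash so a leaked table does not leak live codes.
        self.pending[(user, device_id)] = [self._hash(code), self.now() + CODE_TTL_S, 0]
        self.send_code(user, code)
        return False

    def verify(self, user, device_id, submitted):
        """Check a submitted code; expired or over-tried challenges are discarded."""
        entry = self.pending.get((user, device_id))
        if entry is None:
            return False
        code_hash, expires, attempts = entry
        if self.now() > expires or attempts >= MAX_CODE_ATTEMPTS:
            del self.pending[(user, device_id)]
            return False
        entry[2] += 1
        if hmac.compare_digest(code_hash, self._hash(submitted)):   # constant time
            del self.pending[(user, device_id)]
            self.trusted.setdefault(user, set()).add(device_id)
            return True
        return False

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()


def run_demo():
    """Walk through the flow with a captured outbox and a fake clock."""
    outbox, clock = [], [1000.0]
    dc = DeviceChallenge(send_code=lambda u, c: outbox.append(c), now=lambda: clock[0])
    r = {}
    r["trusted_first_time"] = dc.after_password("alice", "phone-A")          # False: code sent
    wrong = "000000" if outbox[-1] != "000000" else "111111"
    r["wrong_code"] = dc.verify("alice", "phone-A", wrong)
    r["right_code"] = dc.verify("alice", "phone-A", outbox[-1])
    r["trusted_second_time"] = dc.after_password("alice", "phone-A")         # True: no code
    r["new_device_needs_code"] = dc.after_password("alice", "phone-B")
    clock[0] += CODE_TTL_S + 1
    r["expired_code"] = dc.verify("alice", "phone-B", outbox[-1])
    dc.after_password("alice", "phone-B")                                    # fresh challenge
    wrong = "999999" if outbox[-1] != "999999" else "888888"
    for _ in range(MAX_CODE_ATTEMPTS):
        dc.verify("alice", "phone-B", wrong)
    r["right_code_after_too_many_tries"] = dc.verify("alice", "phone-B", outbox[-1])
    r["codes_sent"] = len(outbox)
    return r


if __name__ == "__main__":
    print(run_demo())
```

Two details matter beyond the happy path: the attempt cap keeps a six-digit code from being guessed in the same automated way the passwords were, and the expiry keeps an intercepted code from being useful later. A real deployment would also clear the trusted-device list when the password is changed, and would count the attempt cap per account rather than per device so that restarting the challenge does not reset it.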
Chief Executive of US Cyber Vault, Rob LaMear, notes his disappointment:
“I was surprised that in two years, Starbucks hasn’t gotten more aggressive.”
More customers are venting their frustration at Starbucks on Twitter, but the company’s only response seems to be that it has “a team of engineers dedicated to advancing security and fraud prevention”, adding, “We strongly encourage our customers to follow best practices to protect their accounts.”
What does that even mean?!
Shouldn’t Starbucks introduce the two-factor authentication to minimise the risk of fraudulent activity?
The simple answer is yes, in our view.
Shockingly, Starbucks doesn’t seem to see the urgency of the issue, telling BuzzFeed News in an email:
“…while account takeover (ATO) activity is an industry wide challenge, we see only a tiny fraction of one percent of our account holders impacted.”
I mean, with Starbucks having over 500 customers per day per store (in 2013), isn’t that a large enough figure for them to take their cyber-security more seriously?