Starbucks shifts data protection responsibility onto customers

The Starbucks saga continues…

Customers of Starbucks have been struck by multiple counts of fraudulent activity in recent weeks. Like many modern businesses, Starbucks was not prepared to be left behind in the digital world. So, they created an app where customers can easily purchase drinks and snacks on their phones. Around a third of all purchases are reportedly now made through this popular and easy to use app, and whilst the app is responsible for $1 billion worth of purchases, Starbucks have arguably overlooked key security measures.

On the convenient app, customers can make up all sorts of combinations for their complicated drinks without a barista struggling to keep note. Linked to the customers’ personal credit and debit cards, they can pay directly through the app and keep on top of their purchases. However, as we always warn, when a company wants to improve convenience and speed of services by digitalising, it is essential that up-to-date security measures are implemented alongside.

Starbucks – unhappy customers

In the last few weeks, customers started noticing unauthorised activity on their apps. Ms Vanessa Wong, a reporter for media company BuzzFeed, was horrified to see that someone hundreds of miles away had accessed her Starbucks account. The fraudsters loaded $100 onto the app and then proceeded to spend it on various drinks and snacks in the coffee shop. Since a log in is all that’s required, any number of purchases can be made – all the while linked to the users’ registered bank card.

Ms Wong believes that log-ins were stolen from 2015 hacks, and cyber-criminals have been trying to use them to log into various apps; hoping owners would use the same username and password for multiple apps.

Starbucks – a disappointing reaction?

So what should be done? Should Starbucks step in and clamp down on security? Perhaps investigate the complaints of fraudulent activity and then implement extra security measures to make sure each purchase is authorised by the user with an extra passcode? This is exactly what customers expected from the well-established company in the aftermath of the attack. ..

Instead, Starbucks took a different route. The multi-billion dollar company assured customers that “a team of engineers dedicated to advancing security and fraud prevention” have been instructed to look into the activity. Starbucks also reassured users that only “a tiny fraction of one percent” of account holders were affected, but even 1% of users amounts to $1 million stolen from users’ accounts.

That is not such a tiny fraction!

Starbucks later suggested that their customers should change their passwords. Their reaction caused outrage amongst customers who have lost real money through the app. Even if passwords are changed, there are questions about the robustness of the app’s security.

Improvements must be made

Customers are calling for a two-factor authentication to be added to the app. As with online banking, it’s usual to see such steps to be taken before one can even have a look at their finances.

Multiple passwords ensure hackers will need all passcodes in the same order to get into an account, which can make it more difficult. When an app is linked to a bank account – like the Starbucks app – log in details are not always enough; especially if it can be saved so the user only taps the app to access their account.

Some argue that Starbucks need to implement at least one extra step like a separate password (maybe a 4 digit PIN?) or a security question at the payment stage – not just blame customers for having bad passwords.

The rise of machine learning and how it can impact cyber-security

Third Party companies may be your biggest security risk