While consumer wallets may take a hit from daily doses of $3 coffee and $6 frappuccinos, the most costly thing currently on the Starbucks menu might just be weak passwords, now that reports emerged that hackers are racking up fraudulent charges on credit cards used by the coffee retailer's customers to re-load their Starbucks gift cards and mobile payment accounts.
It seems that attackers have taken advantage of the auto re-load function on the Starbucks app, which lets consumers quickly and easily load value into their accounts from a linked payment card or bank account once the balance dips below a certain threshold.
Calling the “new scam so ingenious [hackers] don't even need to know the account number of the card they are hacking,” Bob Sullivan, a consumer advocate, said in a blog post that thieves “can steal hundreds of dollars in a matter of minutes” by draining the card balance and then stealing additional dollars once the Starbucks account auto re-loads from the linked credit card or bank account.
Sullivan recounted the experience of one consumer whose $34.77 in value was stolen “then another $25 after it was auto-loaded into her card because her balance hit 0.” The hackers then “upped the ante,” he wrote, “changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.”
While Starbucks has not released details of any type of recent hack, the company did post a security statement to its website stressing that it “has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions” to protect customer information.
The statement noted that from time to time its customers report fraudulent activity which “is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.”
Indeed, some reports have tried to pin the hack on information stolen from Target or another recently breached retailer, but for now specific details are not forthcoming.
“No one knows how the bad guys are stealing the Starbucks cards cash, but all guesses point to a bunch of weak passwords that are allowing hackers to game the auto-refill system,” according to comments emailed to SCMagazine.com from Jonathan Sander, strategy & research officer at STEALTHbits Technologies, who says the hack follows a decidedly familiar tune. “What can you do about it? Let's all sing along now: change your Starbucks password, make sure the new password is unique and complex, and for goodness sake don't use that same password on another site or service.”
The incident also casts a harsh light on the problems associated “with using consumer cards and accounts that are backed up with either a high limit credit card, or even worse, the current checking account,” said Lancope Vice President of Threat Intelligence Gavin Reid in comments emailed to SCMagazine.com. “Nothing too new here – if you guess the username and password for an account that is backed by your bank, bad things can and will follow.”
Brendan Rizzo, technical director, HP Security Voltage, in emailed comments to SCMagazine.com, said that there could be further ramifications from the Starbucks attack. “In this case there is a further risk in that the app stores and displays personal information about the user, such as their name, full address, phone number and email address,” he said. “Criminals could then use this information or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks.”
Starbucks in its security statement, noting that the balances on registered cards are protected, encouraged customers who notice fraudulent activity on their accounts to report it immediately to both their financial institutions and Starbucks.
The company also urged its customers to follow a set of best practices that includes “creating passwords made up of long phrases” and which contain a mix of upper and lowercase letters, numbers and symbols. The company also recommended “using different passwords for different sites” and changing passwords frequently.
Security experts, though, said companies need to do a better job of protecting customer information.
“Ideally vendors would make this form of compromise harder by using multifactor authentication, and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss, said Reid.
HP Security Voltage's Rizzo said, the hack “underscores the need for companies to protect all of the sensitive information they hold on their customers” and advocated for a data-centric approach to security as “the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”