Search the Community

Starbucks has rebuffed claims that its mobile app has been hacked, in the wake of reports that scores of its US customers have suffered from credit card fraud. The coffee chain’s US customers have been reporting the theft of hundreds of dollars from their credit cards, in a series of scams seemingly linked to auto top-ups on the Starbucks mobile app. Victims commonly receive emails saying the passwords and login details for Starbucks’ mobile app had been reset before receiving notice of fraudulent transactions. However, Starbucks denies its app has been hacked. In a statement, the coffee chain suggested the isolated reports of fraudulent activity on customers’ online accounts are down to password re-use or other lax security practices by its clients. Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false. Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously. Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information. Reports that hackers were targeting Starbucks mobile users – stealing from linked credit cards without knowing account numbers – first surfaced this week. Bob Sullivan, journalist and consumer advocate, was the the first to report on the scam. Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards. Criminals who obtain username and password credentials for Starbucks.com first drain a consumer’s stored value before siphoning off funds from their linked credit card. Starbucks reportedly allows consumers to move balances from one gift card to another. Hackers can also cash out by using a hijacked account to buy gift cards. These can then be sent to an arbitrary email address which can be trivially registered – without secondary confirmation – from within hijacked Starbucks accounts. In its statement, Starbucks said “customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected”, so those who have been left out of pocket will hopefully get their money back. The apparent scam appears to be limited to the US. El Reg understands that Starbucks customers in Europe and elsewhere outside North America have not been affected. Roy Tobin, a threat researcher at security software firm Webroot, recommended that consumers and businesses alike should re-examine their security practices. "Credentials leaked in previous cyber-attacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers," Tobin said. "The key security take-away from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly re-used by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services," he said. For businesses, the use of two-factor authentication technology can help mitigate against this class of threat, according to Tobin. "Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts," he added. "Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used," he concluded. Source

The 16 million Starbucks customers who use the company’s mobile payment service may want to strengthen their log-in credentials and reconsider using the auto-load feature. Independent journalist and best-selling author Bob Sullivan reported on Monday that hackers recently stole money from several Starbucks customers by gaining access to their credit card information through the Starbucks app and using the auto-load function. Sullivan described how one Starbucks customer had $34.77 stolen from her account last week, another $25 after it was auto-loaded, and another $75 after the hackers changed her auto-load amount. All of this took place in less than ten minutes. Sullivan cites three other Starbucks customers who had their accounts hacked within the past month. This Reddit thread shows a handful of others who had similar issues. Some hackers even used stolen accounts to email gift cards to themselves. “Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card,” Sullivan noted. Sullivan added that hackers who gain access to a Starbucks card can move balances to a card or account they control by changing a victim’s email address used for a transfer verification code. “Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan wrote. Starbucks spokeswoman Maggie Jantzen told GeekWire that these recent incidents are “not widespread” and noted that “customer security is incredibly important to us.” “We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected,” she said. Jantzen also said that Starbucks encourages customers to “use several best practices to ensure their information is as protected as possible,” like strong passwords. “Customers are not responsible for charges or transfers they did not make and if a customer’s Card is registered, their account balance is protected,” she added. “If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.” This is not the first time hackers have taken advantage of Starbucks’ auto-load feature, with customers noticing similar issues dating back to 2013. Starbucks has placed a big emphasis on mobile transactions over the past few years, with CEO Howard Schultz noting late last year that 16 percent of its U.S. sales came from a smartphone. Starbucks also recently suffered a massive point-of-sale computer outage that struck stores in the U.S. and Canada last month. Source