Showing results for tags 'customers'.
-
Starbucks has rebuffed claims that its mobile app has been hacked, in the wake of reports that scores of its US customers have suffered from credit card fraud. The coffee chain’s US customers have been reporting the theft of hundreds of dollars from their credit cards, in a series of scams seemingly linked to auto top-ups on the Starbucks mobile app. Victims commonly receive emails saying the passwords and login details for Starbucks’ mobile app had been reset before receiving notice of fraudulent transactions. However, Starbucks denies its app has been hacked. In a statement, the coffee chain suggested the isolated reports of fraudulent activity on customers’ online accounts are down to password re-use or other lax security practices by its clients. Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false. Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously. Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information. Reports that hackers were targeting Starbucks mobile users – stealing from linked credit cards without knowing account numbers – first surfaced this week. Bob Sullivan, journalist and consumer advocate, was the first to report on the scam. 
Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards. Criminals who obtain username and password credentials for Starbucks.com first drain a consumer’s stored value before siphoning off funds from their linked credit card. Starbucks reportedly allows consumers to move balances from one gift card to another. Hackers can also cash out by using a hijacked account to buy gift cards. These can then be sent to an arbitrary email address which can be trivially registered – without secondary confirmation – from within hijacked Starbucks accounts. In its statement, Starbucks said “customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected”, so those who have been left out of pocket will hopefully get their money back. The apparent scam appears to be limited to the US. El Reg understands that Starbucks customers in Europe and elsewhere outside North America have not been affected. Roy Tobin, a threat researcher at security software firm Webroot, recommended that consumers and businesses alike should re-examine their security practices. "Credentials leaked in previous cyber-attacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers," Tobin said. "The key security take-away from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly re-used by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services," he said. For businesses, the use of two-factor authentication technology can help mitigate against this class of threat, according to Tobin. 
"Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts," he added. "Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used," he concluded. Source
-
The 16 million Starbucks customers who use the company’s mobile payment service may want to strengthen their log-in credentials and reconsider using the auto-load feature. Independent journalist and best-selling author Bob Sullivan reported on Monday that hackers recently stole money from several Starbucks customers by gaining access to their credit card information through the Starbucks app and using the auto-load function. Sullivan described how one Starbucks customer had $34.77 stolen from her account last week, another $25 after it was auto-loaded, and another $75 after the hackers changed her auto-load amount. All of this took place in less than ten minutes. Sullivan cites three other Starbucks customers who had their accounts hacked within the past month. This Reddit thread shows a handful of others who had similar issues. Some hackers even used stolen accounts to email gift cards to themselves. “Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card,” Sullivan noted. Sullivan added that hackers who gain access to a Starbucks card can move balances to a card or account they control by changing a victim’s email address used for a transfer verification code. “Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan wrote. Starbucks spokeswoman Maggie Jantzen told GeekWire that these recent incidents are “not widespread” and noted that “customer security is incredibly important to us.” “We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected,” she said. 
Jantzen also said that Starbucks encourages customers to “use several best practices to ensure their information is as protected as possible,” like strong passwords. “Customers are not responsible for charges or transfers they did not make and if a customer’s Card is registered, their account balance is protected,” she added. “If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.” This is not the first time hackers have taken advantage of Starbucks’ auto-load feature, with customers noticing similar issues dating back to 2013. Starbucks has placed a big emphasis on mobile transactions over the past few years, with CEO Howard Schultz noting late last year that 16 percent of its U.S. sales came from a smartphone. Starbucks also recently suffered a massive point-of-sale computer outage that struck stores in the U.S. and Canada last month. Source
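The two Starbucks posts above describe the same pattern: a credential-stuffing run against the login endpoint, then a password reset, email change, auto-reload change and gift-card transfer on the hijacked account, all within a few minutes. The following is an added example, not code from Starbucks or from either article, showing how a detection engineer might flag both halves of that pattern over a constructed log in a hypothetical `key=value` format (the log lines, field names, action names and thresholds are all assumptions for illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value format (not a real
# Starbucks log). One IP tries six accounts in a few seconds; "carol" is then
# taken over and drained in the sequence the reports describe. "alice" resets
# her own password and changes auto-reload hours later, which is benign.
SAMPLE_LOG = """\
2015-05-11T09:00:01 ip=203.0.113.7 user=alice action=login_failed
2015-05-11T09:00:02 ip=203.0.113.7 user=bob action=login_failed
2015-05-11T09:00:02 ip=203.0.113.7 user=carol action=login_ok
2015-05-11T09:00:03 ip=203.0.113.7 user=dave action=login_failed
2015-05-11T09:00:04 ip=203.0.113.7 user=erin action=login_failed
2015-05-11T09:00:05 ip=203.0.113.7 user=frank action=login_failed
2015-05-11T09:01:10 ip=203.0.113.7 user=carol action=password_reset
2015-05-11T09:01:40 ip=203.0.113.7 user=carol action=email_changed
2015-05-11T09:03:15 ip=203.0.113.7 user=carol action=autoreload_changed
2015-05-11T09:04:00 ip=203.0.113.7 user=carol action=gift_card_sent
2015-05-11T09:30:00 ip=198.51.100.9 user=alice action=login_ok
2015-05-11T09:31:00 ip=198.51.100.9 user=alice action=password_reset
2015-05-11T18:00:00 ip=198.51.100.9 user=alice action=autoreload_changed
"""

# Assumed thresholds; tune against real traffic before deploying.
STUFFING_MIN_USERS = 5                 # distinct accounts from one IP ...
STUFFING_WINDOW = timedelta(minutes=5)  # ... inside this window
TAKEOVER_WINDOW = timedelta(minutes=10) # reset -> cash-out inside this window
CASH_OUT_ACTIONS = {"autoreload_changed", "gift_card_sent", "balance_transfer"}


def parse_log(text):
    """Parse the key=value lines into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.fromisoformat(ts), "ip": fields["ip"],
                       "user": fields["user"], "action": fields["action"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events, min_users=STUFFING_MIN_USERS,
                          window=STUFFING_WINDOW):
    """IPs that attempt >= min_users distinct accounts within `window`.
    Successes count too: a stuffing run produces both hits and misses."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] in ("login_failed", "login_ok"):
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over sorted attempts
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            if len({a["user"] for a in attempts[start:end + 1]}) >= min_users:
                flagged.add(ip)
                break
    return flagged


def find_takeover_chains(events, window=TAKEOVER_WINDOW):
    """Users whose password reset is followed within `window` by a cash-out
    action. Returns {user: [actions in the chain]}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    chains = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != "password_reset":
                continue
            later = [x["action"] for x in evs[i + 1:] if x["ts"] - e["ts"] <= window]
            if CASH_OUT_ACTIONS & set(later):
                chains[user] = ["password_reset"] + later
                break
    return chains


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", find_stuffing_sources(evs))
    print("takeover chains:", find_takeover_chains(evs))
```

The second detector is what makes the step-up authentication Tobin recommends actionable: the same reset-then-cash-out sequence that trips the rule is the point at which a second factor should be demanded, rather than at login alone.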
-
Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, it told customers exposed to the vulnerability that a patch is still two months away. “For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May 2015,” said a statement emailed to Threatpost. Seagate said that after analyzing the vulnerability, it has determined the zero-day to be low risk because it affects only those customers who expose the NAS boxes to the Internet. “With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible,” Seagate said. Seagate has built a website for concerned customers with instructions on how to mitigate exposure, and encouraged users to put the NAS boxes behind a firewall when using them exclusively on internal networks. The vulnerability was publicly disclosed a week ago Sunday by Australian security consultancy Beyond Binary after five months of dialogue with Seagate that failed to produce a security update for the firmware issue in question, the researchers said. Beyond Binary said it used a Shodan scan to find 2,500 vulnerable devices exposed to the Internet. Beyond Binary said Seagate boxes running firmware version up to and including 2014.00319 are vulnerable and exploitable without authorization. The issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. The outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011; all of which have their own set of vulnerabilities that have been addressed in later versions of the respective components. 
Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said. The custom web app is not without its issues too as it stores information relevant to a user session inside a session cookie rather than on the webserver. Some of those values include the name of the user, whether they’re an admin and the language. “The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access,” the advisory said. “In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.” Source
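The advisory quoted above describes two separate design faults: authorization state (including whether the user is an admin) is carried in the client-side cookie, and the key protecting that cookie is the same on every unit shipped. The following is an added example, not Seagate's or Beyond Binary's code, modelling both faults and their fix in a pair of toy web-app session handlers. The real product encrypted its cookies; the example uses HMAC signing instead, because the property that matters, a static secret shared by every instance, plays out identically for either. `STATIC_KEY`, the class names and the claim names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a secret baked into every firmware image. Anyone
# who extracts it from one box (the advisory says the outdated components make
# that possible) holds the secret for every box.
STATIC_KEY = b"same-key-baked-into-every-firmware-image"


def mint_cookie(key, claims):
    """Serialize claims and append an HMAC-SHA256 tag under `key`."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def read_cookie(key, cookie):
    """Return the claims if the tag verifies under `key`, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class VulnerableNAS:
    """Fault 1: every instance shares STATIC_KEY.
    Fault 2: the cookie itself says whether the user is an admin."""

    def __init__(self, name):
        self.name = name
        self.key = STATIC_KEY

    def login(self, user, is_admin):
        return mint_cookie(self.key, {"user": user, "is_admin": is_admin, "lang": "en"})

    def is_admin(self, cookie):
        claims = read_cookie(self.key, cookie)
        return bool(claims and claims["is_admin"])


class HardenedNAS:
    """Fix: a per-instance key generated at first boot, and a cookie that holds
    only an opaque session id; the admin flag lives in server-side state."""

    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.sessions = {}

    def login(self, user, is_admin):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "is_admin": is_admin}
        return mint_cookie(self.key, {"sid": sid})

    def is_admin(self, cookie):
        claims = read_cookie(self.key, cookie)
        if not claims:
            return False
        sess = self.sessions.get(claims.get("sid"))
        return bool(sess and sess["is_admin"])


def cross_instance_replay(nas_cls):
    """Log in as admin on box A, present the same cookie to box B.
    Returns (accepted_on_A, accepted_on_B)."""
    a, b = nas_cls("nas-a"), nas_cls("nas-b")
    cookie = a.login("admin", True)
    return a.is_admin(cookie), b.is_admin(cookie)


def forged_cookie_accepted(nas_cls):
    """With the static key in hand, mint an admin cookie with no login at all."""
    forged = mint_cookie(STATIC_KEY, {"user": "admin", "is_admin": True, "lang": "en"})
    return nas_cls("nas-c").is_admin(forged)


if __name__ == "__main__":
    print("vulnerable replay A->B:", cross_instance_replay(VulnerableNAS))  # (True, True)
    print("hardened replay A->B:  ", cross_instance_replay(HardenedNAS))    # (True, False)
    print("vulnerable forged:     ", forged_cookie_accepted(VulnerableNAS)) # True
    print("hardened forged:       ", forged_cookie_accepted(HardenedNAS))   # False
```

The hardened class closes both holes at once: a cookie minted on one unit fails verification on another because the keys differ, and even a correctly signed cookie cannot claim admin rights, since the server consults its own session table rather than the client's assertion.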
-
TalkTalk has admitted to a major breach of user information, which may have led to some customers handing over bank information to hackers. In an email to customers, the company said it first saw a big increase in malicious scammers claiming to be from TalkTalk at the end of last year. Following an investigation it said some of its customer information, such as names, addresses, phone and account numbers, could have been illegally accessed, with scammers quoting these details to customers. Consequently a small number may have revealed more in-depth information, such as bank details. In some of these cases we know they may be using the information they have illegally obtained, the telecoms and services provider said. In a statement it said: "At TalkTalk we take our customers' security very seriously and we take numerous measures to help keep our customers safe. Yet sadly in every sector, criminal organisations using phone and email scams are on the rise." "As part of our ongoing approach to security we continually test our systems and processes ... following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures." "We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," it continued. "We want to reassure customers that no sensitive information, such as bank account details, has been illegally accessed, and TalkTalk Business customers are not affected," it added. The company said it is liaising with the Information Commissioner's Office and is writing to all its customers to offer advice about the criminal activity. An ICO spokesperson said: “We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances.” Source