Showing results for tags 'sullivan'.
The 16 million Starbucks customers who use the company’s mobile payment service may want to strengthen their log-in credentials and reconsider using the auto-load feature. Independent journalist and best-selling author Bob Sullivan reported on Monday that hackers recently stole money from several Starbucks customers by gaining access to their credit card information through the Starbucks app and using the auto-load function.

Sullivan described how one Starbucks customer had $34.77 stolen from her account last week, another $25 after it was auto-loaded, and another $75 after the hackers changed her auto-load amount. All of this took place in less than ten minutes. Sullivan cites three other Starbucks customers who had their accounts hacked within the past month. This Reddit thread shows a handful of others who had similar issues. Some hackers even used stolen accounts to email gift cards to themselves.

“Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card,” Sullivan noted. Sullivan added that hackers who gain access to a Starbucks card can move balances to a card or account they control by changing a victim’s email address used for a transfer verification code.

“Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan wrote.

Starbucks spokeswoman Maggie Jantzen told GeekWire that these recent incidents are “not widespread” and noted that “customer security is incredibly important to us.” “We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected,” she said.

Jantzen also said that Starbucks encourages customers to “use several best practices to ensure their information is as protected as possible,” like strong passwords. “Customers are not responsible for charges or transfers they did not make and if a customer’s Card is registered, their account balance is protected,” she added. “If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.”

This is not the first time hackers have taken advantage of Starbucks’ auto-load feature, with customers noticing similar issues dating back to 2013. Starbucks has placed a big emphasis on mobile transactions over the past few years, with CEO Howard Schultz noting late last year that 16 percent of its U.S. sales came from a smartphone. Starbucks also recently suffered a massive point-of-sale computer outage that struck stores in the U.S. and Canada last month. Source
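The sequence Sullivan describes (a takeover of the login, then within minutes an auto-reload change or an email change followed by reloads and balance transfers) is the kind of pattern a fraud-monitoring rule can catch on the account-event stream. The following is an added example, not Starbucks' code and not anything from the article: the event log, event names, the ten-minute window and the 24-hour cooling-off period are constructed assumptions chosen to illustrate the detection and one hardening.

```python
"""Detect the account-takeover sequence from the Starbucks story over a constructed event log.

Added example: event names, amounts and policy windows are assumptions, not Starbucks' schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event type, details). Not real data.
SAMPLE_EVENTS = [
    ("2015-05-11T08:00:00", "acct-1", "login", {"ip": "203.0.113.7"}),
    ("2015-05-11T08:01:10", "acct-1", "autoreload_changed", {"old": 25, "new": 75}),
    ("2015-05-11T08:02:05", "acct-1", "autoreload", {"amount": 75}),
    ("2015-05-11T08:02:30", "acct-1", "balance_transfer", {"amount": 75, "to": "card-9"}),
    ("2015-05-11T08:03:00", "acct-2", "email_changed", {"old": "a@example.org", "new": "b@example.net"}),
    ("2015-05-11T08:04:00", "acct-2", "balance_transfer", {"amount": 34.77, "to": "card-3"}),
    ("2015-05-11T09:00:00", "acct-3", "autoreload", {"amount": 25}),   # normal: no setting change
    ("2015-05-11T13:00:00", "acct-3", "balance_transfer", {"amount": 10, "to": "card-4"}),
]

WINDOW = timedelta(minutes=10)                 # assumption: "less than ten minutes" from the story
TRIGGERS = {"autoreload_changed", "email_changed"}   # settings an attacker changes first
DRAINS = {"autoreload", "balance_transfer", "gift_card_sent"}  # events that move value


def find_takeover_patterns(events, window=WINDOW):
    """Return (account, trigger, drain_count, drained_amount) for each account where a
    settings change is followed within `window` by one or more value-moving events."""
    by_acct = defaultdict(list)
    for ts, acct, kind, data in events:
        by_acct[acct].append((datetime.fromisoformat(ts), kind, data))
    alerts = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, kind, _) in enumerate(evs):
            if kind not in TRIGGERS:
                continue
            drains = [e for e in evs[i + 1:] if e[1] in DRAINS and e[0] - t0 <= window]
            if drains:
                total = round(sum(e[2]["amount"] for e in drains), 2)
                alerts.append((acct, kind, len(drains), total))
    return alerts


EMAIL_CHANGE_COOLDOWN = timedelta(hours=24)   # assumption: policy value for illustration


def transfer_allowed(last_email_change, now, cooldown=EMAIL_CHANGE_COOLDOWN):
    """Hardening: refuse balance transfers until a cooling-off period has passed since the
    contact email (the channel that receives the transfer verification code) was changed."""
    return last_email_change is None or now - last_email_change >= cooldown


if __name__ == "__main__":
    for alert in find_takeover_patterns(SAMPLE_EVENTS):
        print("ALERT account=%s trigger=%s drains=%d amount=%s" % alert)
```

The rule keys on the order of events rather than on any single amount, which is what separates the fraud sequence from a legitimate customer who simply reloads and spends; the cooling-off check closes the specific gap Sullivan points out, where changing the email on file lets the attacker receive the verification code themselves.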
After rolling out free SSL for its users last fall, CloudFlare has deployed a new level of encryption on its service that hardens and speeds up the user experience, especially when accessing domains via mobile browsers. The form of encryption, a relatively new transport layer cipher suite known as ChaCha20-Poly1305, has largely been used by Google until now. But as of yesterday, it is being used on 10 percent of CloudFlare’s HTTPS connections with more to follow.

CloudFlare’s Nick Sullivan, who described the move on the company’s blog yesterday, called the cipher fast, useful and its security level “more than sufficient” for HTTPS. The algorithm is based on a combination of two other ciphers, ChaCha20 and Poly1305 MAC, both crafted by cryptographer Daniel Bernstein in 2008 and 2005 respectively. After being batted around for a bit, it surfaced in Chrome 31 in November 2013.

Sullivan points out that the cipher, when paired with TLS, should excel at bridging the gap between having secure encryption on mobile browsers and APIs. While the cipher will fill that void, it also improves upon two other alternatives, RC4, which of course has its many foibles, and AES-GCM, which can cost a fortune depending on the way it’s implemented. It also helps that ChaCha20-Poly1305 is three times faster than AES-128-GCM on mobile services – the cipher provides 256 bits of security over GCM’s 128 – something that should reduce the strain on batteries on mobile devices. “Spending less time on decryption means faster page rendering and better battery life,” Sullivan wrote.

The content delivery network explains that the change is partly fueled by the rest of the web’s fervent push towards HTTPS but that the move could also be seen as a foreshadowing of the cipher’s future widespread adoption. Sullivan acknowledges that Mozilla is planning on adding support for it in Firefox and that at the very least, using the cipher is a good fallback in case someone digs up a bug in AES-GCM, the algorithm primarily being used right now, in the near future. Source