Starbucks has denied reports that cyber-criminals are using the coffee chain’s mobile payments app to siphon money from its customers.
The announcement follows multiple media reports that intruders have hijacked the accounts of hundreds of the coffee chain’s customers, siphoned off the value stored on the smartphones, and then used the auto-reload function to steal debit and credit card information.
“Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false,” the company said in a statement on Wednesday.
Reports suggested that credit card hackers looking to evade increased bank security measures discovered a clever side door—the Starbucks mobile payment app and gift cards.
The reports from CNN
http://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/
and others, suggest that criminals are hijacking consumers’ coffee accounts, draining the stored value of their cards, and then using Starbucks’ auto-reload function to hack consumers’ associated debit and credit cards.
This new scam means that cyber criminals don’t even need to know the account number of the card they are hacking.
By taking advantage of the Starbucks auto-reload feature, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, it can escalate quickly.
Industry comment:
Brendan Rizzo, technical director EMEA, HP Security Voltage:
“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers. Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash. In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks. Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”
Stephen Coty, chief security evangelist, Alert Logic:
“16 Million Starbucks customer who utilise their mobile payment service may have been compromised as part of a organised attack. There have been reports of the mobile app being manipulated to hijack funds once the mobile device is reloaded with funds from a credit or gift card. There has been conversations through Twitter about customers seeing fraud taking place with their Starbucks accounts. Starbucks has said that they process approximately $2 billion in mobile payments
The timing of this attack is very interesting since, just about a week ago, Starbucks had an issue in their stores with their payment system not allowing for the processing of credit cards. Makes you think what exactly happened to the payment system that shut down the service for a day and gave attackers an opportunity to compromise a part of their system.”
Gavin Reid, VP of threat intelligence, Lancope:
“Nothing too new here – if you guess the username and password for an account that is backed by you bank bad things can and will follow. This highlights problems with using consumer cards & accounts that are backed up with either a high limit credit card or even worse the current checking account. Ideally vendors would make this form of compromise harder by using multi factor authentication and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss. This type of small amount theft can be automated reusing already exposed credentials. Consumers can protect themselves by setting hard to guess unique passwords.”