Hackers Stealing Money Through Starbucks Accounts

Hackers have been accessing Starbucks accounts, through the coffee seller’s mobile apps, to steal thousands of pounds from unsuspecting customers. The rouse was uncovered by US journalist Bob Sullivan, who wrote on his blog:

Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.

It is still unclear as to how criminals have been using hacked accounts to steal money, but one theory is that they are purchasing Starbucks gift cards, which are then sold on, either through legitimate platforms or the dark web, via Tor.

Starbucks has been made aware of the issue but, rather unhelpfully, denies that its apps have been hacked:

Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false.

Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.

Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.

Though Starbucks passes the buck to the customer, it does at least acknowledge that any fraudulent activity is not the responsibility of the account holder.

Paul Martini, CEO of security firm iboss has certainly taken exception to Starbucks’ statement, accusing it of using semantic to absolve itself of responsibility:

This line of argument is so common now – it’s basically playing with words. Whether the app is literally hacked or not, it’s completely ridiculous. The design itself is flawed. Auto-reload should happen at the register. The second part issue is: why can people reload and drain a card within ten minutes?

If you are concerned about the security of your Starbucks account, simply turn off auto-reload on the Starbucks app, and make sure your username and password are distinct from one another.

Thank you The Next Web for providing us with this information.