Hackers exploit Starbucks’ app to empty bank accounts
Starbucks has admitted that users of its app are having their bank accounts drained by hackers. Thieves have gained access to a number of users’ apps – and with it access to their bank accounts, PayPal accounts and any other linked forms of payment – all without needing an account number or password.
How are they doing it?
After gaining access to Starbucks accounts, thieves are exploiting the auto-reload feature of the app. Designed to make buying Starbucks even more convenient, the app will helpfully use a linked bank account to top up your Starbucks balance when it’s low.
This has allowed thieves to send themselves gift cards, emptying the Starbucks balances of many unsuspecting customers. Once the balance is down to zero, the auto-reload feature will automatically take money from the customer’s linked payment method, draining money out of their main bank account too – without the need for any bank details.
Once the Starbucks balance hits zero again, thieves simply wait for the auto-reload feature to kick in once more, and then repeat the process. The final part of the scheme sees hackers cash in by selling the gift cards on. The process is so fast that most customers have lost hundreds of dollars before they’ve noticed anything unusual.
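The reload-then-send loop described above has a distinctive shape in an app’s own transaction ledger: a stored-value top-up followed within seconds by a transfer of at least that amount, repeated several times in a short window. The following detector is an added example written for this article; it is not Starbucks’ code, and the ledger field names, event types and sample records are all constructed for illustration.

```python
"""Flag accounts showing the auto-reload drain pattern (reload -> immediate gift send, repeated).

Assumed ledger format (constructed for this example): one record per event,
(timestamp, account_id, event_type, amount). Event types used here:
  'auto_reload' - linked payment method tops up the stored-value balance
  'gift_send'   - stored value transferred to another card or recipient
  'purchase'    - ordinary in-store spend (ignored by the rule)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: acct-1 behaves normally (weekly reload, purchases);
# acct-2 is reloaded and emptied three times inside three minutes.
SAMPLE_LEDGER = [
    ("2015-05-11T08:00:00", "acct-1", "auto_reload", 25.00),
    ("2015-05-11T08:05:00", "acct-1", "purchase", 4.25),
    ("2015-05-13T14:02:10", "acct-2", "auto_reload", 25.00),
    ("2015-05-13T14:02:41", "acct-2", "gift_send", 25.00),
    ("2015-05-13T14:03:15", "acct-2", "auto_reload", 25.00),
    ("2015-05-13T14:03:40", "acct-2", "gift_send", 25.00),
    ("2015-05-13T14:04:22", "acct-2", "auto_reload", 25.00),
    ("2015-05-13T14:04:50", "acct-2", "gift_send", 25.00),
    ("2015-05-18T09:00:00", "acct-1", "auto_reload", 25.00),
]


def parse_ledger(rows):
    """Group ledger rows by account and sort each account's events by time."""
    by_account = defaultdict(list)
    for ts, acct, kind, amount in rows:
        by_account[acct].append((datetime.fromisoformat(ts), kind, amount))
    for events in by_account.values():
        events.sort(key=lambda e: e[0])
    return by_account


def drain_cycles(events, max_gap=timedelta(minutes=2)):
    """Return (timestamps, total) for every reload that is followed within max_gap
    by a gift send of at least the reloaded amount, i.e. one drain cycle."""
    cycle_times, total, last_reload = [], 0.0, None
    for ts, kind, amount in events:
        if kind == "auto_reload":
            last_reload = (ts, amount)
        elif kind == "gift_send" and last_reload is not None:
            r_ts, r_amount = last_reload
            if ts - r_ts <= max_gap and amount >= r_amount:
                cycle_times.append(ts)
                total += amount
            last_reload = None
    return cycle_times, total


def flag_drained_accounts(rows, min_cycles=2, window=timedelta(hours=1)):
    """Return {account_id: amount_drained} for accounts with at least min_cycles
    drain cycles inside any sliding window of length `window`.
    A real deployment would hold the next reload for review rather than only flag."""
    flagged = {}
    for acct, events in parse_ledger(rows).items():
        times, total = drain_cycles(events)
        for i in range(len(times) - min_cycles + 1):
            if times[i + min_cycles - 1] - times[i] <= window:
                flagged[acct] = round(total, 2)
                break
    return flagged


if __name__ == "__main__":
    print(flag_drained_accounts(SAMPLE_LEDGER))  # → {'acct-2': 75.0}
```

The rule keys on the combination the article describes (reload immediately followed by an outbound transfer, repeated) rather than on any single large transaction, so a customer who reloads weekly and buys coffee never trips it. The thresholds (two-minute gap, two cycles per hour) are illustrative starting points, not tuned values.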
Starbucks claims that the breaches are the result of weak passwords, but it’s easy to see why hackers have identified the app as a potential source of income.
Mobile payments are big business
According to consumer reporter Bob Sullivan, Starbucks processed over $2 billion in mobile payments last year alone, with the method accounting for one in six payments. Because the accounts are linked, thieves don’t even need bank details to siphon money off – making it a much easier route than traditional fraud. The relative ease and success of this hacking method has made it extremely popular, with Sullivan claiming “there are people who are trying 10, 20, 30,000 logins at Starbucks.com.”
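Tens of thousands of login attempts against a site is the signature of credential stuffing: reused passwords from other breaches tried against many different usernames from one source. The detector below is an added example, not code from Starbucks or the reporter quoted; the log line format, the client addresses and the usernames are all constructed for illustration.

```python
"""Flag login sources that try many distinct usernames, mostly failing, in a short window.

Assumed log format (constructed for this example), one line per attempt:
  <ISO timestamp> <client_ip> login <username> <ok|fail>
A forgetful user retries one username a few times; a stuffing source cycles
through many usernames, so distinct-username count is the discriminating signal.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(r"^(\S+) (\S+) login (\S+) (ok|fail)$")

# Constructed sample log: 203.0.113.9 sprays six usernames in three seconds and
# gets one hit; 198.51.100.7 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2015-05-13T03:00:01 203.0.113.9 login alice@example.com fail
2015-05-13T03:00:01 203.0.113.9 login bob@example.com fail
2015-05-13T03:00:02 203.0.113.9 login carol@example.com fail
2015-05-13T03:00:02 203.0.113.9 login dave@example.com ok
2015-05-13T03:00:03 203.0.113.9 login erin@example.com fail
2015-05-13T03:00:03 203.0.113.9 login frank@example.com fail
2015-05-13T09:15:00 198.51.100.7 login grace@example.com fail
2015-05-13T09:15:20 198.51.100.7 login grace@example.com fail
2015-05-13T09:15:45 198.51.100.7 login grace@example.com ok
"""


def parse_log(text):
    """Yield (timestamp, ip, username, result) for each well-formed line; skip others."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose attempts in some sliding window cover
    at least min_users distinct usernames with a failure ratio >= min_fail_ratio.
    The summary lists usernames that succeeded from that source: those accounts
    should be forced through a password reset, since the source is not their owner."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))

    suspicious = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "fail")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                prev = suspicious.get(ip, {"distinct_users": 0})
                if len(users) > prev["distinct_users"]:
                    suspicious[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "compromised": sorted(u for _, u, r in span if r == "ok"),
                    }
    return suspicious


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

Because the rule counts distinct usernames per source rather than failures per account, it does not lock out the legitimate user who mistypes a password, and the `compromised` list gives the response team the accounts that need a forced reset and a review of recent reloads.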
Worryingly, this isn’t the first time Starbucks has been in hot water over customers’ details, with the multi-national admitting last year that it stored customers’ usernames, email addresses and passwords unencrypted, in plain text.
Just how safe are mobile payments?
Incorporated into apps such as Uber, Santander’s Cycle App and countless others, mobile payments offer increased convenience but come with an increased risk. A security chain is only ever as strong as its weakest link, and by linking our accounts to less-than-secure apps, we’re inviting thieves to dig into our details.
However, there are ways we can minimize the risk. As well as encouraging customers to use stronger, alphanumeric passwords, mobile app developers are beginning to bolster their built-in security. Two-step authentication, a growing standard in mobile apps, and the biometric-based payment service Apple Pay are both adding a formidable line of defense to our all-important details.
In response, Starbucks have quickly refunded the stolen funds to all affected customers, and released the following statement. “We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers.”
The company also claims that the app itself hasn’t been hacked – just the Starbucks accounts created when customers first use the app. Although this vindicates the security of the software itself, it doesn’t stop us questioning how Starbucks protects the information of its customers. Worse still, it means that even if users delete the app, their details will still be vulnerable to hackers. As yet, there are also no plans for Starbucks to implement two-step authentication, like that used by Google and others.