Earlier in May, researcher Bob Sullivan reported that hackers were targeting Starbucks mobile users and using the Starbucks app to steal money through linked credit cards.
The Starbucks app links to a credit card so that the user can prepay for goods and purchase Starbucks gift cards for friends and family to spend in store.
Reports indicate that the gift cards are fundamental to the attacks.
After gaining access to the victim’s Starbucks account, attackers create a new gift card for the entire balance of the account and issue it to themselves. The problem is then compounded as the Starbucks app automatically tops up the user’s balance when it gets low. This means that the attacker can then strike again.
Within a few minutes, attackers could potentially siphon hundreds of dollars through gift cards without even needing the victim’s credit card details.
In a recent blog post, Starbucks defended the security of its app, stating that “News reports that the Starbucks mobile app has been hacked are false.”
Instead, the company says that customers reusing login details from other sites is what is putting them at risk:
Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.
This isn’t the first time the Starbucks app has come under fire: last year it emerged that the app stored users’ passwords on the device in plain text.
How to help protect yourself from attacks such as these:
Pick a strong, unique password
It goes without saying that this attack would not be possible if hackers were shut out of Starbucks accounts. Therefore, keeping a strong and unique password (one that is not used on any other site) is one of the most important things you can do to help protect yourself from an attack like this. For help creating a strong password, check out this simple guide.
Turn off or limit auto top-up
One of the things that makes this attack so dangerous is the fact that the damage can escalate rapidly thanks to the auto top-up functionality used by the Starbucks app (and many others like it).
While automatically replenishing your account balance can be an incredibly convenient thing, if you are concerned about attacks like these, disable or set a deposit limit on your auto top-up.
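To make the escalation described above concrete, here is an added example (not code from the article or from Starbucks) that models a prepaid account with auto top-up, measures how much a repeated gift-card drain can extract with and without a reload cap, and shows a simple server-side velocity check for clustered reloads. Thresholds, amounts and the account model are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StoredValueAccount:
    """Toy model of a prepaid account with auto top-up (constructed, not real)."""
    balance: float
    reload_threshold: float            # top up when balance drops below this
    reload_amount: float               # pulled from the linked card each time
    daily_reload_cap: Optional[float] = None  # None = unlimited (risky default)
    reloaded_today: float = 0.0
    card_charges: List[float] = field(default_factory=list)

    def gift_card_transfer(self, amount: float) -> bool:
        """Move stored value onto a gift card; False if the balance is short."""
        if amount <= 0 or amount > self.balance:
            return False
        self.balance -= amount
        self._auto_reload()
        return True

    def _auto_reload(self) -> None:
        if self.balance >= self.reload_threshold:
            return
        if (self.daily_reload_cap is not None
                and self.reloaded_today + self.reload_amount > self.daily_reload_cap):
            return  # cap reached: the linked card is not charged again today
        self.balance += self.reload_amount
        self.reloaded_today += self.reload_amount
        self.card_charges.append(self.reload_amount)


def drain_exposure(acct: StoredValueAccount, attempts: int) -> float:
    """Total value moved off the account when its whole balance is repeatedly
    transferred to gift cards; each transfer triggers another card charge."""
    moved = 0.0
    for _ in range(attempts):
        amount = acct.balance
        if not acct.gift_card_transfer(amount):
            break  # nothing left to move: the cap (or empty card) stopped it
        moved += amount
    return moved


def reload_velocity_alert(reload_times: List[float], max_reloads: int,
                          window_s: float) -> bool:
    """Server-side check: flag an account with more than max_reloads
    auto-reloads inside any window_s-second window (seconds since epoch)."""
    times = sorted(reload_times)
    return any(times[i + max_reloads] - times[i] <= window_s
               for i in range(len(times) - max_reloads))
```

With an uncapped account the loss is bounded only by the number of transfers the attacker makes; with a daily cap it is bounded by the starting balance plus the cap, and the velocity check catches the burst of reloads long before either limit is reached.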
Regularly check your accounts
Just like with online banking fraud, one of the best ways to protect yourself or recover from attacks such as this is to stay vigilant. Regularly check your bank statements and online account histories for suspicious activity and do not hesitate to get in touch with your bank or retailer should something unexpected appear.
For Starbucks users, if you see any suspicious activity on your Starbucks Card or mobile app, please immediately notify Starbucks customer service at 1-800-STARBUC.