Starbucks Accounts Hacked – Coffee Cup Compromise

It’s a convenience customers appreciate and businesses love: the ability to set up a service that auto-reloads your account with money as soon as the balance gets too low, ensuring you always have enough to buy what you want. For many people who frequent Starbucks and use its app on their mobile device, the auto-reload option is the fastest way to pay and keep that cup of coffee coming, but this convenience has come at a cost, and that cost has opened a door for hackers to take advantage of.


By most accounts, 1 in 6 Starbucks users use mobile pay to purchase their cup of coffee, and many of those mobile users take advantage of an auto-reload option that is directly linked to their bank account. Auto-reload automatically replenishes their Starbucks funds when the balance gets low, without their having to do it manually. It’s a convenience that appears to come at a cost and can have serious consequences if you are not careful.


This convenience is what opened the door to the hackers and is the basis for this breach. Starbucks did make a statement saying that its app has not been compromised, so it is now believed that the hackers got in one of two ways. The first is that they figured out people’s Starbucks usernames and passwords using a common hacker technique called a brute-force attack: software guesses login credentials by trying random ones thousands of times against the Starbucks website login.

The other theory is that these hackers have access to usernames and passwords from a different compromised database, and if people are reusing the same username and password, then access is as simple as typing in the compromised credentials.

In any of these possible and probable scenarios, the hackers then use the auto-reload feature multiple times in the middle of the night, while the user is asleep and won’t see any email notifications, to drain, transfer, and reload funds off to another account, email address, or gift card under their control, and then sell that off to other unsuspecting people.


Until Starbucks implements tighter security measures for creating and maintaining user accounts, along with limiting the number of times a user can incorrectly try a login, the safest thing to do is to turn off auto-reload. I know that removes the convenience of paying, but it will increase your security.
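The three behaviours the post describes (brute-force guessing against one account, reuse of credentials leaked elsewhere tried across many accounts from one source, and a burst of overnight reloads once an account is taken) are all visible in ordinary login and reload logs. The following is an added example, not code from the original post or from Starbucks, that runs simple detection logic over a constructed sample log; the thresholds, the log format, the IP addresses and the account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not real Starbucks data): time, source IP, account, event, outcome.
SAMPLE_LOG = """\
2015-05-13T02:01:10 203.0.113.7 alice@example.com login fail
2015-05-13T02:01:12 203.0.113.7 alice@example.com login fail
2015-05-13T02:01:14 203.0.113.7 alice@example.com login fail
2015-05-13T02:01:16 203.0.113.7 alice@example.com login fail
2015-05-13T02:01:18 203.0.113.7 alice@example.com login fail
2015-05-13T02:01:20 203.0.113.7 alice@example.com login ok
2015-05-13T02:05:00 203.0.113.7 alice@example.com reload ok
2015-05-13T02:07:00 203.0.113.7 alice@example.com reload ok
2015-05-13T02:09:00 203.0.113.7 alice@example.com reload ok
2015-05-13T03:00:00 198.51.100.9 bob@example.com login fail
2015-05-13T03:00:01 198.51.100.9 carol@example.com login ok
2015-05-13T03:00:02 198.51.100.9 dave@example.com login fail
2015-05-13T08:30:00 192.0.2.4 frank@example.com reload ok
"""
MAX_FAILS_PER_ACCOUNT = 5    # assumed: failed logins before an account should lock
MAX_ACCOUNTS_PER_SOURCE = 3  # assumed: one IP cycling through this many accounts looks like stuffing
MAX_NIGHT_RELOADS = 2        # assumed: more reloads than this within an hour, midnight to 6am, is abuse
NIGHT_HOURS = range(0, 6)

def parse_log(text):  # split each line into (time, ip, account, event, outcome)
    events = []
    for line in text.splitlines():
        ts, ip, account, event, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, event, outcome))
    return events

def burst(times, limit, window=timedelta(hours=1)):  # more than `limit` events in any one window?
    times = sorted(times)
    return any(times[i + limit] - times[i] <= window for i in range(len(times) - limit))

def detect(events):  # return the accounts and sources that trip each of the three checks
    fails = defaultdict(int)            # failed logins per account (brute force)
    accounts_per_ip = defaultdict(set)  # distinct accounts tried per source (credential stuffing)
    night_reloads = defaultdict(list)   # reload timestamps per account during night hours
    for ts, ip, account, event, outcome in events:
        if event == "login":
            accounts_per_ip[ip].add(account)
            if outcome == "fail":
                fails[account] += 1
        elif event == "reload" and ts.hour in NIGHT_HOURS:
            night_reloads[account].append(ts)
    return {
        "brute_force": sorted(a for a, n in fails.items() if n >= MAX_FAILS_PER_ACCOUNT),
        "stuffing": sorted(ip for ip, s in accounts_per_ip.items() if len(s) >= MAX_ACCOUNTS_PER_SOURCE),
        "reload_abuse": sorted(a for a, t in night_reloads.items() if burst(t, MAX_NIGHT_RELOADS)),
    }
```

Running `detect(parse_log(SAMPLE_LOG))` flags alice's account for both the failed-login count and the overnight reload burst, and flags 198.51.100.9 as a source trying several different accounts; the counters that feed the brute-force check are the same ones a per-account lockout would use.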


With that in mind, a possible option, more secure but not as convenient, is to do a manual reload via PayPal. You still have the convenience of reloading and paying with your mobile device; in this case, however, you tap the reload button, it takes you to the PayPal page where you log in using (hopefully) a different username and password, you accept the payment, and almost instantly your Starbucks account is topped up. This does require more steps, but if you have a password manager set up on your device, or one of the newer phones that scans your fingerprint, that second step to the PayPal website is almost seamless. It’s an extra step, but an extra step for extra security.


Everyone using the Starbucks app must keep in mind that any third-party app connected to your bank account and set to auto-reload has to be treated with the same security you apply to your online bank access. Some tips to stay more secure: don’t reuse usernames and passwords across multiple online accounts, and use non-dictionary passwords that combine uppercase, lowercase, numbers and special characters. Better yet, use a password manager like 1Password or LastPass to generate and save all of your passwords.

Everyone must also keep in mind that any third-party auto-reload system can be vulnerable to this type of attack, which leads one to conclude that auto-reload systems might not be quite ready for prime time.


If you want further information on what Starbucks has to say about this latest security breach, visit news.starbucks.com.


Starbucks App Hacked and It’s Your Fault: theDESK

thedigitalteacher
