This has not been widely covered yet, but there are reports that credit card hackers are targeting Starbucks gift card and mobile payment users around the country – and stealing from consumers’ credit cards — with a new scam so ingenious they don’t even need to know the account number of the card they are hacking. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. The crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear.
Experts from Lancope, STEALTHbits Technologies and HP Security Voltage provided the following comments.
Gavin Reid, VP of threat intelligence, Lancope (www.lancope.com):
“Nothing too new here – if you guess the username and password for an account that is backed by you bank bad things can and will follow. This highlights problems with using consumer cards & accounts that are backed up with either a high limit credit card or even worse the current checking account. Ideally vendors would make this form of compromise harder by using multi factor authentication and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss. This type of small amount theft can be automated reusing already exposed credentials. Consumers can protect themselves by setting hard to guess unique passwords.”
Jonathan Sander, strategy & research officer, STEALTHbits Technologies (www.stealthbits.com):
“If password hacks were a song, we would all not only be able to hum it but also sing the words. No one knows how the bad guys are stealing the Starbucks cards cash, but all guesses point to a bunch of weak passwords that are allowing hackers to game the auto-refill system. What can you do about it? Let’s all sing along now: change your Starbucks password, make sure the new password is unique and complex, and for goodness sake don’t use that same password on another site or service. Of course, we can’t all maintain awesome passwords everywhere. A word to the wise is that anywhere you have your credit card saved you should treat it like it’s a locker where you keep your wallet. What sort of combination would you put on your wallet locker lock?”
Brendan Rizzo, technical director, HP Security Voltage (www.voltage.com):
“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers. Criminals are always looking for a way to exploit a system in a way that they can then turn into cold, hard cash. In this case there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address. Criminals could then use this information or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks. Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”