Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Starbucks denies mobile app hack, blames careless customers

I like my online security prospects like my coffee: black and bitter

Starbucks has rebuffed claims that its mobile app has been hacked, in the wake of reports that scores of its US customers have suffered from credit card fraud.

The coffee chain’s US customers have been reporting the theft of hundreds of dollars from their credit cards, in a series of scams seemingly linked to auto top-ups on the Starbucks mobile app.

Victims commonly receive emails saying the passwords and login details for Starbucks’ mobile app had been reset before receiving notice of fraudulent transactions.

However, Starbucks denies its app has been hacked. In a statement, the coffee chain suggested the isolated reports of fraudulent activity on customers’ online accounts are down to password re-use or other lax security practices by its clients.

Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false.

Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions.

To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.

Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.

To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.

Reports that hackers were targeting Starbucks mobile users – stealing from linked credit cards without knowing account numbers – first surfaced this week. Bob Sullivan, journalist and consumer advocate, was the the first to report on the scam.

Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.

Criminals who obtain username and password credentials for Starbucks.com first drain a consumer’s stored value before siphoning off funds from their linked credit card.

Starbucks reportedly allows consumers to move balances from one gift card to another. Hackers can also cash out by using a hijacked account to buy gift cards. These can then be sent to an arbitrary email address which can be trivially registered – without secondary confirmation – from within hijacked Starbucks accounts.

In its statement, Starbucks said “customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected”, so those who have been left out of pocket will hopefully get their money back.

The apparent scam appears to be limited to the US. El Reg understands that Starbucks customers in Europe and elsewhere outside North America have not been affected.

Roy Tobin, a threat researcher at security software firm Webroot, recommended that consumers and businesses alike should re-examine their security practices.

"Credentials leaked in previous cyber-attacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers," Tobin said.

"The key security take-away from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly re-used by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services," he said.

For businesses, the use of two-factor authentication technology can help mitigate against this class of threat, according to Tobin.

"Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts," he added.

"Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used," he concluded. ®

 

Similar topics

Similar topics

Similar topics

TIP US OFF

Send us news


Other stories you might like