Is Starbucks Under Siege from Hackers?


05/18/2015
Reports surfaced last week that Starbucks customers have had their mobile payment accounts hacked by cyber criminals. The retailer currently denies the reports of a widespread hack and instead insists that responsibility for the thefts lies with the end users, not Starbucks.

The potential hack, first reported by NBC News, is a new, simpler way for cyber thieves to access valuable customer financial information. Starbucks' mobile payment system, along with many similar retailer offerings, is equipped with an auto-refill option. When an opted-in customer has used all of their allotted funds, their payment account is instantly reloaded from their debit or credit card.
Sophisticated cyber criminals are reportedly hacking app holders' accounts, emptying the available funds and, when the auto-refill kicks in, capturing the payment data. Starbucks denies that its system was hacked and instead points to customers' failure to choose unique passwords as the cause of the thefts.

"Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions," the retailer said in a released statement. "To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.

"Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information."

Multiple online forums are dedicated to Starbucks customers who feel they have fallen victim to cyber thieves, and while Starbucks is denying the existence of the hack, many in the cyber security industry are taking the reports of gift card and mobile payment app vulnerabilities very seriously.

"As retailers and emerging payment systems develop bank-like functionality (funds transfer, cards), they need to start thinking more like banks," J Wolfgang Goerlich, cyber security strategist at CBI, says. "Anti-fraud techniques such as behavior monitoring for unusual activity are a prime example. Another is offering consumer protections such as reimbursements (at this point, Starbucks defers consumers to work with PayPal or their credit card company). When transactions are into the billions, it is time for mobile payments to offer credit card equivalent security for consumers.

"The goal is to look at the functionality being developed and to identify ways it could be abused. With this in mind, security and privacy requirements can be defined. After Starbucks built their services, they could have performed scenario-based penetration tests to ensure the controls met the requirements, and the requirements prevent the threat. Given that gift card fraud is well known and that the controls in place are lacking, it is clear that Starbucks did not complete these steps as part of their development program."
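As an added illustration (not code from the article, from Starbucks or from CBI), the following Python sketches the kind of behavior monitoring Goerlich describes, applied to the drain-and-reload pattern reported above: it scans constructed transaction records and flags accounts whose auto-reloads cluster faster than a customer could plausibly spend. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Starbucks data).
# Each line: ISO timestamp, account id, event type, amount.
# acct-1001 shows the reported pattern: spend to zero, auto-reload, repeat.
SAMPLE_LOG = """\
2015-05-13T09:01:30 acct-1001 spend 24.50
2015-05-13T09:01:31 acct-1001 auto_reload 25.00
2015-05-13T09:02:05 acct-1001 spend 25.00
2015-05-13T09:02:06 acct-1001 auto_reload 25.00
2015-05-13T09:02:40 acct-1001 spend 25.00
2015-05-13T09:02:41 acct-1001 auto_reload 25.00
2015-05-13T08:15:00 acct-2002 spend 4.75
2015-05-13T17:40:00 acct-2002 spend 5.25
2015-05-13T17:40:01 acct-2002 auto_reload 25.00
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, account, event, amount) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, acct, event, amount = line.split()
        events.append((datetime.fromisoformat(ts), acct, event, float(amount)))
    return sorted(events)


def flag_reload_velocity(events, window=timedelta(minutes=10), max_reloads=2):
    """Return {account: reason} for accounts with more than max_reloads
    auto-reloads inside any sliding window of the given length.

    A real customer rarely drains a balance and triggers a reload several
    times within minutes; a script draining stolen credentials does.
    """
    reload_times = defaultdict(list)
    flags = {}
    for ts, acct, event, _ in events:
        if event != "auto_reload":
            continue
        reload_times[acct].append(ts)
        recent = [t for t in reload_times[acct] if ts - t <= window]
        if len(recent) > max_reloads:
            flags[acct] = f"{len(recent)} auto-reloads within {window}"
    return flags


def suspicious_accounts():
    """Run the velocity check over the constructed sample log."""
    return flag_reload_velocity(parse_log(SAMPLE_LOG))
```

The same counter can gate the reload itself: refusing the third reload in the window, and alerting the account holder, limits the loss to the amount already loaded rather than every reload the card will fund.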