Hackers have managed to find a new and clever way around increased bank security that allows them to drain a bank account through Starbucks gift cards and its mobile payment app. Hackers are able to gain access to customers’ Starbucks accounts and drain the value of their Starbucks cards, then use the auto-reload function to steal more money through credit and debit cards linked to the accounts.
Hackers are able to transfer funds stored on a Starbucks card to gift cards which they control. They are then able to change the amount that auto-reloads onto the original card once the balance hits zero and are able to steal money again and again.
In a new fraud trend, hackers are finding third-party payment system accounts and hacking them instead of directly going through bank accounts or credit cards. This is an easier way in for the attackers as they can use reward points and prepaid cards to their advantage rather than having to go through financial institutions. There are underground forums where hackers sell travel and hotel points for cash or swap them with others.
Bank security software is usually able to detect uncommon purchase patterns, but things like Starbucks auto-reload purchases don’t trigger the warnings. Your bank would likely be alerted to unusual activity if a large transaction in another country suddenly appeared on your account, but auto-reloading would only look suspicious if hackers took an unusually large sum of money.
There are around 16 million users of the Starbucks mobile payment system and the coffee retailer processed more than $2bn in transactions made with phones last year. Starbucks uses the app to increase customer loyalty as well as to reduce transaction fees on each order.
The attack on the Starbucks system works because customers link their credit and debit cards to gift cards on the payment app, and hackers who access a customer’s Starbucks account can easily move money to a gift card that the hacker controls. As well as moving value, hackers are sending themselves gift cards which can then be sold on in underground forums online.
A Starbucks spokeswoman has said “Our customers’ security is incredibly important to us and we take all these concerns seriously. Customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks.” The chain has, however, failed to reveal how widespread the attacks are.
According to an anonymous security expert, Starbucks has been trying to fight large attacks on its website in which hackers try a customer’s password from another site to see if it also allows access to their Starbucks account. Hackers can gain access to a password through stolen databases or phishing attacks. Once an attacker accesses a Starbucks account, draining the account balance and taking money from any linked cards is easy.
The auto-reload feature is offered by alternative payment systems in order to increase convenience for consumers. However, as hackers have found an easy and direct link from these accounts to consumers’ bank accounts, it would be wise to consider de-linking credit and debit cards from these accounts and manually reloading instead. Consumers usually aren’t liable for cash that is stolen through hacking methods such as those being targeted at Starbucks customers, but it can sometimes be difficult to claim money back. Some hacking victims have reported having to go between Starbucks and their bank several times in order to ascertain what has happened and receive a refund of their money, and stored value cards have fewer consumer protections than credit cards.
In their statement, Starbucks also said “We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers.”
The problem of hacking gift card accounts or using auto-reload features to steal money from customers isn’t confined to Starbucks, but because its customers have been hit so hard, Starbucks may want to look into making its mobile payment system more secure against this type of attack. Encouraging customers to change their account passwords frequently may prove inconvenient, but it will help to prevent easy access to the funds of those who use the same password on multiple sites.
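Because the bank sees only ordinary-looking reload charges, the sequence described above (balance moved to a card outside the account, auto-reload amount raised, reloads repeating) is only visible on the merchant side. The following is an added example, not code from Starbucks or from the original article, showing how a payment provider could correlate those events per account; the event schema, field names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window after a transfer
MIN_RELOADS = 2                 # assumed: this many reloads inside WINDOW is unusual

# Constructed sample events (timestamp, account, type, details); hypothetical schema.
EVENTS = [
    ("2024-01-01T09:00:00", "alice", "reload", {"amount": 25}),
    ("2024-01-01T12:02:00", "bob", "transfer", {"amount": 34, "dest_on_account": False}),
    ("2024-01-01T12:03:00", "bob", "autoreload_change", {"old": 25, "new": 100}),
    ("2024-01-01T12:04:00", "bob", "reload", {"amount": 100}),
    ("2024-01-01T12:05:00", "bob", "transfer", {"amount": 100, "dest_on_account": False}),
    ("2024-01-01T12:06:00", "bob", "reload", {"amount": 100}),
    ("2024-01-02T08:00:00", "carol", "autoreload_change", {"old": 10, "new": 25}),
    ("2024-01-02T08:30:00", "carol", "transfer", {"amount": 5, "dest_on_account": True}),
    ("2024-01-03T10:00:00", "dave", "transfer", {"amount": 20, "dest_on_account": False}),
]

def score_account(events):
    """Return the set of fraud signals for one account's time-ordered events."""
    signals = set()
    for i, (ts, kind, data) in enumerate(events):
        if kind != "transfer" or data["dest_on_account"]:
            continue
        # Look only at what happens in the WINDOW after value leaves the account.
        later = [(k, d) for t, k, d in events[i + 1:] if t - ts <= WINDOW]
        signals.add("transfer_to_external_card")
        if any(k == "autoreload_change" and d["new"] > d["old"] for k, d in later):
            signals.add("autoreload_raised_after_transfer")
        if sum(k == "reload" for k, _ in later) >= MIN_RELOADS:
            signals.add("repeated_reloads_after_transfer")
    return signals

def flag_accounts(raw_events, min_signals=2):
    """Group events by account and flag those showing at least min_signals signals."""
    by_account = defaultdict(list)
    for ts, account, kind, data in raw_events:
        by_account[account].append((datetime.fromisoformat(ts), kind, data))
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e[0])
        signals = score_account(evs)
        if len(signals) >= min_signals:
            flagged[account] = sorted(signals)
    return flagged
```

Requiring two signals keeps an ordinary gift to a friend (the constructed "dave" account) from being flagged, while the drain-and-reload loop on "bob" is caught even though each individual charge is small.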