
Starbucks customers' mobile accounts breached by thieves

Elizabeth Weise
USA TODAY
Starbucks logo is seen at one of the company's coffee shops in downtown Chicago.

SAN FRANCISCO -- Some Starbucks customers have had money siphoned out of their Starbucks mobile app by thieves using a clever new attack, but Starbucks itself hasn't been hacked, the company said Friday.

The attack, which first appeared this week, takes advantage of three things: consumers who use the same ID and password across multiple accounts, the Starbucks app's auto-load function, and the fact that Starbucks doesn't appear to limit the number of password attempts before it locks a customer out.

Any threat to its app could add up to big numbers. In 2014 Starbucks processed $2 billion in mobile payment transactions. Currently about 18% of its transactions are done on the company's app, Starbucks says.

'BRUTE FORCE'

It works like this: First, the thieves buy stolen passwords and IDs on the underground market.

They then use an automated program to try the stolen combinations one after another on the Starbucks mobile app until one works, according to application security firm Checkmarx. This is what's called a "brute force" attack. These programs can "process" hundreds of ID-password combinations a second.

Some sites limit the number of password attempts before locking the would-be user out, but Starbucks doesn't appear to do so on its app.

Next, when the criminals get into a victim's account, they add a new gift card.

They then transfer whatever money the victim had loaded onto their account onto the gift card, which the thieves control.

Using this technique, the thieves quickly steal all the money on a user's app by putting it onto the gift card.

If the user has set the app up to automatically reload from their credit card or PayPal account, the thieves can immediately steal again as soon as the app has more money in it, according to application security firm Checkmarx.

The thieves can use the cards to buy a nice iced caffè latte, or, more likely, resell them on the Internet "for face value or less, eventually turning those Starbucks dollars into real dollars," said Kevin Mahaffey, CTO of security firm Lookout.

Because they control the account, the thieves can also increase the auto-reload amount so they can steal more. The silver lining is that when a change is made, Starbucks sends an email or text note to the customer which can alert them to the attack.
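The two controls the article turns on, a cap on failed login attempts (which it says the Starbucks app lacked) and a notification whenever the auto-reload setting changes (which it says Starbucks sends), are easy to see in code. The following is an added example, not code from the article, Checkmarx or Starbucks: a small in-memory account service with a per-account lockout, a per-source rate limit, and a change notification. All class and function names, thresholds, and the sample scenario in `demo()` are constructed for illustration.

```python
"""Added example (not the article's or Starbucks's code): a toy account
service that enforces a failed-login limit and notifies on auto-reload changes.
Names, thresholds and sample data below are assumptions for illustration."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_FAILED_PER_ACCOUNT = 5       # assumed policy: lock after 5 wrong passwords
LOCKOUT_SECONDS = 15 * 60        # assumed lockout duration
MAX_ATTEMPTS_PER_SOURCE = 20     # assumed cap per source address per window
WINDOW_SECONDS = 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database is not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    auto_reload_amount: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0


class AccountService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable for testing
        self.accounts = {}
        self.source_attempts = defaultdict(deque)  # source -> attempt timestamps
        self.notifications = []                  # (user, message) sent to customer

    def register(self, user: str, password: str, auto_reload_amount: float = 0.0):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt),
                                      auto_reload_amount=auto_reload_amount)

    def _source_over_limit(self, source: str) -> bool:
        # Sliding window: a single source spraying many accounts gets throttled
        # even though no individual account reaches its lockout threshold.
        now = self.clock()
        q = self.source_attempts[source]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q) > MAX_ATTEMPTS_PER_SOURCE

    def login(self, user: str, password: str, source: str) -> str:
        now = self.clock()
        if self._source_over_limit(source):
            return "throttled"
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"            # same response as a wrong password
        if now < acct.locked_until:
            return "locked"             # even the right password is refused
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_PER_ACCOUNT:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.notifications.append((user, "account locked after repeated failed logins"))
            return "locked"
        return "invalid"

    def set_auto_reload(self, user: str, amount: float):
        # The article's "silver lining": every change produces a customer notice.
        acct = self.accounts[user]
        old, acct.auto_reload_amount = acct.auto_reload_amount, amount
        self.notifications.append((user, f"auto-reload changed from {old:.2f} to {amount:.2f}"))


def demo() -> dict:
    """Constructed scenario: repeated wrong passwords against one account,
    one source trying many accounts, then a legitimate auto-reload change."""
    t = [1000.0]
    svc = AccountService(clock=lambda: t[0])
    svc.register("alice", "correct horse battery staple", auto_reload_amount=25.0)
    results = [svc.login("alice", f"wrong{i}", "203.0.113.5") for i in range(6)]
    while_locked = svc.login("alice", "correct horse battery staple", "203.0.113.5")
    t[0] += LOCKOUT_SECONDS + 1                  # lockout expires
    after_lockout = svc.login("alice", "correct horse battery staple", "203.0.113.5")
    spray = [svc.login(f"user{i}", "x", "198.51.100.7") for i in range(25)]
    svc.set_auto_reload("alice", 100.0)
    return {"results": results, "while_locked": while_locked,
            "after_lockout": after_lockout, "spray": spray,
            "notifications": list(svc.notifications)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the scenario, the fifth wrong password locks the account and the correct password is refused until the lockout expires; the source that cycles through 25 different usernames is throttled after its 20th attempt; and both the lockout and the later auto-reload change leave a notification the customer can act on.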

The brute force method of attack is a common one because consumers so often use the same login name and password across multiple accounts, giving hackers a shot at multiple accounts with one theft, say experts.

Stealing a password, and then using it to steal money from an account, is different from the type of wide hacks other major retailers have suffered. In cases like Target and Home Depot, attackers actually breached the retailers' networks and stole consumer information.

That information is collected, packaged and sold on underground, online markets to the kinds of people who then monetize it by pulling money out of a Starbucks app.

Consumers not charged

Consumers whose Starbucks app accounts have been breached won't be charged.

"Customers are not responsible for charges or transfers they did not make and if a customer's card is registered, their account balance is protected. If a customer sees unauthorized activity on their account, we encourage them to contact us immediately," Starbucks said in an email to USA TODAY.

Online safety is only as strong as a user's choice of password, say experts.

"Nothing too new here – if you guess the username and password for an account that is backed by your bank, bad things can and will follow," said Gavin Reid, vice president of threat intelligence with the security company Lancope.

The moral for users?

"Change your Starbucks password, make sure the new password is unique and complex, and for goodness sake don't use that same password on another site or service," said Jonathan Sander, strategy and research officer, STEALTHbits Technologies.

Starbucks concurs. In its statement, the company said, "to protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information."

Similar attacks have been reported on other apps, including Uber, said Ken Westin, a security analyst with Tripwire.

"Hopefully this incident will push applications to reevaluate their payment systems security and add two-factor authentication and stronger security measures," Westin said.
