Credit card hackers looking for new ways to drain money from consumers' bank accounts and evade increased bank security measures have discovered a clever side door — the Starbucks mobile payment app and gift cards.
Criminals are hijacking consumers' coffee accounts, draining the stored value of their cards, and then using Starbucks' auto-reload function to hack consumers' associated debit and credit cards.
Maria Nistri, 48, said it happened to her last week. Early in the morning on May 6, criminals stole $34.77 in value that the Orlando, Fla., resident had loaded onto her Starbucks app by transferring it to a gift card they controlled. Immediately, her account was reloaded with $25 because her balance had hit zero. The criminals stole that, too. Then they upped the ante, changing her auto-reload amount to $75, and stealing the $75, all within seven minutes. Because an email had alerted her to a change in her account, she was able to see what was happening in real time, though unable to stop the transfers immediately.
"Fraud is moving away from banks into big e-commerce companies," she said. "Criminals are learning how to turn rewards programs, points and prepaid cards into cash." She pointed to underground forums where hackers swap and sell hotel and travel points for cash. Traditional bank and retailer fraud-fighting software typically detects unusual purchase patterns, such as an attempted purchase of jewelry in a foreign country. But unless the card hackers get greedy, auto-reload purchases at Starbucks don't trigger such warnings.
"It was crazy. I was like, 'What in the world?'" Nistri said. "I was lucky I happened to check my email when I did. Otherwise, who knows how much they would have gotten?" The scheme is part of a new fraud trend, said Gartner security analyst Avivah Litan: Credit card hackers are targeting third-party firms that create alternative payment systems and attacking them, finding they are often easier to hack than financial institutions.
The Starbucks mobile payment system is a raging success story with 16 million users. The company said it processed more than $2 billion in mobile transactions last year, and that 16 percent of purchases are made with phones. The app is important to Starbucks not just because it enhances customer loyalty. By moving consumers away from credit cards and onto mobile payments, the company also reduces its interchange transaction fees.
In a statement, Starbucks said it could not discuss an individual consumers' account, but did say it worked quickly to resolve Nistri's concerns. "We take the obligation to protect customers' information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers," said spokeswoman Maggie Jantzen. "Our customers' security is incredibly important to us and we take all these concerns seriously. … Customers are not responsible for charges or transfers they didn't make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks."
The company issued an additional statement on Wednesday, claiming that any reports that the mobile app itself has been hacked are "false." "Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account," the company said. "This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks." To protect their security, the company urged customers to use different user names and passwords for different sites, especially those that keep financial information.
A security expert familiar with the Starbucks attacks who requested anonymity said the company has been fighting off so-called brute-force attacks on its website. Such attacks are common at any large e-commerce site,and they work because many consumers unwisely use the same username and password across multiple sites. When hackers pilfer a large database of usernames and passwords from any site, they often run the list through large other sites, looking for "hits."
Starbucks victims could also be coughing up credentials to criminals through phishing attacks or other forms of social engineering. Essentially, once a criminal steals a Starbucks mobile or gift card user's login credential, stealing their account value is trivial. And if a debit or credit card is linked to the account, stealing from those cards is relatively easy, too.
Security experts say attacks like that on Nistri's account work because many Starbucks customers link their credit or debit cards to the gift cards that are loaded onto their mobile payment apps and because criminals who access victims' Starbucks.com accounts can easily move value from a consumer's gift card to a card they control.
It's unclear how common the attacks are—Starbucks has said they are not widespread—but complaints about lost Starbucks value and related credit-card fraud are easy to find on various forums devoted to the crime. Victims also report that criminals are hacking their accounts and sending themselves virtual gift cards that can be sold online in underground forums.
Auto reload is a convenient feature offered by many alternative payment systems, such as loyalty cards or mass transit cards used by commuters. Consumers worried about such hacks can choose to de-link their payment cards from their other loyalty or transit cards, and manually reload the cards with value. While generally consumers aren't liable for money stolen using the Starbucks method, stored value cards have weaker federal consumer protections than credit cards. And getting refunds isn't always easy. For example, some consumers report being bounced back and forth between Starbucks and their card-issuing bank.
Nistri said Starbucks was quick to give her a new gift card with $37.44 on it, but the $25 and $75 charges had been applied to her American Express card and it would be up to her to dispute them. "It is harmless outside of inconvenience," Nistri said. "But the potential of this crime is ridiculous. I'll never have auto-reload on anything again."
Such measures may seem extreme. But consumers who link credit cards to third-party firm apps, like the Starbucks mobile payment app, would be wise to treat their accounts with as much care as their online banking accounts, since criminals have discovered a direct route from one to the other.