SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
15 May 2015

Hackers target Starbucks gift cardholders

Credit card hackers looking for new ways to drain money from consumers' bank accounts and evade increased bank security measures have discovered a clever side door — the Starbucks mobile payment app and gift cards.

Criminals are hijacking consumers' coffee accounts, draining the stored value of their cards, and then using Starbucks' auto-reload function to hack consumers' associated debit and credit cards.

Maria Nistri, 48, said it happened to her last week. Early in the morning on May 6, criminals stole $34.77 in value that the Orlando, Fla., resident had loaded onto her Starbucks app by transferring it to a gift card they controlled. Immediately, her account was reloaded with $25 because her balance had hit zero. The criminals stole that, too. Then they upped the ante, changing her auto-reload amount to $75, and stealing the $75, all within seven minutes. Because an email had alerted her to a change in her account, she was able to see what was happening in real time, though unable to stop the transfers immediately.

"Fraud is moving away from banks into big e-commerce companies," she said. "Criminals are learning how to turn rewards programs, points and prepaid cards into cash." She pointed to underground forums where hackers swap and sell hotel and travel points for cash. Traditional bank and retailer fraud-fighting software typically detects unusual purchase patterns, such as an attempted purchase of jewelry in a foreign country. But unless the card hackers get greedy, auto-reload purchases at Starbucks don't trigger such warnings.
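Purchase-pattern checks miss this fraud because each auto-reload looks like a routine charge; the signal is the sequence of events inside the stored-value account. The following is an added example, not code from Starbucks or the original article. It flags the drain, reload, drain loop and the raised reload amount described above; the event names, the ten-minute window and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; the reported case took seven minutes

# Constructed sample log: (timestamp, account, event, amount). Not real data.
EVENTS = [
    ("2015-05-06T06:01:00", "acct-1", "transfer_out", 34.77),
    ("2015-05-06T06:02:00", "acct-1", "auto_reload", 25.00),
    ("2015-05-06T06:03:00", "acct-1", "transfer_out", 25.00),
    ("2015-05-06T06:05:00", "acct-1", "reload_amount_changed", 75.00),
    ("2015-05-06T06:06:00", "acct-1", "auto_reload", 75.00),
    ("2015-05-06T06:07:00", "acct-1", "transfer_out", 75.00),
    ("2015-05-06T08:00:00", "acct-2", "purchase", 4.95),      # benign: a purchase
    ("2015-05-06T08:00:30", "acct-2", "auto_reload", 25.00),  # triggers one reload
]

def detect_reload_drain(events, window=WINDOW):
    """Return {account: sorted reasons} for accounts matching the drain pattern."""
    by_account = {}
    for ts, acct, kind, _amount in sorted(events):  # ISO timestamps sort by time
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), kind))

    alerts = {}
    for acct, evs in by_account.items():
        reasons = set()
        for i, (t0, kind0) in enumerate(evs):
            # Event kinds that follow this one inside the time window.
            kinds = [k for t, k in evs[i + 1:] if t - t0 <= window]
            if "auto_reload" not in kinds:
                continue
            after_reload = kinds[kinds.index("auto_reload") + 1:]
            if "transfer_out" not in after_reload:
                continue  # reload was not followed by value leaving the account
            if kind0 == "transfer_out":
                reasons.add("drain-reload-drain")
            elif kind0 == "reload_amount_changed":
                reasons.add("reload-amount-raised-then-drained")
        if reasons:
            alerts[acct] = sorted(reasons)
    return alerts

if __name__ == "__main__":
    for account, why in detect_reload_drain(EVENTS).items():
        print(account, why)
```

An ordinary purchase followed by a single reload, as on `acct-2`, raises no alert because no balance transfer follows the reload.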

"It was crazy. I was like, 'What in the world?'" Nistri said. "I was lucky I happened to check my email when I did. Otherwise, who knows how much they would have gotten?" The scheme is part of a new fraud trend, said Gartner security analyst Avivah Litan: Credit card hackers are targeting third-party firms that create alternative payment systems and attacking them, finding they are often easier to hack than financial institutions.

The Starbucks mobile payment system is a raging success story with 16 million users. The company said it processed more than $2 billion in mobile transactions last year, and that 16 percent of purchases are made with phones. The app is important to Starbucks not just because it enhances customer loyalty. By moving consumers away from credit cards and onto mobile payments, the company also reduces its interchange transaction fees.

In a statement, Starbucks said it could not discuss an individual consumer's account, but did say it worked quickly to resolve Nistri's concerns. "We take the obligation to protect customers' information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers," said spokeswoman Maggie Jantzen. "Our customers' security is incredibly important to us and we take all these concerns seriously. … Customers are not responsible for charges or transfers they didn't make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks."

The company issued an additional statement on Wednesday, claiming that any reports that the mobile app itself has been hacked are "false." "Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account," the company said. "This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks." To protect their security, the company urged customers to use different user names and passwords for different sites, especially those that keep financial information.

A security expert familiar with the Starbucks attacks who requested anonymity said the company has been fighting off so-called brute-force attacks on its website. Such attacks are common at any large e-commerce site, and they work because many consumers unwisely use the same username and password across multiple sites. When hackers pilfer a large database of usernames and passwords from any site, they often run the list through other large sites, looking for "hits."

Starbucks victims could also be coughing up credentials to criminals through phishing attacks or other forms of social engineering. Essentially, once a criminal steals a Starbucks mobile or gift card user's login credential, stealing their account value is trivial. And if a debit or credit card is linked to the account, stealing from those cards is relatively easy, too.

Security experts say attacks like that on Nistri's account work because many Starbucks customers link their credit or debit cards to the gift cards that are loaded onto their mobile payment apps and because criminals who access victims' Starbucks.com accounts can easily move value from a consumer's gift card to a card they control.

It's unclear how common the attacks are—Starbucks has said they are not widespread—but complaints about lost Starbucks value and related credit-card fraud are easy to find on various forums devoted to the crime. Victims also report that criminals are hacking their accounts and sending themselves virtual gift cards that can be sold online in underground forums.

Auto reload is a convenient feature offered by many alternative payment systems, such as loyalty cards or mass transit cards used by commuters. Consumers worried about such hacks can choose to de-link their payment cards from their other loyalty or transit cards, and manually reload the cards with value. While generally consumers aren't liable for money stolen using the Starbucks method, stored value cards have weaker federal consumer protections than credit cards. And getting refunds isn't always easy. For example, some consumers report being bounced back and forth between Starbucks and their card-issuing bank.

Nistri said Starbucks was quick to give her a new gift card with $37.44 on it, but the $25 and $75 charges had been applied to her American Express card and it would be up to her to dispute them. "It is harmless outside of inconvenience," Nistri said. "But the potential of this crime is ridiculous. I'll never have auto-reload on anything again."

Such measures may seem extreme. But consumers who link credit cards to third-party firm apps, like the Starbucks mobile payment app, would be wise to treat their accounts with as much care as their online banking accounts, since criminals have discovered a direct route from one to the other.

Tags: hackers, fraud
Source: CNBC