Euro Security Watch with Mathew J. Schwartz

Starbucks: Coffee and a Fresh Password Caffeine Addicts Fall Prey to Their Own Weak Security
Starbucks: Coffee and a Fresh Password

Caffeine junkies are up in arms over fraud reports pertaining to criminals taking over and draining their Starbucks accounts (see Fraudsters Drain Starbucks Accounts).

See Also: How to Mitigate Credential Theft by Securing Active Directory

Such accounts can be linked to Starbucks cards that can be swiped at the point of sale, as well as to a Starbucks mobile app, to pay for purchases. But the coffee chain says that some people who have picked weak passwords are seeing attackers guess those passwords, then take control of their account. Based on online postings made by victims, attackers appear to be using their account balances to buy Starbucks gift cards.

It's not clear if these types of attacks scale, or if it's just pocket change for small-time fraudsters. 

Beyond the possibility that caffeine-deprived hackers are simple seeking a free fix, why bother taking over Starbucks accounts? Because fraudsters, at the point of sale, can use the compromised accounts to buy gift cards, which they can then sell on eBay, some security experts say. Based on recent auction results, in fact, for-sale Starbucks gift cards - of course it's impossible to tell if they have been procured via legitimate means - appear to be fetching almost their full face value.

Still, it's not clear if these types of attacks scale, or if it's just pocket change for small-time fraudsters.

Starbucks: It's Not 'Hacking'

Regardless, Starbucks has been careful to deny reports that its mobile app has been hacked, and claims in a statement issued this week that attackers are gaining access to accounts by guessing people's passwords. "Starbucks takes the obligation to protect customers' information seriously. News reports that the Starbucks mobile app has been hacked are false," it says.

If Starbucks is taking information security seriously, however, why isn't it using multi-factor authentication to secure access to Starbucks accounts? Adding SMS codes or tapping smartphone-based two-step-authentication software such as Google Authenticator would likely eliminate these types of takeover attacks. And on online forums such as Starbucks' Facebook page, customers report that such attacks have been taking place since at least January 2014.

Starbucks accounts are big business for the coffeehouse chain, which has devoted significant effort to designing related loyalty programs that entice customers to keep coming back. Thus, the coffee chain has a vested interest in ensuring that people continue to use Starbucks cards and the mobile app to pay for their coffee. Last year, mobile app payments amounted to $2 billion, Starbucks says.

"Hacking" reports threaten that cash flow. In the wake of account-takeover warnings, some customers have said they deleted their Starbucks mobile app and have switched back to using cash. Still, it's likely that few of the caffeine-addled masses will go that far.

Passwords: Don't Be Stupid

Furthermore, it's arguably not necessary - although there are some steps that Starbucks account users should take. First, many consumer analysts have recommended that customers immediately deactivate "auto-refill" on their accounts, if it's currently activated, so that attackers can't abuse it. Attackers who hacked their way into people's accounts were reportedly stealing hundreds of dollars by draining the account balance to fill gift cards, waiting for the balance to auto-refill via a linked payment card, and then repeating the process.

Second, customers need to pick strong passwords, and never reuse them on different sites. We, as a society, remain all too stupid about passwords. The easiest and quickest way to get smart about passwords is to use password management software, which will pick and "remember" passwords for you.

"Pretty much anything that can be remembered can be cracked," warns security expert Bruce Schneier. Hence his recommendation: "Use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager ... to create and store them."

In the wake of the Starbucks account takeover warnings, the coffee retailer - in its statement - urged customers to create passwords "made up of long phrases or sentences that mix capital and lowercase letters, numbers, and symbols," as well as to always use "different passwords for different sites, especially those that keep financial information." It also recommends users change their passwords often, though Schneier says that aside from corporate log-ins, that is rarely necessary.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network