Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)

Fraudsters Drain Starbucks Accounts

Report: Attackers Target Loyalty Card, Mobile App Users
Fraudsters Drain Starbucks Accounts

When it comes to getting a coffee fix, beware automatic refills.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

That's one takeaway from warnings that fraudsters have been successfully exploiting some U.S. and Canadian consumers who use a Starbucks card or the Starbucks mobile payments app to successfully drain hundreds of dollars from their Starbucks accounts. That abuse appears to be enabled, in part, by users who have chosen weak passwords for their accounts, and who also have enabled the auto-refill feature that allows a linked credit card to automatically add funds to their Starbucks account when the balance drops below a preset level.

Investigative reporter Bob Sullivan was the first to break the story of the scam targeting people with Starbucks loyalty accounts who use a Starbucks card or mobile app that's tied to that account to pay at the point of sale.

Security experts say that attackers appear to be guessing weak passwords associated with Starbucks accounts (see Why Are We So Stupid About Passwords?). From there, according to attack reports, fraudsters can change the email addresses and passwords for those accounts and transfer funds to another account.

As Sullivan reports, before funds can be transferred from a Starbucks card, a verification code gets sent to the email associated with the account for the user to approve the transfer. Hence by changing the email address associated with the account, attackers can authorize these transfers.

To date, it's not clear what happens to the balances that end up in attacker-controlled accounts, although numerous victims have reported in online forums that attackers appear to be using the funds to load up physical gift cards, as well as to fund digital-only electronic gift cards. Security experts say attackers can likely thus monetize their Starbucks account-hacking attacks and related fraud by then selling these gift cards for a fraction of their value via black-market forums.

Widespread Fraud Reports

Reports of related attacks are widespread on the Starbucks Facebook page, and date back for months. "Same thing just happened to us today!!!! - ios account for rewards card - account id and email changed, automatic payment set up, $100 charged to card. spam emails sent to hide the notifications from starbucks," one customer posted in December 2014.

Starbucks did not immediately respond to a request for comment. But the company has disputed that this attack centers on its mobile app. "What you're describing is not connected to mobile payment - linking the two is inaccurate," spokeswoman Maggie Jantzen told Sullivan in a statement. "We take the obligation to protect customers' information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers. For obvious reasons, we are unable to discuss specific security measures. Our customers' security is incredibly important to us and we take all these concerns seriously."

Jantzen also said that customers would not be responsible for any "charges or transfers they didn't make," and encouraged customers to follow information security best practices, "such as using different user name/passwords for different sites and changing their passwords often."

Timely Attacks

Numerous customers have reported that many related attacks have been launched when the Starbucks customer-service center is not staffed, to make it more difficult for customers to shut down related attacks. "My account just got hacked an hour ago. Saturday evening," one customer reported in March. "My app is still accessible but the email associated with my card is now - don't know how to change it or my password. Starbucks call center is closed till tomorrow."

Some customers have also claimed that Starbucks would not reimburse the drained accounts - or gift cards - and said they were told to file fraud reports with their card issuers instead.

Criminal Interest

That fraudsters are gunning for the Starbucks card and mobile app users should surprise no one, given the amount of money that it now handles. Indeed, by all estimates, the Starbucks mobile app - which ties into the caffeine-selling juggernaut's loyalty program - has been wildly successful. Starbucks reports that in 2014, $2 billion in payments had been handled via its mobile app.

On an earnings call in October 2014, Starbuck's chief digital officer Adam Brotman said that 12 million people were using its mobile app. On the same call, CEO Howard Schultz reported that "16 percent of all transactions conducted in U.S. Starbucks stores occur via customers use of a mobile device" - a figure that was growing 50 percent annually - and that nearly 7 million transactions per week were happening via a mobile device.

Based on iTunes reviews, the app - which also works with Apple Watch - appears to be quite popular, rating on average four out of five stars, with many users reporting that they have enabled auto top-ups.

"This is one of my favorite apps," a customer with the handle "PDXJavaJunkie" says in a review. "My favorite features are the integration with Passbook which allows your payment card to appear on your lock screen whenever you arrive at Starbucks, the Starbucks card management and auto-reload option, and as of recently the ability to place your order for store pickup."

But as related attacks show, some types of payment convenience may carry security risks.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.