A string of hacked Starbucks app accounts came as an unwelcome surprise to customers looking to enjoy their coffee.
This week a number of cases were reported in which hackers managed to use reloadable gift cards purchased via the Starbucks mobile payment app to gain access to Starbucks accounts linked to users’ credit cards.
Customers across the U.S. were surprised to see their accounts drained. Starbucks denied allegations that the mobile app had been hacked, adding that the company is constantly monitoring for fraudulent activity. At the same time, Starbucks announced that customers who suffered the hacking attack are not held responsible for charges or transfers not made by them.
What are the possible scenarios under which the hackers operated?
First, they made use of low-security passwords. Starbucks reward cards are linked to the coffee-payment app, which in turn is linked to bank accounts, credit cards and PayPal accounts. Hacking into someone’s Starbucks app, especially one protected by a ridiculously weak password, paves the way for hacking into all other accounts.
The auto-reload function is the easiest means of draining hundreds of dollars in only minutes. Customers are advised to disable the function both in the Starbucks app and for gift cards.
Last year alone, Starbucks received 2 billion dollars in mobile payments, so the potential for this crime to escalate is quite high. One in six transactions is made via the Starbucks app.
The method is not new. Hackers are known to obtain bundles of username and password combinations, just as they easily obtain card account numbers. When they try these often-reused credentials on the Starbucks website, it is only a matter of time until at least a number of them prove successful in unlocking accounts.
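An added example (not part of the original article, and not Starbucks' code): a defender-side check that spots this pattern in login logs, where one source tries many different accounts and most attempts fail. The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (format, addresses and accounts are invented).
SAMPLE_LOG = """\
2015-05-13T10:00:01Z ip=203.0.113.7 user=ann@example.com result=FAIL
2015-05-13T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2015-05-13T10:00:03Z ip=203.0.113.7 user=cat@example.com result=FAIL
2015-05-13T10:00:04Z ip=203.0.113.7 user=dan@example.com result=OK
2015-05-13T10:00:05Z ip=203.0.113.7 user=eve@example.com result=FAIL
2015-05-13T10:00:06Z ip=203.0.113.7 user=fay@example.com result=FAIL
2015-05-13T10:02:10Z ip=198.51.100.20 user=gus@example.com result=FAIL
2015-05-13T10:02:25Z ip=198.51.100.20 user=gus@example.com result=FAIL
2015-05-13T10:02:41Z ip=198.51.100.20 user=gus@example.com result=OK
2015-05-13T10:05:00Z ip=192.0.2.44 user=hal@example.com result=OK
"""

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Yield (ip, user, ok) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3) == "OK"

def find_stuffing(log_text, min_users=5, min_fail_ratio=0.7):
    """Return {source ip: accounts it logged in to} for suspicious sources.

    Suspicious means many distinct accounts tried and mostly failures, which
    separates list replay from one user retrying a forgotten password.
    """
    users, hits = defaultdict(set), defaultdict(set)
    total, fails = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        total[ip] += 1
        if ok:
            hits[ip].add(user)   # account to review: reset password, check reloads
        else:
            fails[ip] += 1
    return {ip: sorted(hits[ip]) for ip in users
            if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(ip, "tried many accounts; successful logins to review:", accounts)
```

The accounts returned for a flagged source are the ones where a reused password worked, so they are the first candidates for a forced password reset and a review of recent reloads and transfers.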
Credentials can also be stolen through email phishing or keylogging programs. For users to protect themselves from drained accounts, it is vital that such information is not shared in any way or kept on online media. At the same time, it is important to know that any link via third parties is potentially vulnerable.
Fraud is shifting to big eCommerce exactly on vulnerability and third-party grounds. Such businesses are easier to hack than banks and provide more user information and pathways into the system.
Therefore, keep safe: disable auto-reload, master password composition and never share credentials if you want your accounts to be protected.