About a week and a half ago I received two e-mails, one from PayPal and one from Starbucks, letting me know that I had reloaded my Starbucks card with not one, but two $75 payments. That was a surprise to me, as I had not reloaded my card. When I logged into my account, the card the money had been loaded onto had been removed from the account, and I was out $150. I thought it was just a random isolated incident, but it looks like this is the latest way hackers have been stealing money from unsuspecting customers.
Journalist Bob Sullivan was the first to talk about this on his blog:
“Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.
The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.”
It looks like this is definitely not an isolated incident, as a quick Twitter search reveals many people have had money stolen.
By now Starbucks has been made aware of the problem, but it actually denies that its app has been hacked:
“Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false.
Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.
Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”
Paul Martini, CEO and co-founder of security firm iboss, makes a very good point about the whole auto-reload system:
“This line of argument is so common now – it’s basically playing with words. Whether the app is literally hacked or not, it’s completely ridiculous. The design itself is flawed. Auto-reload should happen at the register. The second part issue is: why can people reload and drain a card within ten minutes?”
It seems that Starbucks should be able to flag this type of activity on an account and hold the funds until they contact you. After all, why would anyone load a card up and then remove it from their account right away?
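To make the kind of flag this paragraph asks for concrete, here is an added example (written for this post; it is not code Starbucks runs and says nothing about how their monitoring actually works). It applies two simple rules to a constructed stream of account events: a burst of reloads inside a short window, and a reload followed by the card being removed from the account. The event kinds, the sample accounts and the ten-minute window (taken from Martini's "within ten minutes" remark above) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    kind: str          # "reload", "card_removed" or "purchase" (assumed event types)
    amount: float      # dollars; 0 for card_removed
    ts: datetime


# Constructed sample event stream (not real Starbucks data). Account "alice"
# mirrors the pattern in the post: two $75 reloads a few minutes apart, then
# the card is removed from the account. Account "bob" is ordinary use.
SAMPLE_EVENTS = [
    Event("alice", "reload", 75.0, datetime(2015, 5, 12, 12, 0)),
    Event("alice", "reload", 75.0, datetime(2015, 5, 12, 12, 3)),
    Event("alice", "card_removed", 0.0, datetime(2015, 5, 12, 12, 5)),
    Event("bob", "reload", 25.0, datetime(2015, 5, 12, 9, 0)),
    Event("bob", "purchase", 4.50, datetime(2015, 5, 12, 9, 10)),
    Event("bob", "reload", 25.0, datetime(2015, 5, 13, 9, 0)),
]


def flag_suspicious(events, window=timedelta(minutes=10), max_reloads=1):
    """Return {account: {"reasons": [...], "hold_amount": dollars}} for every
    account whose activity matches either rule inside `window`:
      1. more than `max_reloads` reloads (a reload burst), or
      2. a reload followed by the card being removed from the account.
    hold_amount is the total reloaded inside the flagged windows, i.e. what a
    fraud team would hold back until the customer has been contacted.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        reloads = [e for e in evs if e.kind == "reload"]
        reasons, held = [], set()

        for r in reloads:
            end = r.ts + window
            # Rule 1: count reloads that land inside the window opened by this reload.
            burst = [x for x in reloads if r.ts <= x.ts <= end]
            if len(burst) > max_reloads:
                reasons.append(f"{len(burst)} reloads within {window} starting {r.ts:%H:%M}")
                held.update(burst)
            # Rule 2: the loaded card disappears from the account shortly after the reload.
            removed = [x for x in evs if x.kind == "card_removed" and r.ts <= x.ts <= end]
            if removed:
                reasons.append(f"card removed {removed[0].ts - r.ts} after a ${r.amount:.2f} reload")
                held.add(r)

        if reasons:
            flagged[account] = {
                "reasons": reasons,
                "hold_amount": round(sum(h.amount for h in held), 2),
            }
    return flagged


if __name__ == "__main__":
    for account, verdict in flag_suspicious(SAMPLE_EVENTS).items():
        print(account, f"hold ${verdict['hold_amount']:.2f}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

Run as a script it flags "alice" with $150 on hold and leaves "bob" alone. In practice the window and reload limit would be tuned against normal customer behaviour, since a genuine customer who tops up twice before a long drive should not have funds frozen; the point is that the combination "reload, then the card vanishes" is cheap to detect at the time it happens.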
As with anything like this, if you are affected, be sure to change the username and password for your Starbucks account; after this happened to me, it was the first thing that I did.
Luckily, in my case I was able to work with both Starbucks and PayPal to get the $150 refunded.