Technology is a double-edged sword; if it is not used properly, it may cause problems. The lives of Starbucks lovers were made easier by a mobile app that allows payment for coffee or food at the Starbucks checkout counter from a mobile device, but that app has also exposed customers to attacks that could cost them a lot.
The Starbucks mobile app lets its users reload the virtual Starbucks card with funds from a bank account, credit card or PayPal account. It is here that the ever-looming security threat to online transactions became a reality. According to reports, hackers have managed to exploit the Starbucks mobile app to direct funds to their own accounts using the credit cards, bank accounts and PayPal accounts of Starbucks customers in the US.
How the Hackers Intervened
According to Checkmarx, the hackers broke into the online accounts of a few Starbucks customers who pay at the checkout using the app. After gaining access to the Starbucks app account, the attackers add a new gift card and transfer funds to one of their own accounts.
This process is repeated for every new reload of the original card. Victims have confirmed receiving alert messages (from their PayPal accounts) about their card being refilled with some amount of money.
Victims also claim to have received an email from Starbucks stating that a new gift card was added to their account. Everything happens so quickly that by the time the victim realizes something is wrong, hundreds of dollars have already been transferred to the hacker’s account.
No Security Measures from Starbucks
The hacking of Starbucks customer accounts and fraudulent use of the gift card reload feature has been happening since December last year. It started with a few cases, and now many people, as well as Starbucks itself, are aware of this threat.
Financial institutions such as PayPal and banks have received many customer complaints linked to the Starbucks mobile app. Starbucks has not yet adopted any security measures to resolve the problem. However, the company has been helping customers get stolen funds reimbursed and has assured them that they will be.
Starbucks has said that the hacking issue may have occurred because customers use weak passwords or passwords that they already use for their other online accounts. The company has asked all customers to use unique, strong passwords to avoid such security lapses. Another security precaution that customers can take on their own is to deactivate the auto-reload option for their Starbucks app account.
Need for Two-step Verification Process
The reported cases of Starbucks mobile app hacking have proved that the Seattle-based company doesn’t ask for enough verification from customers when directly withdrawing funds from their linked credit cards or bank accounts.
When someone logs into the app from a different device, no verification takes place. Starbucks needs a two-step verification process in which customers receive a message on their mobile phone when a new device is used to log into the Starbucks app.
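The control described above, sketched as an added example (not Starbucks or Checkmarx code): logins from a device the account has never verified require a second step, and the gift-card and transfer actions reported by victims are held until that step passes. The event schema, device names, timestamps and the one-hour reload window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

RELOAD_WINDOW = timedelta(hours=1)            # assumed link window: drain -> auto-reload
SENSITIVE = {"gift_card_added", "balance_transfer"}

def review(events, verified_devices):
    """Return (logins needing a second factor, actions to hold) for one account."""
    known = set(verified_devices)
    pending = set()           # devices that logged in but never passed step 2
    last_hold = None          # time of the most recent held action
    step_up, held = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, dev, ts = ev["type"], ev.get("device"), ev["ts"]
        if kind == "login" and dev not in known:
            pending.add(dev)
            step_up.append(ev)                # send the code to the phone on file
        elif kind == "second_factor_ok":
            known.add(dev)
            pending.discard(dev)
        elif kind in SENSITIVE and dev in pending:
            held.append(ev)
            last_hold = ts
        elif kind == "auto_reload" and last_hold and ts - last_hold <= RELOAD_WINDOW:
            held.append(ev)                   # reload triggered by a held drain
    return step_up, held

def _ev(minutes, kind, device=None):
    # Constructed sample events; the schema is hypothetical.
    return {"ts": datetime(2000, 1, 1, 9, 0) + timedelta(minutes=minutes),
            "type": kind, "device": device}

SAMPLE = [
    _ev(0, "login", "phone-A"),
    _ev(5, "gift_card_added", "phone-A"),     # owner's own device: allowed
    _ev(120, "login", "device-X"),            # never seen before
    _ev(121, "gift_card_added", "device-X"),
    _ev(122, "balance_transfer", "device-X"),
    _ev(123, "auto_reload"),                  # server-side, no device
]

if __name__ == "__main__":
    step_up, held = review(SAMPLE, {"phone-A"})
    print("step-up required:", [e["device"] for e in step_up])
    print("held:", [e["type"] for e in held])
```

Once the new device passes the second step, the same actions from it are no longer held, so a customer who really did change phones is delayed only once.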
Do you still trust the Starbucks mobile payment system? Perhaps Starbucks should allow iPhone users to pay directly with Apple Pay rather than only allowing Apple Pay as a source for reloading the funds in the Starbucks app.