

Egor Homakov’s receipt allegedly showing his value creation hack worked. Click for his website.

A computer security researcher says he recently found a way to hack Starbucks’ gift card system and add value to a gift card essentially for free.  Starbucks has not yet responded to my questions about the attack, but the researcher says the bug he exploited has been fixed.

Computer security consultant Egor Homakov, who conducts penetration tests under the brand name, said on his website he was able to turn $15 worth of Starbucks cards into $20 during a proof of concept experiment. That kind of value creation is the holy grail for criminals who attack money systems, with the implied potential of creating infinite value out of thin air. Practically speaking, that’s not possible, but you can imagine the value of such a hack to a computer criminal with evil intentions. Fortunately, theft wasn’t Homakov’s motivation.  (Unlike the credit card criminals I wrote about recently who target Starbucks accounts with linked credit or debit cards. )

Homakov says he was able to exploit a common class of bug known as a “race condition” to trick Starbucks’ system into letting him transfer the same $5 in value onto a second card twice, leaving him with a $15 card and a $5 card.  He did it by initiating transfers from separate web browsers at essentially the same time, confusing Starbucks’ systems.

Race condition attacks rely on a failure of computers to properly handle instructions that occur in very close time sequence.  If instructions are not handled in the right order, serious problems can occur. For example: if funds are credited to a new account before they are deleted from an old account, it can be possible to transfer the same funds twice.
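The check-then-act race described above, as an added example that is not Starbucks’ code: a toy gift-card ledger whose vulnerable transfer reads the balance, credits the destination, then debits from the stale read, driven in lockstep to reproduce the two-browser interleaving; beside it, the locked transfer that closes the hole and a reconciliation audit that flags created value. Card names and balances are constructed for the demo.

```python
# Added example (not Starbucks' code): a toy gift-card ledger showing the
# check-then-act race the article describes, and the locked version that
# closes it. Card ids and balances below are constructed for the demo.
import threading


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)             # card id -> whole-dollar balance
        self.lock = threading.Lock()
        self.issued = sum(self.balances.values())  # value the system actually holds

    def total(self):
        return sum(self.balances.values())

    def audit(self):
        """Reconciliation check a defender can run: the sum of all card
        balances must equal the value ever issued. A mismatch means value
        was created (or destroyed) by a bug or an attack."""
        return self.total() == self.issued

    def transfer_steps(self, src, dst, amount):
        """VULNERABLE transfer, written as a generator so two copies can be
        interleaved step by step. The balance is read once, the destination
        is credited, and the source is written back from the stale read."""
        available = self.balances[src]            # step 1: check
        yield "checked"
        if available < amount:
            return
        self.balances[dst] += amount              # step 2: credit destination
        yield "credited"
        self.balances[src] = available - amount   # step 3: debit using stale value
        yield "debited"

    def transfer_atomic(self, src, dst, amount):
        """FIXED transfer: check, debit and credit happen under one lock, so
        no other transfer can observe the balance between them. In a real
        system the same effect comes from a DB transaction with row locking
        or a conditional UPDATE ... WHERE balance >= amount."""
        with self.lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def run_interleaved(ledger, src, dst, amount):
    """Drive two vulnerable transfers in lockstep (both check, both credit,
    both debit): the 'two browsers at the same time' interleaving."""
    t1 = ledger.transfer_steps(src, dst, amount)
    t2 = ledger.transfer_steps(src, dst, amount)
    for step in (t1, t2, t1, t2, t1, t2):
        next(step, None)
    return ledger.total()


def run_concurrent_fixed(ledger, src, dst, amount):
    """Run two fixed transfers on real threads; returns how many succeeded.
    Whatever the scheduling, exactly one can win when the source holds
    only `amount`, and the ledger total never changes."""
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(
            ledger.transfer_atomic(src, dst, amount)))
        for _ in range(2)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)


if __name__ == "__main__":
    # Constructed scenario: card A holds $5, card B holds $10 ($15 in total).
    bad = Ledger({"A": 5, "B": 10})
    print("vulnerable: total after race =", run_interleaved(bad, "A", "B", 5),
          "audit ok?", bad.audit())                   # 20, False: $5 was duplicated
    good = Ledger({"A": 5, "B": 10})
    print("fixed: transfers succeeded =", run_concurrent_fixed(good, "A", "B", 5),
          "total =", good.total(), "audit ok?", good.audit())  # 1, 15, True
```

The interleaved run turns $15 into $20, the same figures Homakov reported, while the audit immediately reports the mismatch; the locked version lets exactly one of the two transfers through.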

Homakov, who is from Russia but is now based in San Francisco, then purchased several items from Starbucks to prove his technique worked.

“$15 in, $16.70 out. The concept is proven and now let’s deposit $10 from our credit card to make sure the US justice system will not put us in jail over $1.70,” he wrote on his blog. 

Then he set about trying to “responsibly” disclose the problem to Starbucks. Homakov found dealing with the firm challenging, however.  It took weeks to get the company’s attention, and when he did, he did not receive the kind of gratitude that security researchers often get when they point out technical flaws for free.

“Support guy honestly answered there’s absolutely no way to get in touch with technical department and he’s sorry I feel this way,” he wrote. “Emailing on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days. The unpleasant part is a guy from Starbucks calling me with nothing like ‘thanks’ but mentioning “fraud” and “malicious actions” instead.”

In a brief email interview with me, Homakov described his interactions with Starbucks.

“E-mails from them are usually ‘call me.’ It was a phone call where that guy mentioned the ‘fraud’ word. It wasn’t a threat, I guess, but it was definitely unexpected and unpleasant,” he said.

(Homakov also explained to me that he rounded out the values in his explanation on his website; he was actually able to create a roughly $7 “double spend,” leaving him with cards equaling $22.40 in value. He changed the numbers to simplify the explanation.)

The rapid success of Starbucks mobile pay and gift card system has helped make it a target, as my recent report on credit card hackers and their successful attacks showed. And last year, a researcher discovered that the Starbucks app was storing passwords in plain text.

While Starbucks did not answer my questions about the hack, it issued a statement to the BBC.

“After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication,” the firm said, according to the BBC.

It’s important to note that Starbucks said last year that it didn’t know of a single customer who had been a victim of the password issue; and we don’t know of anyone who’s been victimized by this value creation attack.  The risk to consumers here is probably very, very low. The news does suggest Starbucks is struggling with security issues and growing pains as it creates what might be considered an alternative money system.   The massive point of sale outage last month — which led to Starbucks handing out free coffees around the country for several hours — also paints a picture of a firm struggling with technical issues.

The real risk for consumers, however, comes from trusting Starbucks with your credit or debit card. Those who link their payment accounts to their Starbucks app — a behavior Starbucks encourages with rewards and free drinks — should realize their bank accounts are now only protected by their Starbucks username and passwords. And by Starbucks security.

Sign up for Bob Sullivan’s free email newsletter. 


The website’s mobile home page

One of the Internet’s largest adult dating websites has suffered a major data breach, with up to 4 million members impacted, according to U.K. news station Channel 4, which broke the story today. Victims face potential embarrassment or other serious repercussions in addition to the usual potential for identity theft. The site’s parent firm, FriendFinder Networks Inc., confirmed to the BBC that it had been hacked and said it is working with law enforcement agencies and computer security forensics firm Mandiant. The firm said it would be unable to confirm other details at the moment.

Leaked data includes sexual preferences; users share sensitive sexual information when they sign up, and whether or not they are open to an extramarital affair, Channel 4 said. Even consumers who’d closed their accounts were caught up in the leak. So were at least some British government officials and members of the British Army, though the site did not elaborate.

AdultFriendFinder advertises itself aggressively online. Its Google search results promise users can “Find a F### buddy for online sex, adult dating, and one night stands.”

Channel 4 said it found the data — contained in 15 spreadsheets — as part of broader research into the “dark web,” where stolen data is bought and sold.



Wikimedia Commons (click for original)

Rents are increasing in most parts of the country. That normally nudges apartment dwellers into the housing market — as rents rise, so do reasons to buy a home — but that doesn’t seem to be happening in today’s topsy-turvy housing market.

Instead, many renters are swallowing the increases and staying put, suggests new research by Freddie Mac.

“We’ve found that rising rents do not appear to be playing a significant role in motivating renters to buy a home,” said David Brickman, EVP of Freddie Mac Multifamily. “This contradicts what some in the housing market think as they expect more renters ought to be actively looking to purchase a home. We believe rising rents are primarily a sign of increased demand rather than a signal that home purchases will be increasing.”

There’s a simple answer, of course. House prices are rising in many areas, too, tilting the rent / buy equation back towards renting.  According to Zillow, the break-even point at which buying saves money over renting has actually stretched from 1.5 years to 1.9 years in the future, on average.  In places like California, it can take five years to profit from buying over renting.

But since all housing is local, the “should I buy?” question is complex right now.

Rents rose 3.6 percent in 2014 and are expected to rise 3.4 percent above inflation this year. Rents are up even more in cities like Seattle, Charlotte, Portland, and Denver. It’s clear landlords have the upper hand in many places, creating tremendous future cost uncertainty for renters.

Some 38 percent of renters said they’d experienced an increase in the past two years.  Many in this rent-raised group would like to buy a home, but 70 percent told Freddie Mac they can’t afford it, and 51 percent said they’d put off plans to buy a home. In fact, a substantial number of renters are headed the other direction: 28 percent said they were considering or had already begun living with a roommate; the same number said they “need” to move into a smaller rental.

Since Freddie Mac did a similar survey last August, positive attitudes towards renting have even ticked upwards, despite the rent increases.  In the most recent poll, 72 percent agreed with the statement that renting provides “protection against declines in home prices,” compared to 66 percent last year.  And 80 percent like that renting offered “flexibility over where you live,” compared to 68 percent last year. That’s important for young people — anyone, really — who sees very little long-term security in their job.

Renting continues to be an appealing choice to young adults who might otherwise be entering the housing market, which tells part of the story about the up-and-down housing recovery.  The mixed bag of data reports continued this week. New housing starts surged in April to their highest level in seven years, a hopeful sign for those cheering on higher housing prices. Meanwhile, existing home sales sank — in part because of rising prices and shrinking inventories. Stories of renewed local bidding wars and prices selling above list price can be spotted from Boston to Seattle.

High prices, of course, are bad for renters and other first-time homebuyers. More than one-third of U.S. households now rent their homes, and renters account for all net new household growth over the last several years, says Freddie Mac.

“From a purely affordability standpoint, renters who have saved enough to make a 10% down payment are better off buying in the majority of markets across the country,” said Daren Blomquist, vice president at RealtyTrac. “(But) keep in mind that in some markets buying may be more affordable than renting, but that doesn’t mean buying is truly affordable by traditional standards… In those markets renters are stuck behind a rock and hard place when it comes to deciding whether to try to buy or continue renting.”

The chief thing keeping renters in their apartments? That’s obvious, says mortgage broker and housing expert Logan Mohtashami.

“Main street America simply doesn’t have the income,” he says.

Keep your eye on the rent / buy issue as we move forward in the recovery.  Last year, the National Association of Realtors said first-time buyers represented only 33 percent of the market, a three-decades-long low. It’s possible we’re seeing some kind of fundamental shift in the way young adults set up households.

For more on why renters do or don’t become buyers, here’s an interesting paper on the New York Fed’s website.






The disparity is as dramatic as any you’re likely to see in a public opinion survey.  Nine out of 10 Americans say it’s important to control the information collected about them and who can see it, but fewer than 1 in 10 Americans are confident that either the government or corporations can provide that control.  And in fact, consumers seem to feel there isn’t much they can do for themselves, either: 91 percent had not made any changes to their internet or cell phone use to avoid having their activities tracked or noticed.

The results, published in a new Pew Research Center report this week, create a “cloud of personal data insecurity,” Pew says.

“In the almost two years that have passed since the initial Snowden revelations, the public has been awash in news stories detailing security breaches at major retailers, health insurance companies and financial institutions. These events and the doubts they have inspired have contributed to a cloud of personal ‘data insecurity’ that now looms over many Americans’ daily decisions and activities,” said Mary Madden, a senior researcher at Pew Research Center. “Many find these developments deeply troubling and want limits put in place, while some do not feel these issues affect them personally.”

Other findings from the study:

  • Only 9% of Americans say they feel they have “a lot” of control over how much information is collected about them and how it is used, while 38% say they have “some control.”
  • Just 6% of adults say they are “very confident” that government agencies can keep their records private and secure, while another 25% say they are “somewhat confident.” Only 6% of respondents say they are “very confident” that landline telephone companies will be able to protect their data and 25% say they are “somewhat confident” that the records of their activities will remain private and secure.  Credit card companies appear to instill a marginally higher level of confidence; 9% say they are “very confident” and 29% say they are “somewhat confident” that their data will stay private and secure.
  • Those who are more aware of the government surveillance efforts are considerably more likely to believe there are not adequate safeguards in place; 74% of those who have heard “a lot” about the programs say that there are not adequate limits, compared with 62% who have heard only “a little” about the monitoring programs.
  • More than half — 55% of Americans — support the idea of online anonymity for certain activities, but many are undecided on the issue. Another 16% do not think people should be able to remain anonymous when they are online, and 27% said they “don’t know.”  Education is a predictor of desire for anonymity, however.  Adults with at least some college education are significantly more likely than those who have not attended college to believe that people should have the ability to use the internet anonymously (66% vs. 40%).
  • Consumers want limits on how long data that’s collected can be retained: 50% of adults think that online advertisers who place ads on the websites they visit should not save records or archives of their activity for any length of time; 44% feel that the online video sites they use shouldn’t retain records of their activity; 40% think that their search engine providers shouldn’t retain information about their activity.





Take a break. A real break. (Bob Sullivan)

The summer vacation season begins this weekend — by tradition, anyway — as millions of you head out for Memorial Day fun.  Regular readers of this space know that I think the classic American vacation season is under assault, thanks to a dastardly combination of a tough economy and always-on gadgets.  (Americans get less vacation than workers in almost any developed nation, yet they don’t even use the paltry vacation allowances they receive).

Now there’s fresh evidence that the notion of getting away from it all is in serious trouble. It arrived in my inbox this week in the form of a survey conducted by Citi for its credit cards.  About half of those surveyed said they are more likely to choose weekend trips over long holidays than they were five years ago.  So: Long trips out, weekend trips in. (“Frequent” weekend trips, Citi stressed to me.)

A recipe for the restlessness I’m writing about in The Restless Project. 

There can be plenty of reasons for this, some good, some bad.  One could argue that a summer full of three-day weekends is better than a two-week trip to Wherever National Park.  I suspect that’s not what’s happening here, however.  I suspect many workers feel they couldn’t possibly leave their cubicles for more than 7 days at a time. Heck, it’s easy to find workers asking each other online, “Does your boss allow you to take more than one week’s vacation at a time?”

Other factors contribute, too.  Now that dual income households are standard, scheduling vacations can be a nightmare.  Getting two bosses to agree to two weeks — and having those weeks line up with summer camp or travel team schedules — can seem almost an impossibility.

Shorter trips can be cheaper, of course — let’s just assume folks don’t travel as far away when going away for the weekend.  I also imagine folks who don’t really disconnect from office technology (nearly everyone) also somehow feel better knowing they aren’t that far from home, in case they are summoned back by some pseudo crisis.

There is more data to suggest vacations are shrinking. The U.S. Travel Association told Crain’s Chicago not long ago that back in 1975, the average vacation lasted more than a week. By 1985, the average vacation had shrunk to 5.4 days, and by 2010, according to the group’s latest data, the average stood at 3.8 days. (Crain’s Chicago)

Eh, who cares about data? There’s plenty of data showing how important real breaks are to the mind and body, but many people (and companies) are pretty much just ignoring it.

But you don’t have to! Make this the summer you finally plan a real getaway. There’s still time! And as you’ll see in a story I’ll post later, this summer will be a great year to take a road trip, thanks to lower gas prices.  I’m already planning mine. Don’t settle for weekend trips where you don’t even bother to unpack your luggage.  It’s Memorial Day, for heck’s sake. Take a real break.



FTC infographic explains how it worked.

Whenever a story like this pops up, I think about how these things make life so much harder for folks trying to raise money for legitimate charities. Stealing money is bad enough, but hurting cancer research and the work of other charities is a special kind of evil.

The Federal Trade Commission and all 50 state attorneys general filed one of the largest charity fraud cases ever on Tuesday.  The law enforcement agencies allege that four “sham” cancer charities — Cancer Fund of America, Inc., Cancer Support Services Inc., Children’s Cancer Fund of America Inc., and Breast Cancer Society Inc. —  bilked more than $187 million from consumers.  Fundraisers kept up to 85 cents on the dollar from the funds raised, the FTC alleges.

The defendants told donors their money would help cancer patients, including children and women suffering from breast cancer, but the overwhelming majority of donations benefited only the perpetrators, their families and friends, and fundraisers, the FTC alleges.

For a lot more perspective on the allegations, visit the Tampa Bay Tribune, which has an amazing ongoing series called “America’s Worst Charities.”  Cancer Fund of America ranked #2 on the paper’s worst 50 list.

Under proposed settlement orders, Children’s Cancer Fund of America Inc. and Breast Cancer Society Inc. will be dissolved.  Litigation will continue against the other two firms and executive James Reynolds Sr.

“At every turn, the individuals behind this scheme put themselves and their money ahead of the cancer patients they claimed to help,” Attorney General DeWine said. “Using cancer patients as a stepping stone to build a personal fortune is just terrible. It’s also a reminder that just because a charity sounds well-meaning doesn’t mean that it is.”

Here’s a bit more from the FTC:

“According to the complaint, the defendants used telemarketing calls, direct mail, websites, and materials distributed by the Combined Federal Campaign, which raises money from federal employees for non-profit organizations, to portray themselves as legitimate charities with substantial programs that provided direct support to cancer patients in the United States, such as providing patients with pain medication, transportation to chemotherapy, and hospice care. In fact, the complaint alleges that these claims were deceptive and that the charities “operated as personal fiefdoms characterized by rampant nepotism, flagrant conflicts of interest, and excessive insider compensation, with none of the financial and governance controls that any bona fide charity would have adopted,” the FTC said.

“According to the complaint, the defendants used the organizations for lucrative employment for family members and friends, and spent consumer donations on cars, trips, luxury cruises, college tuition, gym memberships, jet ski outings, sporting event and concert tickets, and dating site memberships. They hired professional fundraisers who often received 85 percent or more of every donation.”




These two questions popped up when I tried to change the email address on a Starbucks account today. The firm didn’t answer questions about them (composite image).

Ryan Benharris had $200 stolen from his debit card after his Starbucks account was hijacked recently, but that’s not why he was furious at the firm.  He was angry about what happened next.

Ryan Benharris is angry at Starbucks

“I had to beg and plead to get my money back,” he said. “They lied to me…I’m an attorney, and it took me four hours on the phone and six weeks to get a refund.”

As Benharris and a pile of other victims have contacted me with stories of frustration, it appears Starbucks has made a change to its website in light of disclosures last week that criminals were attacking customers and stealing money from their Starbucks-linked bank accounts. More on the change in a moment.

Benharris’ tale of frustration is typical of victims who contacted me after the initial story detailing the attack on Starbucks’ mobile app and gift card users. His account, with $14 in stored value, was hijacked in January, and hackers sucked two $100 payments from his checking account debit card onto his Starbucks app, and then off the app to a gift card they controlled.  He called Starbucks within minutes of the crime, yet he feels he didn’t get satisfaction from the firm until after he sent a letter detailing that the firm was in violation of Massachusetts’ unfair and deceptive business practices law.  Starbucks had initially sent him a new $14 gift card without incident, but getting the $200 back was another matter.

“I called four times and had four different conversations.  The first time, they told me that (the refund) was uploaded to my card. That was a lie. The second time, they told me a check was in the mail. That was a lie. The third time they said they had no record of my calling them,” he said.  “There is definitely a problem of record-keeping there.”

Starbucks did not respond to questions about Benharris’ situation.

Read the original Starbucks attack report 

Ultimately, Benharris said Starbucks deposited $200 into his checking account and sent him a $100 gift card for his trouble, but he vowed never to set foot in the coffee shop chain again.

“I was pretty shocked when it became clear to me that they were just lying to me on the phone about checks being mailed and money being re-loaded back into my bank account. It’s just stupid,” he said.

Roberts’ refund was no doubt complicated because his bank had canceled and re-issued his debit card. Issuing refunds during a fraud outbreak can be complex. Another victim, Shelly Gupta, shared records with me showing that Starbucks had refunded the $100 stolen from her credit card, but her credit card bank had also issued a $100 credit. The bank then reversed its credit.

“I was able to get through to Starbucks, and the (customer service agent) didn’t seem too bothered or surprised,” Gupta said.

It’s an oft-repeated myth that victims of traditional credit card hacks aren’t really victims at all.  While it’s true that consumers who notice fraudulent charges almost never end up paying for them, there can be hassles aplenty.  Stopping and restarting automatic payments can take an hour or two, and the potential to forget a payment, leading to a late fee, is high.

What makes the Starbucks attack a bit more perilous for consumers is it can involve two payment entities — the coffee giant, and a card-issuing bank.  Were consumers merely losing the value of a gift card in the attack, that would hardly be alarming. After all, losing unregistered gift cards – and thereby losing their value – seems a bigger problem than gift card hacking.  The real issue here is an attack on a $9 gift card can lead to several hundred-dollar thefts from consumers’ credit or debit cards.

Some consumers report they have been bounced between Starbucks and their bank, with each entity telling consumers to ask for refunds from the other. Banks’ response to the incident has been mixed. Some force consumers to close their accounts and send re-issued cards.  But because hackers can steal from Starbucks-linked accounts without knowing the credit or debit card number, it appears the payment account isn’t actually compromised, and that step probably isn’t necessary.

It’s also unclear which federal protections apply to hacked Starbucks transactions.  Starbucks gift cards and its app are considered stored value cards, which do not have the same strong federal protections as credit cards.  But when a credit card is hacked via a Starbucks account, which rule applies?

Because Starbucks says it is issuing refunds to all impacted consumers, that distinction might prove to be purely academic.  It’s important to note that Starbucks users must report the theft in order to get a refund, however.  Frequent Starbucks app users might miss small fraudulent charges and fail to request a refund.  Or, they may decide not to bother with the hassle, fears Benharris.

“I’d like to see the amount of money they’ve made off of thefts that they were successfully able to frustrate the victim into not bothering to ask for his money back again. I’d bet it’s fairly alarming,” he said.

Merchants don’t usually profit from incidents like this: they usually lose money. Not only are they forced to issue refunds, but banks hit firms with “chargeback” fees that can range up to $100 per incident, though it’s normally less.

Starbucks has responded to the incident by asserting that its mobile app has not been hacked, and blamed the problem on poor passwords. During the weekend, I wrote a piece arguing that blaming the victim is both unfair and not a sound security practice, as is fighting over the definition of the word “hack.”  A few victims I’ve spoken to say they use strong passwords.  One victim who said his card had been hit for four $50 refills said their password was randomly generated and 15 characters long. As I mention in the weekend piece, consumers are often mistaken about their password management skills, but corporations aren’t always transparent about their security practices, either.

Starbucks recently suffered a nationwide outage to its point of sale systems, requiring many stores to give out free coffee while the problem was being fixed. Starbucks issued a statement blaming the outage on “internal failure during a daily system refresh,” and said explicitly it had not been hacked.  Starbucks is in the middle of a major upgrade to its point of sale terminals, and such mistakes do happen.

Last week, Starbucks asserted that the mobile app / gift card attack had no connection to the system outage.  It’s easy to imagine Starbucks customer service operators have been overwhelmed recently, as one person who claimed to be a Starbucks employee told me in a private email.

That person recommended, as I do, that consumers de-link their credit/debit cards from their Starbucks app, and manually reload their accounts.  He or she also said Starbucks’ systems sometimes have trouble identifying hacked consumers when they call – as Benharris experienced — and recommended concerned users write down their Starbucks gift card number manually, since that number can most readily identify consumers in Starbucks’ system.  That sounds like a reasonable step to take.

Meanwhile, users who attempted to change their login information at were presented with two questions on Monday that appeared to be new.  First: “Can you still access email at your previous address?” and second, “Why are you changing your email address today? To stay organized/to avoid spam/for security reasons/other.”

Starbucks didn’t respond to questions about the change. One possible reason for it: Starbucks is considering an added layer of security that wouldn’t allow users to change their email address to a new one without receiving and confirming a verification code sent to the old address. That would thwart one of the attack paths hackers are currently exploiting, preventing them from updating a user’s email address and intercepting verification codes for balance transfers.   Before making that change, it’s possible Starbucks wants to know how many legitimate users would be frustrated by the added step because they couldn’t access the old email, a common verification headache.
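The safeguard described above (an email change that only takes effect after a one-time code sent to the old address is confirmed), as an added illustration that is not Starbucks’ code. The `AccountService` class, its in-memory outbox standing in for an email gateway, and the 15-minute code lifetime are all assumptions made for the example.

```python
# Added example (not Starbucks' code): an e-mail change that takes effect
# only after a one-time code delivered to the OLD address is confirmed, so a
# stolen password alone cannot redirect transfer codes to a new mailbox.
# The outbox list and the 15-minute lifetime are constructed for the demo.
import hmac
import secrets
import time


class AccountService:
    CODE_TTL_SECONDS = 15 * 60          # assumed lifetime of a confirmation code

    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so tests can fake the time
        self.emails = {}                # user id -> confirmed login e-mail
        self.pending = {}               # user id -> (new_email, code, expires_at)
        self.outbox = []                # (recipient, message) pairs "sent"

    def register(self, user, email):
        self.emails[user] = email

    def request_email_change(self, user, new_email):
        """Start a change. The code goes to the address on file, not the
        requested one; that is the whole point of the safeguard."""
        code = secrets.token_urlsafe(16)             # unguessable, single use
        expires_at = self.clock() + self.CODE_TTL_SECONDS
        self.pending[user] = (new_email, code, expires_at)
        self.outbox.append((self.emails[user], f"confirm e-mail change: {code}"))
        return True

    def confirm_email_change(self, user, code):
        """Apply the change only for a fresh, matching code. Any failure
        discards the pending request, so a code cannot be retried at will."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        new_email, expected, expires_at = entry
        if self.clock() > expires_at:
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False                             # constant-time comparison
        self.emails[user] = new_email
        return True

    def send_transfer_code(self, user):
        """Balance-transfer codes always go to the confirmed address, so an
        unconfirmed change never diverts them. Returns the recipient."""
        code = secrets.token_hex(3)
        self.outbox.append((self.emails[user], f"transfer code: {code}"))
        return self.emails[user]


if __name__ == "__main__":
    svc = AccountService()
    svc.register("u1", "owner@example.com")
    svc.request_email_change("u1", "somewhere-else@example.com")
    print("code was sent to:", svc.outbox[-1][0])            # owner@example.com
    print("transfer code goes to:", svc.send_transfer_code("u1"))  # still the owner
    print("bad code accepted?", svc.confirm_email_change("u1", "guess"))  # False
```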


VIDEO: Click to watch my appearance on Monday’s TODAY

Headlines during the weekend screamed that a hacker had taken control of a commercial airliner and been able to make it move “sideways” in flight.  There’s a lot to unpack about this story, but let me get out a few points quickly.

1) There is no evidence that a hacker altered the flight of a plane. Instead, the FBI says a hacker told them he was able to briefly take control of a plane.  These things are very, very different. What we have is a single sentence in an affidavit filed in support of a search warrant in which the FBI claims a well-known avionics security researcher named Chris Roberts claims he was able to issue a command to an airplane engine and make a plane move sideways.  We don’t have the flight date or number; we don’t have any other evidence to support the assertion.  We don’t even know what it means to make a plane “move sideways.” It’s important to note: the burden of proof for assertions in an affidavit to obtain a search warrant is quite low. The FBI had already seized Roberts’ computer and a series of flash drives that were encrypted, and it wanted the right to keep the equipment and examine it for evidence.  An agent asking a judge to sign such an order will throw the whole kitchen sink into the affidavit.

2) This might be hacker-speak. There is a long history of hackers — or for that matter, anyone trying to call attention to a serious problem that’s not getting the attention it deserves — engaging in hyperbole or puffery.  If you read the FBI affidavit, you get the sense that Roberts’ conversation with the agents interviewing him might have gone something like this:  “Yes, I’ve managed to break into the in-flight entertainment system and from there, jump networks and eventually access avionics controls. Why don’t you folks listen?  I’ve done it 15 or 20 times!  Heck, I once issued a command to an engine!  I’m not going to say I was flying the plane, but did I make the thing move sideways a bit?  Well, I proved my point, anyway.” Roberts isn’t giving interviews, but before he stopped talking, he did tell Wired’s Kim Zetter that his comments to the FBI were taken out of context. 

“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said.

3) He’s not crazy, though. The energy being used to investigate Roberts might be better used researching the attacks he’s calling attention to.  The GAO issued a report to Congress just a few weeks ago ringing the alarm bell about increased interconnectivity of airplane avionics systems and the risks that poses. Let’s be clear: Roberts has been very public about his research, and he volunteered all this information to the FBI during discussions in February and March. He was stopped for questioning, and his computers seized, after a flight to a security conference in April. The timeline is important. The claim of moving a plane sideways (and what does that mean, anyway? Planes don’t go sideways), is months old, and references a flight that is perhaps much older than that.  If he really altered the flight of a plane, there’d probably be other evidence of that by now.

4) Not to be overlooked, hacking an airplane full of people is flat-out wrong, even with the best of intentions. Back to the timeline.  The FBI says Roberts spoke to them, shared all this information about his ability to hack airplanes, and then a month later Tweeted about possibly hacking into an airplane before a flight in April to a security conference.  When he landed, the FBI says, agents found that the in-flight entertainment computer (“seat electronic box”) located under his seat showed evidence of physical tampering.  If that’s true, Roberts had better have a good lawyer. (He does: The Electronic Frontier Foundation is representing him now.)  Nobody I know would support that kind of research.  But please remember: these are merely allegations made in an FBI affidavit. They aren’t even allegations made in an indictment.  Roberts told Zetter the Tweets, which might have been an ill-advised poke at airline security, were a joke. And he had told Zetter in the past that he had only attacked avionics using a simulator.  So let’s not jump to any conclusions. (Really, to best understand this story, read her entire Wired piece.)

Unless you are a security researcher, the bottom line for you, dear airline passenger: You need not be afraid that someone can hack the movie screen on the seat next to you and take control of the aircraft. That is, as Carl Sagan might have said, an extraordinary claim that requires extraordinary evidence, and we don’t even have basic evidence. So don’t worry about your flight today.  Some day, there will be something to worry about.  Is that 10 years in the future or next month?  I cannot say.

What do you have to worry about today?  If I were getting on an airplane during the next week or so, I’d be pretty careful about stray cables hanging needlessly out of my carry-on bag, and I’d make sure I didn’t do anything that might look like I was trying to fiddle with the “seat electronic box” under my seat.   And I might worry about in-flight entertainment systems being disabled some day soon so FAA and airline researchers can examine Roberts’ research more carefully.

Sign up for Bob Sullivan’s free email newsletter. 


VIDEO: I appeared on the TODAY show to talk about the Starbucks issue.

Since I broke news of the Starbucks mobile pay / gift card / credit card attack last Monday, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on.  I’ve been talking to victims of the Starbucks fraud all week, and I’ll have a lot more detail on what’s really happening soon, but for now, I want to clarify a few important issues that keep cropping up: bad passwords, what “hacked” means, what mobile has to do with it, and why victims are “sharing” accounts with criminals.

Starbucks told media outlets around the world all last week that it hadn’t been hacked and blamed the situation on consumers with bad passwords. The firm also repeated many times that the attack has nothing to do with its mobile app. In its first response to my initial inquiries, Starbucks told me the attack is “not connected to mobile payment.” Later, when the firm issued a statement, the first paragraph of that statement read, “News reports that the Starbucks mobile app has been hacked are false.” (Note, I never wrote that the Starbucks mobile app had been hacked, though as you’ll see in a moment, I’m not a fan of the semantics being deployed here.)

Taken collectively, these positions are meant to create the impression that there’s nothing wrong with the way Starbucks is processing payments, and in fact, some journalists declared that to be the case. Fortune magazine wrote “Starbucks says its popular mobile app has not been hacked, contradicting multiple media reports that intruders have hijacked the accounts of hundreds of the coffee chain’s customers…” Starbucks actually never denied that intruders had hijacked consumers’ accounts, and anyone can find victims complaining about just that with a few moments’ work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.

So let me try to clarify a few of these issues.

Blaming the victim (passwords)

It’s true that the attack begins with criminals managing to hijack consumers’ Starbucks accounts by somehow obtaining their username/password combination.  As every firm that uses this most rudimentary authentication tool knows, a large percentage of those accounts will always be pretty hackable.  People re-use passwords and they use common passwords.  They even respond to phishing attacks and divulge their login information.   But many years ago, financial institutions stopped blaming customers for this, since that doesn’t solve the problem.  

Also, federal law prevents it. The Federal Reserve has ruled that even if customers give a hacker their online banking passwords, financial institutions can’t hold them liable. Here’s the relevant opinion: “Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E,” a decade-old Fed opinion concludes. “Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”

Blaming the victim is bad form, anyway.

What do banks do instead of blaming the victim? They take matters out of consumers’ hands and use back-end software to spot fraudulent transactions and stop them.  That’s why, even if you are tricked by a hacker into coughing up your Big Giant Bank login credentials, it’s unlikely that a $2,000 wire transfer to Romania will be approved.

Certainly, Starbucks has some back-end tools in place — I don’t know, because the firm isn’t answering questions about its security. But so many victims have come forward to show me repeated debits with obvious criminal patterns — changed login information followed by rapid-fire withdrawals — it’s obvious Starbucks isn’t doing a great job of spotting suspicious transactions and stopping them in progress.  Why would that be?  One obvious guess: Dialing up the fraud-spotting software would also lead to false positives, which would inconvenience some consumers as they tried to add value to their Starbucks cards. It’s a tough balancing act, but consumers who see their credit or debit cards hacked via their Starbucks account don’t want to hear about balancing acts.
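The pattern described above (a changed login followed by rapid-fire withdrawals) is exactly the kind of signal a back-end rule can catch. The following is an added illustration, not Starbucks’ code or anything the company has described: it runs a simple velocity rule over a constructed activity log with hypothetical account names, event kinds, dollar amounts and thresholds, and flags any account where a credential change is followed inside a short window by several debits.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kinds used in the constructed log. A credential change followed by
# debits is the tell the article describes.
CREDENTIAL_CHANGES = {"email_change", "password_change"}
DEBITS = {"reload", "transfer_out"}


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str
    amount: float = 0.0


def parse_log(text):
    """Parse constructed log lines of the form
    '<ISO timestamp> <account> <event kind> [<amount>]' into Event objects."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        amount = float(parts[3]) if len(parts) > 3 else 0.0
        events.append(Event(parts[1], datetime.fromisoformat(parts[0]), parts[2], amount))
    return events


# Constructed sample activity (hypothetical accounts, not real customer data).
SAMPLE_LOG = """\
2015-05-11T01:58:00 acct-a login
2015-05-11T02:00:10 acct-a email_change
2015-05-11T02:00:40 acct-a password_change
2015-05-11T02:03:00 acct-a reload 25.00
2015-05-11T02:05:00 acct-a transfer_out 25.00
2015-05-11T02:07:00 acct-a reload 25.00
2015-05-11T02:08:00 acct-a transfer_out 25.00
2015-05-11T08:15:00 acct-b login
2015-05-11T08:16:00 acct-b reload 10.00
2015-05-11T09:00:00 acct-c email_change
2015-05-12T09:30:00 acct-c reload 10.00
"""


def find_rapid_drains(events, window=timedelta(minutes=30), max_debits=2, max_total=50.0):
    """Flag accounts where a credential change is followed, within `window`,
    by at least `max_debits` debits or by debits totalling at least `max_total`.
    Thresholds are illustrative. Returns
    {account: {"after": kind, "debits": n, "total": amount}}."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.kind not in CREDENTIAL_CHANGES:
                continue
            # Debits that follow this credential change inside the window.
            debits = [d for d in evs[i + 1:]
                      if d.kind in DEBITS and d.ts - e.ts <= window]
            total = sum(d.amount for d in debits)
            if len(debits) >= max_debits or total >= max_total:
                flagged[account] = {"after": e.kind, "debits": len(debits),
                                    "total": round(total, 2)}
                break  # one finding per account is enough to hold its transactions
    return flagged


if __name__ == "__main__":
    for account, finding in find_rapid_drains(parse_log(SAMPLE_LOG)).items():
        print(account, finding)
```

With the default thresholds only acct-a is flagged: four debits totalling $100 within eight minutes of an e-mail change. The balancing act the article mentions shows up as soon as the rule is loosened: widening the window to two days and lowering the debit count to one also flags acct-c, a customer who changed an e-mail address and reloaded $10 the next day, which is the false positive that would inconvenience an honest user.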

There’s also this troubling element: I’ve spoken to consumers who swear they didn’t reuse their Starbucks login information, and that their Starbucks passwords were complex, and they’ve been hacked, too. Of course, consumers often “misremember” such things, and are notoriously unreliable when making claims about their security choices. But then, so are corporations under scrutiny.

Maria Nistri and several other consumers I’ve spoken with haven’t been happy that A) Starbucks hasn’t been able to stop fraudulent transactions even when they are reported within a few minutes and B) Starbucks’ toll-free fraud hotline doesn’t open for business until 8 a.m. Eastern time.  It seems unfair to blame consumers for bad passwords and then not answer the phone when they call to report fraud.

Has Starbucks been hacked? Wrong question

The word “hack” is always problematic in any news report involving a computer crime.  Security folks hate its use, because to them, hacking merely means tinkering. Using a computer as an aid when stealing money is another thing entirely. Unfortunately, hacking is a really convenient shorthand term that readers have come to understand, and it’s fallen into common use.

So we arrive at the confusion over Starbucks’ statement that its mobile app has not been hacked, which is not inaccurate.  To be precise: As far as I know, the crime I have described here doesn’t involve a criminal using some kind of advanced technique to intercept data from the Starbucks mobile app, or any similar hacking technique that compromises the integrity of the Starbucks app itself (other researchers have discovered flaws in the app, but this is not that).   Instead, criminals have figured out a rather old-fashioned way to drain value off of Starbucks gift cards — loaded onto the Starbucks app or not — and onto cards they control. This gives them the ability to steal from consumers’ debit and credit cards using a Starbucks account as a relay of sorts.  Consumers are very likely to experience this as their Starbucks app being “hacked.”  I used the word “attack” instead. But really, does it matter? Starbucks consumers are being hacked, after all, and that’s what matters.

Mobile pay vs. gift card

Starbucks’ rather ingenious and simple app is really just an electronic representation of its gift cards, and this simplicity is part of the reason the coffee giant now operates the most popular mobile wallet payment system in the U.S., dwarfing Apple Pay. That makes Starbucks mobile pay incredibly important to the firm.  Perhaps that’s why the main point Starbucks made to me in its initial statement was “what you’re describing is not connected to mobile payment – linking the two is inaccurate.”  You could argue that this attack really targets Starbucks gift cards and not the app, but I disagree.  The line between the Starbucks app and Starbucks gift cards is entirely blurry; they are basically one and the same.

Starbucks gift cards — and in particular the auto-reload function that is the source of some of this trouble — are so popular because the app is so popular.  It’s also important to note that Starbucks has gone to immense trouble to push gift card users onto the mobile app, offering all manner of loyalty incentives and so on.  I would argue that “de-linking” the two for the purposes of describing this attack would be inaccurate.

Hackers and consumers “sharing” accounts

Finally, one element of this story has confused me since I first spoke to Maria Nistri, and it’s been confirmed by many victims I’ve spoken to. Even after a criminal hijacked her account, Nistri was able to log in to her account on her smartphone. That means Starbucks is permitting simultaneous logins for the same account using different credentials.  The criminal is logged in using their new email address, while the victim is logged in with the old credentials — presumably because their mobile device never logs off. This turns out to be a good thing in some cases, because it has allowed many victims to hurriedly de-link their credit cards from the app in the middle of a fraud. But it’s also atypical security behavior. Why would old credentials ever allow someone to log in to an account? Clearly because the app isn’t verifying that it has up-to-date credentials very frequently. More than one consumer has rightly asked me: Once their account is restored,  can the criminal still log in?  Here’s what one consumer told me a Starbucks representative told her:

“I mentioned that when the hacker changed the login info, I was still logged in from my phone – so couldn’t the thief still have access to the account, too? The CSR said it should kick them off eventually because their login credentials will not be able to refresh. I asked for a specific timeframe and he had no idea. He said it should be a few hours…probably.”
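The behaviour the customer describes, old sessions staying alive until some later refresh, is a session-management choice rather than a law of nature. The following is an added illustration and not Starbucks’ code or a description of its actual system: it models a server-side session table with a hypothetical per-account credential version, replays the sequence in the article (victim logged in on her phone, thief logs in and changes the login, support later restores the account), and compares a naive policy, where sessions survive credential changes, with one that invalidates every session the moment the credentials change.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (constructed example).

    Each account carries a credential version that is bumped whenever its
    e-mail or password changes. A session remembers the version it was issued
    under. With revoke_on_credential_change=True a session is only valid while
    that version is still current, so a credential change logs everyone out."""

    def __init__(self, revoke_on_credential_change=True):
        self.revoke_on_credential_change = revoke_on_credential_change
        self.cred_version = {}   # account -> current credential version
        self.sessions = {}       # token -> (account, version at issue)

    def login(self, account):
        """Issue a fresh random session token bound to the current version."""
        version = self.cred_version.setdefault(account, 0)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (account, version)
        return token

    def change_credentials(self, account):
        """Called on any e-mail or password change, including a support reset."""
        self.cred_version[account] = self.cred_version.get(account, 0) + 1

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        account, version = entry
        if not self.revoke_on_credential_change:
            return True  # naive policy: a session lives until it expires on its own
        return version == self.cred_version.get(account, 0)


def simulate_hijack(revoke_on_credential_change):
    """Replay the sequence from the article and report which sessions survive
    after the hijack and after the account is restored."""
    store = SessionStore(revoke_on_credential_change)
    victim_phone = store.login("victim")   # victim is logged in on her phone
    store.login("victim")                  # thief logs in with the stolen credentials
    store.change_credentials("victim")     # thief changes the e-mail and password
    thief = store.login("victim")          # thief logs in again with the new credentials
    after_hijack = {
        "victim_phone_after_hijack": store.is_valid(victim_phone),
        "thief_after_hijack": store.is_valid(thief),
    }
    store.change_credentials("victim")     # support restores the account to the victim
    after_restore = {
        "victim_phone_after_restore": store.is_valid(victim_phone),
        "thief_after_restore": store.is_valid(thief),
    }
    return {**after_hijack, **after_restore}


if __name__ == "__main__":
    print("naive :", simulate_hijack(revoke_on_credential_change=False))
    print("strict:", simulate_hijack(revoke_on_credential_change=True))
```

Under the naive policy the thief’s session is still valid even after support restores the account, which is precisely the question consumers were asking. Under the versioned policy the restore kills the thief’s session immediately, with no “a few hours…probably” dependence on a token refresh. The trade-off is the one the article notes: the victim’s phone session dies at the moment of the hijack too, so she loses the window in which victims have been de-linking their cards, which is why a prompt notification to the old e-mail address about the change matters as much as the revocation itself.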

More details on this and other questions to follow soon.
