Coffee giant Dunkin Donuts announced a security incident involving its mobile app yesterday, but I am afraid the firm isn’t telling quite the whole story. I’m hard at work trying to figure that out right now. The incident reminds me of what happened to Starbucks consumers, when criminals armed with login information managed to use the app to attack customers’ bank accounts.
In its announcement, Dunkin said consumers’ emails, names and loyalty account numbers might have been viewed by criminals armed with login credentials stolen from *other* places. Not a big deal. Were the Dunkin Donuts app merely a loyalty card tool, there wouldn’t be much to attack.
But, like the Starbucks app, and many others now, the Dunkin app can also be used to pay at retail outlets — it’s a “stored value” app. A mobile phone gift card, and more. That means compromised credentials open the door to various fraud schemes. A criminal who logged into a Dunkin account could use the stored value to buy coffee, for example, or, more importantly, sell the value on a criminal exchange. Theft of $10 or $20 worth of coffee isn’t much to worry about. The real issue arises because users can load their credit, debit or Google Pay account information onto the app, and some choose to auto-reload value. That creates a big opportunity for criminals. In the Starbucks case, hackers managed to steal hundreds of dollars from consumers, one $100 auto-reload after another.
Dunkin’s announcement (PDF) makes no mention of fraud.
“We also have taken steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards,” it said. The firm also says “our security vendor was successful in stopping most of these attempts,” but says criminals were successful in some cases. How many? There’s no information.
When the Starbucks incident occurred, Twitter was flooded with complaints from consumers, and Starbucks’ customer service center was bombarded with calls. I don’t see that level of complaints about Dunkin fraud, but there are some. Like this one from three days ago:
“@ I discovered fraud on my app today. I called. I sent an email. You’re closed for the holiday. How is this helpful? I have to contact you 3 times for fraud. #. Happy Thanksgiving. Loyalty gets me ???”
It’s not uncommon for fraud rings like this to spring into action during holiday weekends, when fraud staffing gets thin and consumers are less likely to notice.
About a year ago, there was a larger flurry of fraud complaints lodged against Dunkin Donuts.
“Three cards have been purchased and set to auto reload for $99 before being flagged by my banking establishment,” wrote one victim on Reddit, generating plenty of “me too” responses. Here’s one: “Same thing with me I had a charge last night for $95 then a charge for $99 today I just went on the website change my password and took my bank card information off the website.”
Dunkin Donuts hasn’t responded to my questions about the incident yet; nor have any of the alleged victim consumers. I’ll update this story if and when that happens. Meanwhile, it’s important to know that someone with access to your stored value mobile phone app accounts, like Dunkin DD Rewards or your Starbucks app, has a route to your bank accounts. So use bank-account-worthy passwords on them. Try to avoid re-using passwords, so hacks at other sites won’t let someone break into your stored value app accounts. And, as much as feasible, avoid loading your banking details onto apps like this. It’s convenient, but it can lead to unexpected risks. You can’t expect a coffee company to have security that’s as strong as a financial company’s.