EXCLUSIVE: Hackers target Starbucks mobile users, steal from linked credit cards without knowing account number

BOBSULLIVAN.NET EXCLUSIVE: Credit card hackers are targeting Starbucks gift card and mobile payment users around the country – and stealing from consumers’ credit cards — with a new scam so ingenious they don’t even need to know the account number of the card they are hacking.

Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.

Maria Nistri, 48, was a victim this week. Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0.  Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.

“I don’t know why Starbucks would recommend people do auto-reload when this crime is so easy,” she said.

UPDATES TO THIS STORY:
(1) Victim: I had to bed and plead to get my money back. Also, new security questions
(2)Starbucks blaming passwords doesn’t fix the problem, and other burning questions

The trouble started at 7:11 a.m. on Wednesday when she received an automated email saying her username and password had been changed, and if she hadn’t authorized the change, she should call customer service.  She tried, but the number she called notified her an operator couldn’t answer until 8 a.m.

“Whoever did this knew the right time to do it,” she said.

Next, she picked up her phone and launched the Starbucks app.  By then, there was a “debit” notice showing her $34 was gone. As she watched in real-time, trying to figure out what was happening, thieves stole $25 and another $75 in quick succession.

“It was crazy. I was like, what in the world?” Nistri said. “I was lucky I happened to check my email when I did, otherwise who knows how much they would have gotten.”

In effect, the hackers stole from her credit card, through her gift card loaded onto her Starbucks app, without having to touch her phone or even know what her credit card number was. And Nistri is not alone.  It’s easy to find consumers are complaining about similar app/gift card/ credit card hacks all over the Internet.

“I got an email this morning that my username and password got changed,” writes one victim on a Facebook page devoted to the issue. The post is dated May 6, the same day as Nistri’s incident, “I hacked my balance and $27.41 got wiped out.”

“I just got hacked! $163 in gift cards removed from my account,” complained another from earlier this month.

“My account was hacked this morning,” said another on April 24. “They got my balance and tried to reload the card with the saved credit card but the bank stopped it. Had all the hassle of canceling the credit card, and also because my address and email and phone number was on there, put in a fraud alert to the credit report companies as well just in case. While the lady who did customer service on the phone for Starbucks was great, this is RUBBISH from Starbucks. Has to be a vulnerable app.”

Because Starbucks isn’t answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card.

Hackers often manage to steal hordes of username and password combinations, the way they steal databases of credit card account numbers. Because consumers often re-use credentials, hackers take them and “brute force” thousands of potential logins at the website. Because Starbucks’ mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts.

Criminals could also be stealing credentials in other ways — through phishing emails, or keylogging programs.

Once logged in, criminals have several options for draining card values and helping themselves to victims’ debit or credit cards.

Starbucks allows consumers to transfer balances from one gift card to another, or to combine balances from multiple cards onto a single card. A criminal who controls a Starbucks card can move a balance from a victim’s card to a card they control. The hackers’ cards — or the electronic codes behind them — can then be sold on the black market for cash.

Victim accounts with auto-load enabled can turn theft of a seemingly innocuous $10 or $20 account into a much more serious crime.

Transferring the balance from the consumers’ card to the hackers’ card requires one additional authentication step: Users at Starbucks.com/card are sent a verification code to their email address which they must enter before the transfer is complete. That means a would-be card hacker must control the email account associated with the Starbucks card.  But that step is trivial, because a hacker with control of the Starbucks account can simply change the email address used for the verification code. I was able to change my associated email address to a second email and transfer my balance to a new card within a few moments.

The victim consumer gets notice that their email address has changed, but as Nistri’s story shows, even instant response to such an email isn’t always good enough to stop a fraud.

In another variation on the crime, hackers use a hijacked account to order themselves gift cards which can be emailed to accounts they control. Consumers complained about that on Facebook, also.

“Yesterday, April 22, I received emails that I had sent $200 worth of e gift cards to some dirt bag,” said one victim. “My Paypal account is linked to my Android app for Starbucks. I called SB and the rep apologized, deactivated the gift cards, and transferred me to Paypal. Paypal is working to reverse the charges. Really awful what people will get up to. Hopefully Starbucks will defend against this better in the future.”

Criminals have begun training their attention away from financial institutions and on third-party firms because they are easier to hack than banks, said Avivah Litan, a fraud analyst at consultancy Gartner.

“Fraud is moving away from banks into big ecommerce companies,” she said. “Criminals are learning how to turn rewards programs, points, and prepaid cards into cash.”

Starbucks said it could not discuss individual accounts, but offered this response.

“While I’m not able to comment on an individual customer’s account, what you’re describing is not connected to mobile payment – linking the two is inaccurate,” said spokeswoman Maggie Jantzen in a statement. “We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers. For obvious reasons, we are unable to discuss specific security measures. Our customers’ security is incredibly important to us and we take all these concerns seriously.”

“If a customer believes their account may be subject to fraudulent activity, we encourage them to contact us and their financial institution immediately. Our Customer Care hotline hours are Mon-Fri 5 AM – 8 PM (PST) and Sat –Sun 6 AM – 4 PM (PST), however customers can access their online accounts 24 hours a day to make any updates. Additionally, customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks. As soon as we were contacted by the customer of this activity, we worked quickly to resolve her concerns,” she added.

“We also encourage our customers to follow several best practices to help ensure their information is as protected as possible, such as using different user name/passwords for different sites and changing their passwords often.”

Starbucks says consumers won’t be responsible for charges in situations like these, but it’s unclear what level of consumer protection consumers would be legally entitled to. Because their credit card accounts aren’t actually compromised and their cards not stolen, it’s unclear that standard “Regulation E” credit card liability protections would apply.  Prepaid card users don’t enjoy the same level of consumer protection.

While Nistri said Starbucks was quick to give her a new gift card with $37.44 on it, she was disappointed to learn on Friday that the $25 and $75 charges had gone through on her American Express card, and it would be up to her to dispute them – even though she reported them almost immediately to Starbucks.

“It is harmless outside of inconvenience,” Nistri said. “But the potential of this crime is ridiculous. I’ll never have auto -reload on anything again.”

RED TAPE WRESTLING TIPS

Protect your Starbucks account the way you protect your bank account.  If the convenience of auto-reload is just too irresistible for you – and admittedly, it is convenient – then you must use very strong passwords on your Starbucks account.  Your Starbucks account is your credit card when you link the two.  So use a strong password and be on the lookout for fraudulent transactions related to your account.

Copyright Bob Sullivan 2015