Ryan Benharris had $200 stolen from his debit card after his Starbucks account was hijacked recently, but that’s not why he was furious at the firm. He was angry about what happened next.
“I had to beg and plead to get my money back,” he said. “They lied to me…I’m an attorney, and it took me four hours on the phone and six weeks to get a refund.”
As Benharris and a pile of other victims have contacted me with stories of frustration, it appears Starbucks has made a change to its website in light of disclosures last week that criminals were attacking customers and stealing money from their Starbucks-linked bank accounts. More on the change in a moment.
Benharris’ tale of frustration is typical of victims who contacted me after the initial story detailing the attack on Starbucks mobile app and gift card users. His account, with $14 in stored value, was hijacked in January and hackers sucked two $100 payments from his checking account debit card onto his Starbucks app, and then off the app to a gift card they controlled. He called Starbucks within minutes of the crime, yet he feels he didn’t get satisfaction from the firm until after he sent a letter detailing that the firm was in violation of Massachusetts’ unfair and deceptive business practices law. Starbucks had initially sent him a new $14 gift card without incident, but getting the $200 back was another matter.
“I called four times and had four different conversations. The first time, they told me that (the refund) was uploaded to my card. That was a lie. The second time, they told me a check was in the mail. That was a lie. The third time they said they had no record of my calling them,” he said. “There is definitely a problem of record-keeping there.”
Starbucks did not respond to questions about Benharris’ situation.
Ultimately, Benharris said Starbucks deposited $200 into his checking account and sent him a $100 gift card for his trouble, but he vowed never to set foot in the coffee shop chain again.
“I was pretty shocked when it became clear to me that they were just lying to me on the phone about checks being mailed and money being re-loaded back into my bank account. It’s just stupid,” he said.
Roberts’ refund was no doubt complicated because his bank had canceled and re-issued his debit card. Issuing refunds during a fraud outbreak can be complex. Another victim, Shelly Gupta, shared records with me showing that Starbucks had refunded the $100 stolen from her credit card, but her credit card bank had also issued a $100 credit. The bank then reversed its credit.
“I was able to get through to Starbucks, and the (customer service agent) didn’t seem too bothered or surprised,” Gupta said.
It’s an oft-repeated myth that victims of traditional credit card hacks aren’t really victims at all. While it’s true that consumers who notice fraudulent charges almost never end up paying for them, there can be hassles aplenty. Stopping and restarting automatic payments can take an hour or two, and the potential to forget a payment, leading to a late fee, is high.
What makes the Starbucks attack a bit more perilous for consumers is it can involve two payment entities — the coffee giant, and a card-issuing bank. Were consumers merely losing the value of a gift card in the attack, that would hardly be alarming. After all, losing unregistered gift cards – and thereby losing their value – seems a bigger problem than gift card hacking. The real issue here is an attack on a $9 gift card can lead to several hundred-dollar thefts from consumers’ credit or debit cards.
Some consumers report they have been bounced between Starbucks and their bank, with each entity telling consumers to ask for refunds from the other. Banks’ response to the incident has been mixed. Some force consumers to close their accounts and send re-issued cards. But because hackers can steal from Starbucks-linked accounts without knowing the credit or debit card number, it appears the payment account isn’t actually compromised, and that step probably isn’t necessary.
It’s also unclear which federal protections apply to hacked Starbucks transactions. Starbucks gift cards and its app are considered stored value cards, which do not have the same strong federal protections as credit cards. But when a credit card is hacked via a Starbucks account, which rule applies?
Because Starbucks says it is issuing refunds to all impacted consumers, that distinction might prove to be purely academic. It’s important to note that Starbucks users must report the theft in order to get a refund, however. Frequent Starbucks app users might miss small fraudulent charges and fail to request a refund. Or, they may decide not to bother with the hassle, fears Benharris.
“I’d like to see the amount of money they’ve made off of thefts that they were successfully able to frustrate the victim into not bothering to ask for his money back again. I’d bet it’s fairly alarming,” he said.
Merchants don’t usually profit from incidents like this: they usually lose money. Not only are they forced to issue refunds, but banks hit firms with “chargeback” fees that can range up to $100 per incident, though it’s normally less.
Starbucks has responded to the incident by asserting that its mobile app has not been hacked, and blamed the problem on poor passwords. During the weekend, I wrote a piece arguing that blaming the victim is both unfair and not a sound security practice, as is fighting over the definition of the word “hack.” A few victims I’ve spoken to say they use strong passwords. One victim who said his card had been hit for four $50 refills said his password was 15 randomly generated characters. As I mention in the weekend piece, consumers are often mistaken about their password management skills, but corporations aren’t always transparent about their security practices, either.
Starbucks recently suffered a nationwide outage to its point of sale systems, requiring many stores to give out free coffee while the problem was being fixed. Starbucks issued a statement blaming the outage on “internal failure during a daily system refresh,” and said explicitly it had not been hacked. Starbucks is in the middle of a major upgrade to its point of sale terminals, and such mistakes do happen.
Last week, Starbucks asserted that the mobile app / gift card attack had no connection to the system outage. It’s easy to imagine Starbucks customer service operators have been overwhelmed recently, as one person who claimed to be a Starbucks employee told me in a private email.
That person recommended, as I do, that consumers de-link their credit/debit cards from their Starbucks app, and manually reload their accounts. He or she also said Starbucks’ systems sometimes have trouble identifying hacked consumers when they call – as Benharris experienced — and recommended concerned users write down their Starbucks gift card number manually, since that number can most readily identify consumers in Starbucks’ system. That sounds like a reasonable step to take.
Meanwhile, users who attempted to change their login information at Starbucks.com were presented with two questions on Monday that appeared to be new. First: “Can you still access email at your previous address?” and second, “Why are you changing your email address today? To stay organized/to avoid spam/for security reasons/other.”
Starbucks didn’t respond to questions about the change. One possible reason for it: Starbucks is considering an added layer of security that wouldn’t allow users to change their email address to a new one without receiving and confirming a verification code sent to the old address. That would thwart one of the attack paths hackers are currently exploiting, preventing them from updating a user’s email address and intercepting verification codes for balance transfers. Before making that change, it’s possible Starbucks wants to know how many legitimate users would be frustrated by the added step because they couldn’t access the old email, a common verification headache.
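To make the control described above concrete, here is an added example (not Starbucks’ code, and not based on any knowledge of how Starbucks actually implements it) of an email-change flow that sends the confirmation code to the address already on file. The service, account and outbox names are hypothetical, the email addresses are constructed, and the code lifetime and attempt budget are assumed values. The point it demonstrates: a session that can request an email change still cannot complete it, and balance-transfer codes keep going to the confirmed address, until the owner of the old inbox confirms.

```python
"""Email-change confirmation sent to the OLD address (added illustration, hypothetical names)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a confirmation code
MAX_ATTEMPTS = 5             # assumed guess budget before the request is voided


@dataclass
class PendingChange:
    new_email: str
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    email: str                              # the address currently on file
    pending: Optional[PendingChange] = None


class Outbox:
    """Constructed stand-in for the mail provider; records (recipient, body)."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def new_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"   # six-digit code from a CSPRNG


class EmailChangeService:
    def __init__(self, outbox: Outbox, clock: Callable[[], float] = time.time) -> None:
        self.outbox = outbox
        self.clock = clock

    def request_change(self, account: Account, new_email: str) -> str:
        """Stage the change; the address on file stays authoritative until confirmed."""
        code = new_code()
        account.pending = PendingChange(new_email, code, self.clock() + CODE_TTL_SECONDS)
        # The confirmation goes to the OLD address, never to the requested one, so
        # whoever holds the session still needs the owner's inbox to finish the swap.
        self.outbox.send(account.email,
                         f"Confirm changing your sign-in email to {new_email} with code {code}")
        return "pending"

    def confirm_change(self, account: Account, code: str) -> str:
        p = account.pending
        if p is None:
            return "no_pending_change"
        if self.clock() > p.expires_at:
            account.pending = None
            return "expired"
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            account.pending = None       # void the request instead of allowing more guesses
            return "too_many_attempts"
        if not hmac.compare_digest(code, p.code):
            return "wrong_code"
        account.email = p.new_email
        account.pending = None
        return "changed"

    def send_transfer_code(self, account: Account, amount_cents: int) -> str:
        """Balance-transfer confirmations also go only to the confirmed address."""
        code = new_code()
        self.outbox.send(account.email,
                         f"Code {code} to move ${amount_cents / 100:.2f} off your card")
        return code


def run_scenario() -> dict:
    """A session asks to point the account at a new inbox; check where codes go."""
    outbox = Outbox()
    svc = EmailChangeService(outbox)
    acct = Account(email="owner@example.com")            # constructed address
    results = {}
    svc.request_change(acct, "newinbox@example.net")     # constructed address
    results["code_sent_to"] = outbox.sent[-1][0]
    real = acct.pending.code
    wrong = "000000" if real != "000000" else "111111"
    results["wrong_guess"] = svc.confirm_change(acct, wrong)
    results["email_after_wrong_guess"] = acct.email
    svc.send_transfer_code(acct, 10_000)                  # a $100 transfer request
    results["transfer_code_sent_to"] = outbox.sent[-1][0]
    results["right_code"] = svc.confirm_change(acct, real)
    results["email_after_confirm"] = acct.email
    return results


def run_expiry_scenario() -> str:
    """Same flow with a fake clock, to show a stale code is refused."""
    now = [1_000_000.0]
    svc = EmailChangeService(Outbox(), clock=lambda: now[0])
    acct = Account(email="owner@example.com")
    svc.request_change(acct, "newinbox@example.net")
    code = acct.pending.code
    now[0] += CODE_TTL_SECONDS + 1
    return svc.confirm_change(acct, code)


if __name__ == "__main__":
    print(run_scenario())
    print(run_expiry_scenario())
```

Running the file prints the scenario results. The design choice worth noting is that `request_change` never touches `account.email`; every code, for the change itself or for a transfer, is addressed using the confirmed value, and the pending request is voided on expiry or after too many wrong guesses. The survey question quoted above (“Can you still access email at your previous address?”) maps directly onto the one case this flow cannot serve: a legitimate user who has lost the old inbox, who would need a separate, manually verified recovery path.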