‘They were able to steal $600 from me in seconds’ — Another holiday, another flurry Starbucks mobile app ‘hack’ complaints (and a special prepaid cards warning)

January 4, 2017 Bob Sullivan Cybercrime / Privacy, Gotchas / Consumer, Red Tape Wire Service 1

Jenna Veeve Farag received this surprising email after her Starbucks account was hacked.

Angry Starbucks customers keep writing me to say their bank accounts are being drained via the coffee giant’s popular mobile app, more than a year after I first reported the disturbing problem.

Such a heist ruined Jenna Veeve Farag’s Christmas morning.

“They were able to wipe out my checking account,” she said.  “They were able to steal $600 from me within seconds. I just felt so violated. …I suppose I was just so shaken up, nothing like this has ever happened to me. It upset me when I found out there were so many other victims way before me. Yet there’s an obvious security breach with Starbucks and the issue still isn’t fixed.”

In a statement, Starbucks told me a tiny fraction of its customers suffer from these kinds of account takeovers, and denied there was any significant increase recently.  More from Starbucks in a moment.

To refresh your memory, criminals are taking control of Starbucks accounts, then using linked credit or debit cards to send themselves money by transferring funds to other Starbucks cards they control. Starbucks has always resisted calling this a hack, but I’d argue that’s semantics.  Criminals somehow obtain Starbucks account credentials — possibly re-using username/password combinations stolen from other places – and then log in and move money around.  It’s a small deal if a consumer only has a few dollars on their Starbucks card, but it’s a bigger deal if mobile app is linked to a bank account. That gives criminals the ability to repeatedly replenish the “hacked” app, and repeatedly siphon money out of the consumers’ linked bank account.

It appears that something is going on around holidays, which are always a popular time for hackers — as security thresholds are often lowered, high transaction volume helps disguise fraud, and many IT professionals take time off.   That means if you link your bank accounts to your Starbucks app, keep your eyes wide open during the upcoming MLK Day and Presidents’ Day holidays.

The last time I updated the story, there was a spike in fraud around Presidents Day 2016.

It wouldn’t be fair for me to characterize the scale of Starbucks fraud uptick around Christmas and New Year’s — In truth, I know about a dozen or so fresh cases, which could mean a lot of things.  But I hadn’t received any complaints for months, and then received a flurry of message in the past several days. Meanwhile, a nearly three-year-old Facebook group devoted to the fraud also saw several fresh complaints recently.

For its part, Starbucks rejects the notion that there was a recent uptick.

“While account takeover activity is an industry-wide challenge, we see only a tiny fraction of one percent of our account holders impacted, regardless of time of year. Therefore, if you choose to characterize this as widespread, that would be inaccurate,” the firm said in a statement emailed by spokesperson Linda Mills.  “Our security and fraud prevention improvements have significantly reduced fraudulent activity in our business to a level that is vastly better than industry average and we have a team of engineers dedicated to advancing our security and fraud prevention capabilities, some of which are visible to our customers, many of which are not.”

One reader wrote to me with a bit of a twist that the victim said cost him big bucks.

“I got hacked $1,200 Dec 2016 reloading Starbucks card!My Walmart money card was compromised,” the writer claimed.  I was unable to verify this claim, and Starbucks wouldn’t comment on it.  It’s worth noting that the rapid rise of prepaid cards  — which function a lot like checking account debit cards, but don’t have quite the same consumer protections and perhaps not the same back-end fraud protections — would lead to a rise in Starbucks account/prepaid card links.  Prepaid cards are popular among unbanked and underbanked consumers, and that group would have a harder time getting refunds after a fraud.  The Consumer Financial Protection Bureau issued a rule in October that pulls prepaid card consumer fraud protections in line with credit and debit cards, but the rule does not take effect until next October.

When asked about the Walmart money card complaint, Mills said: “While we do not share our Customer Care inquiries, we can assure you that if we are made aware of any unauthorized activity that we work with the customer directly, help them employ best practices and ensure that their account remains whole.”

My strong suggestion is that consumers never link a pre-paid card to the Starbucks app. If you must, buy smaller value cards and link those.

I would also never link debit card to the Starbucks mobile payment app , or any app. As Farag learned the hard way, you can be left with no access to your own cash within seconds. While victims generally get their money back, the days-long hassle can be a real problem. And I’d be really reluctant to link a credit card to the app, either, though that’s easier to recover from via a standard dispute.

Note, Starbucks isn’t the only firm which places consumers at this kind of risk for the sake of convenience: it has been joined by Dunkin Donuts, CVS, and others in the retailer-as-a-mobile-bank game.  Any app lets you spend money directly from your credit card can be subject to this kind of account takeover issue. Starbucks attracts a high volume of complaints mainly because it’s by far the most successful app, making it the biggest target for hackers.

Here’s a sample of emails I’ve received, and Facebook posts I’ve spotted:

“I had the same problem with the holiday timing as Jenna Veeve Farag. They were only able to charge $300 (and it took 10 attempts) but within 5 minutes they had transferred the balance to their own thieving Starbucks account. Why doesn’t Starbucks have internal controls in place to prevent this? I contacted my linked reloading credit card and cancelled it. No more Starbucks for me.”

“This happened to me January 2nd, 2017. Like others, I found out from email alerts I received of two reload transactions. $50 each. Then they unregistered my gift card from my account. Starbucks says they will issue a new gift card for the amount I had prior to the reloads and refund me the two fraudulent transactions. Of course it will take time.”

“Good morning Bob. I don’t know if you’ll find this interesting or not, but since you wrote a past article about the Starbucks hack I thought you might. As I am typing to you I am on hold with Starbucks because someone has drained my Starbucks account. Seems the Starbucks hacks continue. Merry Christmas to me… 🙁  All I got was a confirmation email this morning that the transfer of my balance had gone from my card to another one. When I called Starbucks they told me that they couldn’t see any history of the transfer on their screens but that an escalation team could see the transfer. I also couldn’t see the transfer on my phone app, but I could when I logged into the website. Also, the woman was very relieved that I didn’t have a credit card tied to the account; I guess that’s when the theft gets big.

“This has happened to me as well, transaction happened twice on Dec 12th using my Paypal account that was attached to my Starbucks app. I have deleted my app and my account with Starbucks. Paypal is helping me get my money back. Shame on Starbucks for knowing this for so many years and haven’t sent out any warnings to their Starbucks app users. They have lost my business and I’m going to tell as many people as I can.”

“This happened to me between 12/28 and 1/1. Balance stolen and account deleted. Spoke to call center rep who said this happened to many customers. No fix in sight.”

“My Starbucks Account was hacked last night! Of course, Starbucks was closed. I had to cancel my credit card! I am waiting for a refund. I think this is happening a lot! ☹”

“I got hacked just 2 days ago! 100 bucks from paypal and 200 from my bank account. I call paypal and they said that starbucks has to refind the money. Starbucks promise to refund the money since they had time to cancel the gift cards. But reading all this bring my hopes down that it will ever happen.”

If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Sign up for my free email list, or click on an advertisement, or just share the story.


Don’t miss a post. Sign up for my newsletter

About Bob Sullivan 1632 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
Website

1 Comment

  1. Thanks for reporting on this, Bob. I just logged in to Starbucks and deleted my debit card. I’ll just buy cards in-store from now on to load my account. Much lower-risk.

    Reply

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.