Starbucks Victim 'Begged and Pleaded'

Starbucks has thrown the responsibility back on consumers for the mobile fraud campaign targeting its coffee app. But, it doesn’t want to be too heartless, so it has offered to reimburse victims. Only, there’s one issue: Apparently, some patience is required to get the funds back once victimized.

One consumer, Ryan Benharris, told blogger Bob Sullivan that he had $200 stolen from his debit card after his Starbucks account was hijacked. “I had to beg and plead to get my money back,” he said. “They lied to me…I’m an attorney, and it took me four hours on the phone and six weeks to get a refund.”

Starbucks has pledged to reimburse victims:

“If a customer believes their account has been subject to fraudulent activity, they are encouraged to contact both Starbucks and their financial institution immediately. Customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected.”

But it’s hardly a simple process. Benharris added, “I called four times and had four different conversations.  The first time, they told me that (the refund) was uploaded to my card. That was a lie. The second time, they told me a check was in the mail. That was a lie. The third time they said they had no record of my calling them,” he said.  “There is definitely a problem of record-keeping there.”

Some consumers report they have been bounced between Starbucks and their bank, with each entity telling consumers to ask for refunds from the other. Sometimes both are doing their job at the same time: Another victim, Shelly Gupta, shared records with Sullivan showing that Starbucks had refunded the $100 stolen from her credit card, but her credit card bank had also issued a $100 credit—which was later reversed.

Starbucks has placed the blame for the hijackings squarely on consumers and poor password practices:

“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

And indeed, the initial vector for the attacks was probably brute-force password attacks; because Starbucks’ mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts. But, phishing emails or keylogging programs are effective too.

The issue is that once logged in, criminals have several options for draining card values—they can transfer balances from the gift card to another, or combine balances from multiple cards onto a single other card that they control. In this attack path, hackers can update a user’s email address in the app and intercept verification codes for balance transfers.

They can then top up the account from a linked card. And with the auto-reload function, accounts are automatically topped up from a linked bank account or credit card when the balance falls below a certain level, offering an endlessly replenishing pool of cash to steal. Consumers would be none the wiser until they notice the extra transactions coming out of their bank accounts or worse, on their monthly statements.

For instance, Benharris’ account had $14 in stored value, but hackers also sucked two $100 payments from his checking account debit card onto his Starbucks app, and then off the app to a gift card they controlled. 

Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about one in six transactions at Starbucks are conducted with the Starbucks app. So there’s a lot to lose. And Starbucks has plenty of options for instigating a step in the kill chain to address the issues with poor two-factor authentication safeguards for balance transfers or the auto-reload function.

But in its caffeine-drenched corporate hive-mind, apparently, if passwords are secure, then everything else will be too. You may buy Starbucks coffee. Do you buy that?

What’s Hot on Infosecurity Magazine?