You may want to think twice about ordering a cup of coffee with your phone. The Starbucks app has been hacked as users discover their credit cards are being drained by thieves.
How do you keep your information safe?
How the Starbucks app thieves are stealing money:
- credit card hackers use a method of hacking called “brute force” to try hundreds of existing stolen usernames and passwords
- since most people reuse the same username and password across sites, the hackers take hundreds of these credentials stolen from other accounts and try them on the Starbucks app repeatedly until one succeeds
- the hacker then uses the balance on your Starbucks account to purchase a gift card for themselves
- the thief then waits for the account to be reloaded and repeats the theft again and again, sometimes stealing hundreds of dollars from a single hacked customer
- Starbucks says its app has not been hacked; instead it blames customers' reused credentials, which are often sold on underground online markets. Should the app itself ever be compromised in the future, Starbucks would do well to have pentested it beforehand in order to locate its vulnerabilities
How to protect yourself:
- consumers can protect themselves by using a different username and password for the Starbucks app than for other similar third-party payment systems
- turning off the auto-reload feature inside your account can help limit the loss
- dispute any missing funds with the retailer and with your credit card company
- while Starbucks has been quick to replace/replenish the losses of attacked customers, there are few real protections beyond the laws governing credit card fraud
- be especially diligent about monitoring your credit card statements for cards linked to apps that let you charge purchases through a retail app
Other apps that have been hacked include Uber.
Starbucks could and probably should strengthen its own payment system by limiting the number of failed login attempts allowed before the account is locked. As it stands, Starbucks does not offer that level of protection, allowing a thief to try to get into your account again and again without any resistance.
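As an added illustration of the control the paragraph above calls for (example code written for this article, not Starbucks code), the following Python throttle locks an account after a number of failed attempts in a time window. It also adds a per-source check, because a thief trying hundreds of stolen username/password pairs once each never trips a per-account lockout; that pattern shows up instead as one source address touching many different accounts. The thresholds, the log line format and the log lines themselves are assumptions constructed for the example.

```python
"""Login throttle demonstrating per-account lockout plus a per-source
credential-stuffing check. Example code, not from the Starbucks app."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy thresholds: assumed values for illustration, not any vendor's policy
ACCOUNT_MAX_FAILURES = 5           # failures per account before lockout
SOURCE_MAX_FAILURES = 20           # failures per source address before block
SOURCE_MAX_DISTINCT_ACCOUNTS = 10  # distinct accounts tried per source before block
WINDOW = timedelta(minutes=15)


class LoginThrottle:
    def __init__(self):
        self._account_fail = defaultdict(deque)    # account -> failure timestamps
        self._source_fail = defaultdict(deque)     # source  -> failure timestamps
        self._source_accounts = defaultdict(dict)  # source  -> {account: last seen}

    @staticmethod
    def _trim(queue, now):
        # Drop failures that have aged out of the sliding window
        while queue and now - queue[0] > WINDOW:
            queue.popleft()

    def allow(self, account, source, now):
        """Return False if the attempt must be refused before the password is even checked."""
        self._trim(self._account_fail[account], now)
        self._trim(self._source_fail[source], now)
        seen = self._source_accounts[source]
        for stale in [a for a, t in seen.items() if now - t > WINDOW]:
            del seen[stale]
        if len(self._account_fail[account]) >= ACCOUNT_MAX_FAILURES:
            return False  # classic per-account lockout
        if len(self._source_fail[source]) >= SOURCE_MAX_FAILURES:
            return False  # one source failing too often overall
        if len(seen) >= SOURCE_MAX_DISTINCT_ACCOUNTS and account not in seen:
            return False  # one source spraying many different accounts
        return True

    def record(self, account, source, now, success):
        """Update counters after an attempt (refused attempts are recorded as failures)."""
        self._source_accounts[source][account] = now
        if not success:
            self._account_fail[account].append(now)
            self._source_fail[source].append(now)


def parse_line(line):
    """Parse an assumed log format: '<iso timestamp> src=<ip> user=<name> result=<ok|fail>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"] == "ok"


def replay(lines):
    """Feed log lines through the throttle; return the (account, source) pairs it refused."""
    throttle = LoginThrottle()
    refused = []
    for line in lines:
        now, source, account, success = parse_line(line)
        if throttle.allow(account, source, now):
            throttle.record(account, source, now, success)
        else:
            refused.append((account, source))
            throttle.record(account, source, now, False)
    return refused


# Constructed sample log: a real user with two typos, one account being
# hammered from one address, and one address trying twelve different accounts.
SAMPLE_LOG = (
    ["2024-01-15T10:00:00 src=198.51.100.5 user=alice result=fail",
     "2024-01-15T10:00:05 src=198.51.100.5 user=alice result=fail",
     "2024-01-15T10:00:10 src=198.51.100.5 user=alice result=ok"]
    + [f"2024-01-15T10:01:{i * 10:02d} src=192.0.2.9 user=bob result=fail" for i in range(6)]
    + [f"2024-01-15T10:02:{i:02d} src=203.0.113.7 user=user{i + 1:02d} result=fail" for i in range(12)]
)

if __name__ == "__main__":
    for account, source in replay(SAMPLE_LOG):
        print(f"refused: account={account} source={source}")
```

Running it refuses bob's sixth attempt (per-account lockout) and the eleventh and twelfth accounts tried from 203.0.113.7 (per-source spray check), while alice's two mistakes and the first ten sprayed accounts go through untouched. Counting a refused attempt against the source but still allowing the account's own later attempts from elsewhere is a deliberate choice: a pure per-account lockout lets an attacker lock legitimate users out of their own accounts.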