EXCLUSIVE: Hackers continue stealing from Starbucks app users, nearly a year later; linked credit, debit cards at risk
Screen shot of Bruno Navarro's Starbucks app shows a fraudulent reload and subsequent rapid-fire purchases.
Hackers are still stealing money from Starbucks customers using a simple attack on the coffee giant's app users, BobSullivan.net has learned. Nearly a year after my initial story exposed widespread attacks on app users' bank accounts, the security problems plaguing Starbucks' auto-reload and linked bank account features persist.
Starbucks did not immediately respond to a request for comment for this story. (UPDATE 3/4/16: Starbucks has not yet responded to me, but it did give a statement to Seattle KOMO reporter Herb Weisbaum, posted in its entirety below. Essentially the firm claims the problem has never been "widespread.")
While the attacks do not seem as widespread as they were last May, plenty of consumers are still being victimized. In fact, I've interviewed several consumers who were hit during the long Presidents Day weekend -- at a time when fraud controls at banks and Starbucks might have been dialed back.
Dawn Euer, a lawyer in Rhode Island, said her account was hit Saturday at 4 p.m. Her Starbucks card was drained of value, then reloaded twice with $100 transactions from her linked debit card. That value was also drained off to another card the hackers controlled.
"It was such an odd transaction that I would think they could set up some security checks," Euer told me. "Thankfully I signed up to receive email alerts from Starbucks when I replenished the card. Other than that alert I didn't receive any notice about the transaction or fraud scheme. I was surprised when I saw the old article that this has been known about for some time."
Euer will get her money back, but Starbucks told her it would take 7-10 days. She is now disputing the transactions with her bank.
I'll get to more examples in a moment, but I'd like to reiterate my warning to the 13 million or so Starbucks app users: It's *still* not safe to link a credit or debit card to your Starbucks account; if I were you, I'd delete my payment information from the app immediately and reload the balance manually.
As I described last year, criminals who manage to obtain Starbucks consumers' login credentials have a relatively easy time transferring gift card / app balances onto cards they control; worse yet, they can initiate new transactions from a victim's linked debit or credit card onto the consumer's Starbucks card, and then move the money onto their own cards. That lets them steal from consumers' bank accounts without even knowing the victims' bank account information.
(Let me get some nomenclature out of the way: Starbucks has always maintained its systems have not been hacked, and I have no reason to believe that's untrue. Criminals are instead finding their way into consumers' online accounts allowing them to take control of their apps and gift cards. I call these hacked accounts; one could quibble with that description, but I think it's the clearest way to express what's happening.)
It's unclear how hackers are getting Starbucks login credentials, but there are many ways: phishing emails, stolen credential lists from other websites, brute force attacks. Many consumers might use *less* secure passwords on their Starbucks accounts because they log in infrequently; I'd suggest making your Starbucks password as complex as possible.
Last year's widespread incident suggested that Starbucks' back-end account fraud detection tools were less effective than bank tools; transactions that should have been easily recognized as suspicious sailed through. Euer's story suggests that problem persists.
Bruno Navarro, from New York, contacted me on Friday to say his account was hit Thursday evening.
"I caught it minutes after it happened and between reloads," Navarro said. Hackers used his app to attack his Discover Card. In his case, someone bought $85 worth of merchandise at a store in York, Pa., after adding value to his gift card / app balance. "Discover told me that three transactions, each for $100, were processed."
In Navarro's case, hackers didn't bother to move money onto a second card before trying to spend it. Someone initiated an $85 purchase in York, Pa., using his fraudulently-reloaded card -- showing hackers are using a variety of tactics to move cash onto and off of hacked Starbucks accounts.
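The pattern the victims describe above (a balance drained to another card, then rapid-fire reloads from the linked bank card, or a password reset followed minutes later by money movement on an account that had been idle for a year) is exactly the kind of sequence a back-end fraud control should catch. The following is an added example, written for this page and not code from Starbucks or from the author, of a simple rule-based detector run over a constructed account-activity log. The event kinds, the thresholds (30-minute reload window, 15-minute drain-to-reload window, one-hour reset-to-money window, 365-day dormancy) and the account names are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    """One row of a hypothetical per-account activity log (constructed format)."""
    account: str
    ts: datetime
    kind: str          # "login", "password_reset", "reload", "transfer_out", "purchase"
    amount: float = 0.0


MONEY_KINDS = {"reload", "transfer_out", "purchase"}

# Assumed thresholds; a real fraud team would tune these against its own data.
RELOAD_VELOCITY_WINDOW = timedelta(minutes=30)   # N reloads inside this window
RELOAD_VELOCITY_COUNT = 2
DRAIN_TO_RELOAD_WINDOW = timedelta(minutes=15)   # balance moved out, then reloaded
RESET_TO_MONEY_WINDOW = timedelta(hours=1)       # password reset, then money moves
DORMANCY = timedelta(days=365)                   # idle this long, then any activity


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return {account: sorted list of rule names that fired}, accounts with no alert omitted."""
    by_account: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account[e.account].append(e)

    alerts: Dict[str, List[str]] = {}
    for acct, evs in by_account.items():
        found = set()
        last_reset = last_drain = prev_activity = None
        recent_reloads: List[datetime] = []
        for e in evs:
            # Rule: any activity after a long idle period (the "old password, unused app" case).
            if prev_activity is not None and e.ts - prev_activity > DORMANCY:
                found.add("activity_after_dormancy")
            if e.kind == "password_reset":
                last_reset = e.ts
            elif e.kind == "transfer_out":
                last_drain = e.ts
            elif e.kind == "reload":
                # Rule: reload velocity, keeping only reloads still inside the window.
                recent_reloads = [t for t in recent_reloads
                                  if e.ts - t <= RELOAD_VELOCITY_WINDOW] + [e.ts]
                if len(recent_reloads) >= RELOAD_VELOCITY_COUNT:
                    found.add("reload_velocity")
                # Rule: balance drained to another card, then refilled from the linked bank card.
                if last_drain is not None and e.ts - last_drain <= DRAIN_TO_RELOAD_WINDOW:
                    found.add("drain_then_reload")
            # Rule: money movement shortly after a password reset.
            if (e.kind in MONEY_KINDS and last_reset is not None
                    and e.ts - last_reset <= RESET_TO_MONEY_WINDOW):
                found.add("money_after_password_reset")
            prev_activity = e.ts
        if found:
            alerts[acct] = sorted(found)
    return alerts


# Constructed sample log modelled on the cases described in the article.
SAMPLE_EVENTS = [
    # Dormant account: drained, reloaded from linked card, drained again, twice.
    Event("acct-euer", datetime(2015, 1, 10, 12, 0), "login"),
    Event("acct-euer", datetime(2016, 2, 13, 16, 0), "transfer_out", 50.0),
    Event("acct-euer", datetime(2016, 2, 13, 16, 2), "reload", 100.0),
    Event("acct-euer", datetime(2016, 2, 13, 16, 3), "transfer_out", 100.0),
    Event("acct-euer", datetime(2016, 2, 13, 16, 5), "reload", 100.0),
    Event("acct-euer", datetime(2016, 2, 13, 16, 6), "transfer_out", 100.0),
    # Dormant account: password reset, then three reloads in three minutes.
    Event("acct-anon", datetime(2014, 12, 1, 9, 0), "login"),
    Event("acct-anon", datetime(2016, 2, 14, 9, 0), "password_reset"),
    Event("acct-anon", datetime(2016, 2, 14, 9, 5), "reload", 100.0),
    Event("acct-anon", datetime(2016, 2, 14, 9, 6), "reload", 100.0),
    Event("acct-anon", datetime(2016, 2, 14, 9, 7), "reload", 100.0),
    Event("acct-anon", datetime(2016, 2, 14, 9, 10), "transfer_out", 300.0),
    # Ordinary weekly coffee buyer: should produce no alert.
    Event("acct-regular", datetime(2016, 2, 12, 8, 0), "reload", 25.0),
    Event("acct-regular", datetime(2016, 2, 12, 8, 5), "purchase", 4.5),
    Event("acct-regular", datetime(2016, 2, 19, 8, 0), "reload", 25.0),
]


def run_sample() -> Dict[str, List[str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for acct, rules in run_sample().items():
        print(acct, "->", ", ".join(rules))
```

None of these rules should block a transaction outright on its own; a legitimate customer also resets a forgotten password and then tops up. The point is that each fired rule is cheap to compute from data the operator already holds, and a combination such as dormancy plus drain-then-reload plus reload velocity is a strong signal to hold the transfer and send the account holder an out-of-band confirmation before the balance leaves.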
Another consumer who requested anonymity told me her Starbucks card was used to load three new gift cards with $100 using money from her Chase account. Her Starbucks account password was changed using the password reset tool, and then the transactions were initiated, she said.
"It was Sunday on a three-day weekend," the victim said. "Fortunately I have text alerts set up."
When she called Chase, she says the operator told her it was "a common scam."
She said she then spent hours feeling frustrated and examining all other online transactions. She wishes Starbucks would add additional security measures, she said.
"If they knew about this and they haven't ... that's really irresponsible," she said. "This could have been prevented. How can you put your customers in danger like this? ... I am furious and am spending today closing accounts and changing all my passwords."
There are plenty more recent victims complaining about being hacked on this Facebook page:
Such as: "I had $300 stolen on November 23, 2015. It's still happening. I am relying on PayPal to resolve the issue. After this, no more Starbucks! Never!"
and
"Mine was done on the (Jan. 3). They used my Discover card and bought $95 in reloads with 2 transactions. I caught it (because) I was returning a jacket online and wanted to see if I used that card due to Christmas (credit card) confusion. I'm pissed! My whole cc account is shut down and have to wait on new card."
RED TAPE WRESTLING TIPS
Navarro and the anonymous victim said they hadn't used their Starbucks card/app in at least a year, and Euer said her account was protected by an old password. If you reject my advice on disconnecting payment account information from the app, at least do so if you are an infrequent app user.
At a bare minimum, follow Starbucks' advice to change your password frequently. Since the firm's back-end controls seem weaker than many bank fraud-fighting tools, you should use even greater care with your Starbucks account than you do with your checking or savings account.
Meanwhile, don't assume Starbucks or your bank will spot suspicious transactions. Scan your app and your bill for suspicious transactions frequently.
UPDATE 3/4/16: Here is what Starbucks is telling other journalists, courtesy of Weisbaum and KOMO. Click on that link to listen to Herb's report.
Occasionally, we find unauthorized activity connected to a customer’s online account. This type of activity is not caused by a breach or hack of our website or apps or card, but rather when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.
This is an industry wide challenge, though it is not and has never been a widespread or systemic situation for Starbucks.
Over the last year, our security and fraud prevention improvements have reduced fraudulent activity in our business to a level significantly below industry average; a number that continues to decline as we implement additional measures.
In fact, we see only a tiny fraction of one percent of our account holders impacted. In any case, customers are not responsible for charges or transfers they did not make.