What businesses can learn about cybersecurity from the Starbucks gift card security incident

It is hard to recall a week that has gone by where a major brand name company has not been in the news for a cybersecurity hack. Recently, that major brand name company was Starbucks, but the news outlets might have been a little too quick on the draw to deem the incident a “hack”. 

The incident manifested when multiple Starbucks customers saw the balances on their Starbucks cards emptied and then topped up again. All affected customers were similar in that: (1) they had all chosen to tie their debit card accounts to their Starbucks cards, i.e., were using the same ID and password across multiple accounts; and (2) they had used the Starbucks mobile app's auto-load function. One theory that floated around was that all these customers reused their Starbucks account password at another site that got hacked, and the hackers merely tried the account credentials at popular websites, including Starbucks, knowing that many account holders use the same log-in credentials across sites. This type of attack is known as a brute force attack.

Brute force works like this: First, the potential intruders buy stolen passwords and IDs on the underground market. Then, they use an automated program to try the stolen combinations one after another on the app they are trying to penetrate – in this case the Starbucks mobile app – until one works. These programs can try hundreds of ID-password combinations a second. The brute force tactic was successful in this case because the Starbucks app did not limit the number of password attempts a customer could make before being locked out.

Once the intruders accessed a target account, they were able to add a new gift card, to which they then transferred whatever money the victim had loaded onto the account. This technique allowed the thieves to quickly steal all the money on a user’s app by moving it onto a gift card they controlled.

Once the story was leaked, the news media outlets were quick to judge Starbucks and announce that Starbucks had been hacked. But had it? Starbucks immediately announced that the unauthorized activity was not the result of any hack or malicious intrusion of its mobile applications and servers.

According to Starbucks’ Newsroom:
News reports that the Starbucks mobile app has been hacked are false…. Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.

That was the report on May 13, 2015. Since then, however, Starbucks has apparently changed its tune…a little. The company now claims the incident was the result of “fraudulent activity,” though it is not using the words “hack” or “breach.” 

Is this all about the ability to buy espressos and lattes?
No. In most cases, the intruders will re-sell the cards on the Internet for face value or less, meaning they will eventually be paid in real money, not (coffee) beans. 

What is different about this fraudulent activity via brute force and what happened in Target and Home Depot?
In the Starbucks incident, the intruders stole a password and then used it to steal money from an account. That information was collected, packaged and sold on underground, online markets to people who then monetized it by pulling money out of a Starbucks app. In the Target and Home Depot incidents, the attackers actually breached the retailers’ networks and stole consumer information. 

What happens to the Starbucks consumers whose Starbucks app accounts were violated?
As Starbucks told USA TODAY in an email: “Customers are not responsible for charges or transfers they did not make and if a customer's card is registered, their account balance is protected. If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.” 

Here are the additional security precautions Starbucks issued on its website:

• Creating passwords made up of long phrases or sentences that mix capital and lowercase letters, numbers, and symbols.
• Using different passwords for different sites, especially those that keep financial information.
• Changing passwords often.

Lost or Stolen Device
• If a customer believes their device has been lost or stolen, immediately change passwords for financial and personal accounts to prevent any identity theft or fraud.

Stay Alert
• Regularly review bank statements for suspicious activity. If something is in error, immediately report that to your financial institution.
• If you see any suspicious activity on your Starbucks Card or mobile app, please immediately notify Starbucks customer service at 1-800-STARBUC.

We certainly agree that these measures are extremely important in protecting personal information, but we think it goes without saying that companies using mobile applications should also limit the number of times a user can attempt to log in before the user is locked out.
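
The attempt limit recommended above, which the automated replay described earlier never ran into, shown as an added example (not code from Starbucks or from this post). It goes one step beyond a per-account lockout by also counting failures per source address, because a replayed list of stolen combinations spends only one attempt on each account. The class name, thresholds, addresses and sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limit on failed logins, per account and per source address."""
    def __init__(self, max_per_account=5, max_per_source=20, window=300, lockout=900):
        self.limits = {"account": max_per_account, "source": max_per_source}
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds a key stays blocked
        self.failures = defaultdict(deque)   # (kind, key) -> failure timestamps
        self.blocked_until = {}              # (kind, key) -> time the block ends

    def allowed(self, account, source, now):
        """Call before checking the password; False means reject outright."""
        keys = (("account", account), ("source", source))
        return all(self.blocked_until.get(k, 0) <= now for k in keys)

    def record_failure(self, account, source, now):
        """Count one failed attempt and block any key that reaches its limit."""
        for k in (("account", account), ("source", source)):
            q = self.failures[k]
            q.append(now)
            while q and q[0] <= now - self.window:   # drop failures outside the window
                q.popleft()
            if len(q) >= self.limits[k[0]]:
                self.blocked_until[k] = now + self.lockout
                q.clear()

    def record_success(self, account):
        """A good login resets the account counter, not the source counter."""
        self.failures.pop(("account", account), None)

def simulate(attempts, throttle):
    """Replay (time, account, source, password_ok) tuples; return each outcome."""
    outcomes = []
    for now, account, source, ok in attempts:
        if not throttle.allowed(account, source, now):
            outcomes.append("blocked")
        elif ok:
            throttle.record_success(account)
            outcomes.append("success")
        else:
            throttle.record_failure(account, source, now)
            outcomes.append("failed")
    return outcomes

# Constructed sample: one source replays a list, one attempt per account, ten per
# second; the 23rd pair is valid but arrives after the source limit has tripped.
REPLAY = [(i / 10, f"user{i}@example.com", "203.0.113.7", i == 22) for i in range(25)]
if __name__ == "__main__":
    print(simulate(REPLAY, LoginThrottle()))
```

A hard account lockout can itself be used to lock legitimate customers out, so deployments often pair limits like these with increasing delays or an extra verification step rather than relying on lockout alone.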

Another helpful security measure lets users enable two-step authentication, which sends a text message to the user's phone whenever someone signs in from a new device. This added layer of security would have protected Starbucks customers by informing them that changes were being made to their accounts. This would have allowed users time to get in front of the issue.
