Wednesday, May 13, 2015
Hackers Hit Starbucks Mobile Users to Steal Credit Card Credentials
Credit card hackers are targeting Starbucks gift card and mobile payment users and stealing from consumers' credit cards. This new scam is so ingenious, the cyber criminals don't even need to know the account number of the card they are hacking! By taking advantage of the Starbucks auto-reload feature, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, it can escalate quickly.
"This hack underscores the need for companies to protect all of the sensitive information they hold on their customers," said Brendan Rizzo, technical director EMEA, HP Security Voltage. "Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash. In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks. Beyond the threat to customers' sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks."
"16 Million Starbucks customer who utilize their mobile payment service may have been compromised as part of a organized attack," observed Stephen Coty, chief security evangelist, Alert Logic. "There have been reports of the mobile app being manipulated to hijack funds once the mobile device is reloaded with funds from a credit or gift card. There has been conversations through Twitter about customers seeing fraud taking place with their Starbucks accounts. Starbucks has said that they process approximately $2 billion in mobile payments
"The timing of this attack is very interesting since, just about a week ago, Starbucks had an issue in their stores with their payment system not allowing for the processing of credit cards. Makes you think what exactly happened to the payment system that shut down the service for a day and gave attackers an opportunity to compromise a part of their system."
Gavin Reid, VP of threat intelligence, Lancope, points out that, "Nothing too new here – if you guess the username and password for an account that is backed by you bank bad things can and will follow. This highlights problems with using consumer cards and accounts that are backed up with either a high limit credit card or even worse the current checking account. Ideally vendors would make this form of compromise harder by using multi factor authentication and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss. This type of small amount theft can be automated reusing already exposed credentials. Consumers can protect themselves by setting hard to guess unique passwords."