
Credit card hackers are targeting Starbucks gift card and mobile payment users around the country — and stealing from consumers’ credit cards — with a new scam so ingenious they don’t even need to know the account number of the card they are hacking.

Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, Starbucks customers should consider disabling auto-reload on the Starbucks mobile payments and gift cards.

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.

Maria Nistri, 48, was a victim last week. Criminals stole the $34.77 in value the Orlando woman had loaded onto her Starbucks app, then another $25 after it was auto-loaded onto her card because her balance hit 0. Then the criminals upped the ante, changing her auto-reload amount to $75 and stealing that amount, too. All within seven minutes.

“I don’t know why Starbucks would recommend people do auto-reload when this crime is so easy,” she said.

The trouble started at 7:11 a.m. on Wednesday when she received an automated email saying her username and password had been changed, and if she hadn’t authorized the change, she should call customer service. She tried, but the number she called notified her an operator couldn’t answer until 8 a.m.

“Whoever did this knew the right time to do it,” she said.

Next, she picked up her phone and launched the Starbucks app. By then, there was a “debit” notice showing her $34 was gone. As she watched in real-time, trying to figure out what was happening, thieves stole $25 and another $75 in quick succession.

“It was crazy. I was like, what in the world?” Nistri said. “I was lucky I happened to check my email when I did, otherwise who knows how much they would have gotten.”

In effect, the hackers stole from her credit card, through the gift card loaded onto her Starbucks app, without having to touch her phone or even know her credit card number. And Nistri is not alone. It’s easy to find consumers complaining about similar app/gift card/credit card hacks all over the Internet.

“I got an email this morning that my username and password got changed,” writes one victim on a Facebook page devoted to the issue. The post is dated May 6, the same day as Nistri’s incident. “I checked my balance and $27.41 got wiped out.”

“I just got hacked! $163 in gift cards removed from my account,” complained another from earlier this month.

“My account was hacked this morning,” said another on April 24. “They got my balance and tried to reload the card with the saved credit card but the bank stopped it. Had all the hassle of canceling the credit card, and also because my address and email and phone number was on there, put in a fraud alert to the credit report companies as well just in case. While the lady who did customer service on the phone for Starbucks was great, this is RUBBISH from Starbucks. Has to be a vulnerable app.”

How It (Likely) Works

Because Starbucks isn’t answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card.

Hackers often manage to steal huge groups of username and password combinations, the way they steal databases of credit card account numbers. Because consumers often re-use credentials, hackers take them and “brute force” thousands of potential logins at the website. Because Starbucks’ mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts.

Criminals could also be stealing credentials in other ways — through phishing emails, or keylogging programs.

Once logged in, criminals have several options for draining card values and helping themselves to victims’ debit or credit cards.

Starbucks allows consumers to transfer balances from one gift card to another, or to combine balances from multiple cards onto a single card. A criminal who controls a Starbucks card can move a balance from a victim’s card to a card they control. The hackers’ cards — or the electronic codes behind them — can then be sold on the black market for cash.

Victim accounts with auto-load enabled can turn the theft of a seemingly innocuous $10 or $20 account into a much more serious crime.

Transferring the balance from the consumers’ card to the hackers’ card requires one additional authentication step: Users at Starbucks.com/card are sent a verification code to their email address which they must enter before the transfer is complete. That means a would-be card hacker must control the email account associated with the Starbucks card. But that step is trivial, because a hacker with control of the Starbucks account can simply change the email address used for the verification code. I was able to change my associated email address to a second email and transfer my balance to a new card within a few moments.

The victim consumer gets notice that their email address has changed, but as Nistri’s story shows, even instant response to such an email isn’t always good enough to stop a fraud.
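The sequence described above (credentials changed, then value moved out minutes later, then the auto-reload amount raised so more can be pulled from the linked card) is exactly the kind of pattern a payments backend can hold for review. The following is an added example, not Starbucks’ code; the event names, the 24-hour cooling-off window, the velocity threshold and the timeline are all assumptions constructed to mirror Nistri’s account of the incident.

```python
from datetime import datetime, timedelta

# Assumed event names and thresholds for the example; a real backend has its own.
SENSITIVE = {"transfer_balance", "send_egift", "set_autoreload_amount"}
CONTROL_CHANGE = {"change_password", "change_email"}
COOL_OFF = timedelta(hours=24)           # hold value moves this long after a control change
VELOCITY_WINDOW = timedelta(minutes=15)  # two or more value moves in this window is suspicious

def evaluate(history, action, at, amount=0.0, current_autoreload=0.0):
    """Score one attempted action against earlier events (dicts with "type", "at", "amount").
    Returns (allow, reasons); only value-moving actions are scored, the rest pass through."""
    if action not in SENSITIVE:
        return True, []
    reasons = []
    # The article's pattern: password or email changed, then value pulled out minutes later.
    changes = [e for e in history if e["type"] in CONTROL_CHANGE and at - e["at"] < COOL_OFF]
    if changes:
        age = at - max(e["at"] for e in changes)
        reasons.append(f"control change {int(age.total_seconds() // 60)} min before a value move")
    # Several drains in quick succession (the $34.77, then $25, then $75 within seven minutes).
    recent = [e for e in history if e["type"] in SENSITIVE and at - e["at"] < VELOCITY_WINDOW]
    if len(recent) >= 2:
        reasons.append(f"{len(recent)} earlier value moves within {VELOCITY_WINDOW.seconds // 60} min")
    # Raising auto-reload sharply lets more be pulled from the linked card on the next drain.
    if action == "set_autoreload_amount" and current_autoreload and amount > 2 * current_autoreload:
        reasons.append(f"auto-reload raised from {current_autoreload:.2f} to {amount:.2f}")
    return not reasons, reasons

def replay(events, current_autoreload=25.0):
    """Run a timeline through evaluate(); returns [(action, amount, allowed, reasons), ...]."""
    history, out = [], []
    for e in events:
        allowed, why = evaluate(history, e["type"], e["at"], e["amount"], current_autoreload)
        out.append((e["type"], e["amount"], allowed, why))
        history.append(e)  # attempts are logged whether or not they went through
    return out

def ts(hhmm):
    return datetime(2015, 5, 6, int(hhmm[:2]), int(hhmm[3:]))

# Constructed timeline modelled on the incident in the article (times approximate, not real logs).
TIMELINE = [
    {"type": "change_password", "at": ts("07:11"), "amount": 0.0},
    {"type": "change_email", "at": ts("07:12"), "amount": 0.0},
    {"type": "transfer_balance", "at": ts("07:13"), "amount": 34.77},
    {"type": "transfer_balance", "at": ts("07:15"), "amount": 25.00},
    {"type": "set_autoreload_amount", "at": ts("07:16"), "amount": 75.00},
    {"type": "transfer_balance", "at": ts("07:18"), "amount": 75.00},
]
```

Running `replay(TIMELINE)` lets the two credential changes through but holds every value move that follows them, and the $75 auto-reload change trips all three checks at once.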

Another Version of the Crime

In another variation on the crime, hackers use a hijacked account to order themselves gift cards which can be emailed to accounts they control. Consumers complained about that on Facebook, also.

“Yesterday, April 22, I received emails that I had sent $200 worth of e-gift cards to some dirt bag,” said one victim. “My Paypal account is linked to my Android app for Starbucks. I called SB and the rep apologized, deactivated the gift cards, and transferred me to Paypal. Paypal is working to reverse the charges. Really awful what people will get up to. Hopefully Starbucks will defend against this better in the future.”

Criminals have begun training their attention away from financial institutions and on third-party firms because they are easier to hack than banks, said Avivah Litan, a fraud analyst at consultancy Gartner.

“Fraud is moving away from banks into big ecommerce companies,” she said. “Criminals are learning how to turn rewards programs, points and prepaid cards into cash.”

What Starbucks Says

Starbucks said it could not discuss individual accounts, but offered this response.

“If a customer believes their account may be subject to fraudulent activity, we encourage them to contact us and their financial institution immediately. Our Customer Care hotline hours are Mon-Fri 5 AM – 8 PM (PST) and Sat –Sun 6 AM – 4 PM (PST), however customers can access their online accounts 24 hours a day to make any updates. Additionally, customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks. As soon as we were contacted by the customer of this activity, we worked quickly to resolve her concerns,” she added.

“We also encourage our customers to follow several best practices to help ensure their information is as protected as possible, such as using different user name/passwords for different sites and changing their passwords often.”

Starbucks says consumers won’t be responsible for charges in situations like these, but it’s unclear what level of consumer protection consumers would be legally entitled to. Because their credit card accounts aren’t actually compromised and their cards aren’t stolen, it’s unclear whether standard “Regulation E” credit card liability protections would apply. Prepaid card users don’t enjoy the same level of consumer protection.

While Nistri said Starbucks was quick to give her a new gift card with $37.44 on it, she was disappointed to learn on Friday that the $25 and $75 charges had gone through on her American Express card, and it would be up to her to dispute them – even though she reported them almost immediately to Starbucks.

“It is harmless outside of inconvenience,” Nistri said. “But the potential of this crime is ridiculous. I’ll never have auto-reload on anything again.”

Red Tape Wrestling Tips

Protect your Starbucks account the way you protect your bank account. If the convenience of auto-reload is just too irresistible for you — and admittedly, it is convenient — then you must use a very strong password on your Starbucks account. Your Starbucks account is your credit card when you link the two. So use a strong password and be on the lookout for fraudulent transactions related to your account.


Image: iStock; Inset image courtesy Maria Nistri
