Criminals have targeted Starbucks gift card and mobile app users. In this fraud, criminals have drained victims' accounts by using the auto-reload feature of Starbucks prepaid gift-card apps linked to consumers' checking, credit-card, or PayPal accounts. Consumer reporter Bob Sullivan first reported the fraud:
"Maria Nistri, 48, was a victim this week. Criminals stole the Orlando woman’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."
Other customers have reported fraud this month. The coffee retail chain has had problems before with its mobile app. Starbucks announced in January 2014 a security update to its mobile app after the data of 10 million customers was exposed. Sullivan explained how criminals perpetrate the latest mobile gift-card fraud:
"Because Starbucks isn’t answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card."
So, the fraud suggests that criminals have already stolen large numbers of Starbucks customers' usernames and passwords, perhaps by keylogging malware, phishing e-mails, phishing texts, vulnerabilities in the mobile app, brute-force password attacks (since many consumers use the same password at multiple sites), or a combination. Starbucks claims its mobile app has not been hacked and the problem is not widespread.
Some banks have flagged multiple reloads through checking accounts and temporarily closed victims' accounts to stop the theft. Security experts fault Starbucks for not using two-factor authentication for gift-card reloads and for not flagging multiple reloads of consumers' cards within minutes.
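The missing control the experts describe, flagging several reloads within minutes, can be sketched as a sliding-window rule. This is an added example, not code from Starbucks or from Sullivan's report; the event names, thresholds, account IDs and timestamps are assumptions, and the sample events are constructed from the amounts in the timeline quoted above.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_RELOADS = 1                 # assumed: a second reload inside the window is suspicious

# Constructed events (timestamps invented); acct-1 follows the quoted timeline,
# acct-2 is a normal customer who reloads twice in one day.
EVENTS = [
    ("2015-05-12T09:00:00", "acct-1", "spend", 34.77),
    ("2015-05-12T09:01:10", "acct-1", "auto_reload", 25.00),
    ("2015-05-12T09:02:30", "acct-1", "spend", 25.00),
    ("2015-05-12T09:04:00", "acct-1", "reload_amount_changed", 75.00),
    ("2015-05-12T09:05:15", "acct-1", "auto_reload", 75.00),
    ("2015-05-12T09:06:40", "acct-1", "spend", 75.00),
    ("2015-05-12T08:00:00", "acct-2", "auto_reload", 25.00),
    ("2015-05-12T17:30:00", "acct-2", "auto_reload", 25.00),
]

def flag_accounts(events, window=WINDOW, max_reloads=MAX_RELOADS):
    """Return {account: [reasons]} for accounts whose reloads should be held for review."""
    recent = {}  # account -> deque of (time, kind) still inside the window
    alerts = {}
    for ts, acct, kind, _amount in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent.setdefault(acct, deque())
        while q and now - q[0][0] > window:  # expire events older than the window
            q.popleft()
        if kind == "auto_reload":
            reloads = sum(1 for _, k in q if k == "auto_reload") + 1
            if reloads > max_reloads:
                alerts.setdefault(acct, []).append(f"{reloads} reloads within {window}")
            if any(k == "reload_amount_changed" for _, k in q):
                alerts.setdefault(acct, []).append("reload right after reload amount was changed")
        if kind in ("auto_reload", "reload_amount_changed"):
            q.append((now, kind))
    return alerts

if __name__ == "__main__":
    for acct, reasons in flag_accounts(EVENTS).items():
        print(acct, reasons)
```

A flagged account is a natural point to require the second authentication factor before the next reload is charged.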
Security experts advise consumers:
- Use strong passwords and don't use these weak passwords.
- Don't use the same username and password at multiple websites and mobile apps.
- Change your passwords every 90 days.
Be very careful about enabling auto-reload features with prepaid cards, or disable them. Instructions to disable the auto-reload feature are available at the Starbucks site.
Criminals love prepaid cards because they are a source of cash. You now know the risks of ignoring this advice. The whole situation is a reminder that Apple-branded mobile devices can be hacked, too.