
Security News for the Week Ending January 3, 2020

Starbucks Leaves Their API Key in a Public GitHub Repository

Vulnerability hunter Vinoth Kumar found a Starbucks API key in a public GitHub repo.

The finding was rated CRITICAL after Starbucks verified that the key gave anyone holding it access to their JumpCloud directory (JumpCloud is a cloud directory service, an alternative to Active Directory).

The problem was reported on October 17th, and it took Starbucks several weeks to understand how bad the damage was.  The key was revoked within 4 days, but still, best practice would have that closer to 60 minutes.  That, to me, is a failure on Starbucks’ (and probably most companies’) part.  After all, the key, as demonstrated in a proof of concept, would have allowed a hacker to take over Starbucks’ AWS account.  They paid Kumar a bug bounty of $4,000.  They definitely got away cheap.  Source: Bleeping Computer
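The lesson from this story is that a key pushed to a public repo is exposed the moment it lands, so the cheap fix is to catch it before the push.  The following is an added example, not Starbucks’ tooling and not taken from the Bleeping Computer report: a minimal pre-commit style secret scanner that combines one well-documented key shape (the AWS access key ID prefix) with a generic high-entropy check on assignments whose variable name looks sensitive.  The sample input is constructed; the hex token is a random-looking string chosen for the example and is not a real JumpCloud key format, and the entropy and length thresholds are assumptions to tune per repository.

```python
import math
import re

# Constructed sample of file contents as they might appear in a diff.
# No real credentials: the AWS-shaped value is the documented placeholder
# form, the hex value is made up and the variable name only echoes the story.
SAMPLE = """\
export JUMPCLOUD_API_KEY=3f9c2b7e5a1d4c8f9e0b6a2d7c1e5f8a9b3d2c4e
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
# comment about the build
version = "1.2.3"
db_password = "changemechangemechangeme"
"""

# Known key shapes.  Only well-documented ones belong here; anything else is
# left to the entropy heuristic below.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic heuristic: an assignment whose name looks sensitive and whose value
# is a long token with high Shannon entropy.  Thresholds are assumptions.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*['"]?(?P<value>[A-Za-z0-9+/=_\-]{20,})['"]?"""
)
SENSITIVE_NAME = re.compile(r"(key|secret|token|passw)", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per character


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan(text: str) -> list:
    """Return (line_number, finding_type, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, label, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m and SENSITIVE_NAME.search(m.group("name")):
            value = m.group("value")
            # Do not report a value twice if a known pattern already caught it.
            if any(f[0] == lineno and f[2] == value for f in findings):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_secret", value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value[:8]}...")
```

Note what the run shows: the hex token and the AWS-shaped key are both reported, while the repeated placeholder password on the last line is not, because its entropy is low.  That miss is the known limit of the heuristic, which is why a real deployment pairs it with a blocklist and with revocation automation so that a key that does slip through is dead in minutes rather than days.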


Location Data Can Put Employee Safety At Risk

On the heels of a story in which reporters were able to identify Secret Service agents travelling with the President, including figuring out where they lived, using commercially available location data (see the story from earlier this week about colleges collecting thousands of location data points per day on each student), comes another story about the hazards of location data.

As companies isolate teams to mask R&D, M&A and other sensitive activities, the location data sent by apps allows anyone with access to that data to de-compartmentalize those activities and understand exactly what companies are doing, who they are talking to, who their vendors are, possibly what technology areas they are interested in, etc.  Executives are often the worst behaved users and often generate the biggest digital exhaust because they do not understand how the apps work or what the consequences are.

Since companies have moved to BYOD and can no longer control what apps a user installs or what data those apps exhaust, they have very little control over the problem.  Some apps have been found to send out over a thousand data points per app, per person, per day.  To servers in China.  What could possibly go wrong?

The only way to counteract this is via employee education.   Source: ZDNet


Travelex Knocked Offline by Cyber Attack

Travelex, the currency exchange company, was knocked offline by some sort of cyber attack.  As seems to be the case much of the time, the company decided that staying silent and not telling anyone what is going on would make things better.  In one way they are right, since they are not giving the lawyers who will be suing them any information now.  That will wait until the lawsuits are filed.

One of the services that Travelex offers is a stored-value prepaid card called the Money Card, which they sell to travelers as the safest way to carry money.  For current Money Card customers it is now super safe in one sense: nobody, including the cardholder, can get at the money.  Which could be a problem if you are traveling and need access to your cash.

In addition, banks that use Travelex as their currency exchange service are also offline.  Travelex is a huge player in this space, so their being down is a big problem.

The attack hit them on New Year’s Eve and as of the night of January 3rd, they are still offline.  This could have a long term impact on their business, and some commercial customers might choose to leave them.

The silence only makes it worse.  They likely did not have a disaster recovery/business continuity plan – at least not one that works.  And, I am sure that regulators in many, many countries will be asking questions.  Source: Threatpost


Guess How Long It Takes For Hackers to Test Your Stolen Credit Card Once it is on the Dark Web?

A researcher decided to test how long it takes for your credit card to be tested after it is posted for sale on the dark web.  It turns out the test was a little harder to conduct than the researcher thought, since everyone buying and selling on the dark web is, how shall I say this, A TAD BIT SUSPICIOUS OF EVERYONE ELSE.

Once he got past that problem, it turns out the answer is about two hours.  That is not very comforting.  Hackers buying the stolen cards want to know if they are any good, so they make very small purchases, figuring most people won’t bother to track down a $0.50 transaction that they don’t recognize.

Two Hours is not very long and a bit of a surprise to me.  Source: Bleeping Computer
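The micro-purchase step is also the defender’s best signal: a run of sub-dollar authorizations from many different cards at one merchant inside a few minutes is the fingerprint of card testing, and the cards that pass are the ones about to see a real charge.  The following is an added example of that detection logic, not code from the researcher or from the Bleeping Computer story.  The authorization log is constructed, the card IDs are placeholders rather than real PANs, and the amount, window and card-count thresholds are assumptions an issuer would tune against their own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log: (timestamp, card_id, merchant, amount_usd).
# Card IDs are placeholders, not card numbers.
AUTHS = [
    ("2020-01-02 09:00:00", "card-001", "grocery-store", 54.10),
    ("2020-01-02 10:15:00", "card-017", "shady-ebook-shop", 0.50),
    ("2020-01-02 10:16:30", "card-042", "shady-ebook-shop", 0.49),
    ("2020-01-02 10:17:05", "card-099", "shady-ebook-shop", 0.50),
    ("2020-01-02 10:18:40", "card-123", "shady-ebook-shop", 0.51),
    ("2020-01-02 10:20:00", "card-017", "electronics-mart", 899.00),
    ("2020-01-02 11:00:00", "card-001", "coffee-shop", 0.75),
    ("2020-01-02 14:00:00", "card-555", "coffee-shop", 0.60),
]

MICRO_AMOUNT = 1.00            # assumption: "tiny" test purchase threshold
WINDOW = timedelta(minutes=30)  # assumption: burst window
MIN_DISTINCT_CARDS = 3          # assumption: distinct cards per merchant per window


def parse(rows):
    """Convert the string timestamps into datetimes, keeping the other fields."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), card, merchant, amt)
        for ts, card, merchant, amt in rows
    ]


def find_card_testing_merchants(rows):
    """Merchants at which >= MIN_DISTINCT_CARDS distinct cards made
    micro-authorizations inside one WINDOW, mapped to the cards involved."""
    micro = defaultdict(list)
    for ts, card, merchant, amt in sorted(parse(rows)):
        if amt < MICRO_AMOUNT:
            micro[merchant].append((ts, card))
    flagged = {}
    for merchant, events in micro.items():
        # Slide a window starting at each micro-auth; events are time-ordered.
        for i, (start, _) in enumerate(events):
            cards = {c for t, c in events[i:] if t - start <= WINDOW}
            if len(cards) >= MIN_DISTINCT_CARDS:
                flagged[merchant] = sorted(cards)
                break
    return flagged


def cards_to_review(rows, flagged):
    """Cards that passed a test at a flagged merchant are likely confirmed-live
    stolen cards; return them plus any later, larger authorization elsewhere."""
    parsed = sorted(parse(rows))
    first_seen = {}
    for ts, card, merchant, amt in parsed:
        if merchant in flagged and card in flagged[merchant] and card not in first_seen:
            first_seen[card] = ts
    later_big = [
        (card, merchant, amt)
        for ts, card, merchant, amt in parsed
        if card in first_seen
        and ts > first_seen[card]
        and merchant not in flagged
        and amt >= MICRO_AMOUNT
    ]
    return sorted(first_seen), later_big


if __name__ == "__main__":
    flagged = find_card_testing_merchants(AUTHS)
    suspect, big = cards_to_review(AUTHS, flagged)
    print("card-testing merchants:", flagged)
    print("cards to hold:", suspect)
    print("follow-on charges to decline:", big)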

Your Starbucks Card Is A Hacking Target

CNN is reporting that hackers have found yet another opportunity.  After breaking into your Starbucks app account, they add new cards to it, then use the bank account on file to load them.  Starbucks has acknowledged that this is happening, but says that they were not hacked.  Customers’ bank accounts are getting drained, however.

Apparently, the way it works is this.  The hackers find Starbucks users with weak passwords for their Starbucks app and use the reload feature to add new GIFT cards to the account.  They then transfer funds over using the bank account attached to the Starbucks Rewards account.

Users get an email when these gift card transfers are made, assuming the email address attached to their Starbucks Rewards account is valid and one they actually check, so they can go through the process of trying to get their money back from either Starbucks or their bank.  Now that it is public, Starbucks is saying they will make people whole.

There is no law that requires Starbucks or any other reward program to reimburse you.  If the rewards card hits your credit card, you can go back to your credit card company to ask for a reimbursement, but debit cards, checking accounts and business bank accounts each have different rules.

While the thefts have been small per user so far – typically in the hundreds of dollars – it is a hassle for users to deal with.

And, apparently, disabling auto-reload is not enough – the thieves have been turning it back on.

Since it appears that the thieves are guessing passwords, your best defense is to make your password something other than Coffee or 123456.  Obviously, removing the attached bank account from your rewards account also solves the problem, but makes the card less useful.

This is really only important in the bigger context (except to those folks whose accounts were hacked, of course).
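Password guessing at this scale leaves a very visible trace on the server side: one source trying many accounts with mostly failures, then an immediate card add or auto-reload change on the few that succeed.  The following is an added example of what that detection and the weak-password check look like in code; it is not Starbucks’ code and the log format, event names, thresholds and password blocklist are all assumptions made for the example.  The log lines are constructed, with documentation-range IPs and placeholder usernames.

```python
from collections import defaultdict

# Constructed auth/event log in a made-up "timestamp ip user event" format.
# IPs are from documentation ranges; usernames are placeholders.
LOG = """\
2020-01-02T08:00:01Z 203.0.113.9 alice login_fail
2020-01-02T08:00:02Z 203.0.113.9 bob login_fail
2020-01-02T08:00:02Z 203.0.113.9 carol login_fail
2020-01-02T08:00:03Z 203.0.113.9 dave login_ok
2020-01-02T08:00:04Z 203.0.113.9 erin login_fail
2020-01-02T08:00:05Z 203.0.113.9 frank login_fail
2020-01-02T08:00:09Z 203.0.113.9 dave card_added
2020-01-02T08:00:11Z 203.0.113.9 dave autoreload_enabled
2020-01-02T08:05:00Z 198.51.100.7 alice login_fail
2020-01-02T08:05:20Z 198.51.100.7 alice login_ok
2020-01-02T09:00:00Z 192.0.2.44 grace login_ok
"""

# Assumptions for the example; a real deployment tunes these and uses a
# full breached-password list rather than this tiny blocklist.
COMMON_PASSWORDS = {"123456", "12345678", "password", "coffee", "starbucks", "qwerty"}
MIN_DISTINCT_USERS = 5   # one IP trying at least this many accounts...
MAX_OK_RATIO = 0.5       # ...and mostly failing
RISKY_EVENTS = {"card_added", "autoreload_enabled"}


def parse_log(text):
    """Split each line into (timestamp, ip, user, event)."""
    return [tuple(line.split()) for line in text.splitlines()]


def spraying_ips(events):
    """IPs that attempted many distinct accounts with a low success rate."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for _, ip, user, event in events:
        if event in ("login_fail", "login_ok"):
            per_ip[ip]["users"].add(user)
            per_ip[ip]["fail" if event == "login_fail" else "ok"] += 1
    result = set()
    for ip, s in per_ip.items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= MIN_DISTINCT_USERS and s["ok"] / total <= MAX_OK_RATIO:
            result.add(ip)
    return result


def compromised_accounts(events):
    """Accounts whose successful login came from a spraying IP, mapped to the
    risky account changes (new card, auto-reload turned back on) made from
    that same IP afterwards.  Events are assumed to be in time order."""
    bad_ips = spraying_ips(events)
    hits = {}
    for _, ip, user, event in events:
        if ip not in bad_ips:
            continue
        if event == "login_ok":
            hits.setdefault(user, [])
        elif user in hits and event in RISKY_EVENTS:
            hits[user].append(event)
    return hits


def is_weak_password(pw):
    """Reject the trivially guessable passwords this attack relies on:
    a blocklist hit or anything shorter than 12 characters (assumed minimum)."""
    return len(pw) < 12 or pw.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    events = parse_log(LOG)
    print("spraying IPs:", spraying_ips(events))
    print("accounts to lock and review:", compromised_accounts(events))
    for candidate in ("Coffee", "123456", "correct horse battery staple"):
        print(repr(candidate), "weak" if is_weak_password(candidate) else "ok")
```

The point of the second function is the one the article makes about auto-reload being turned back on: a login from a spraying source followed by a card add or reload change is the moment to lock the account and void the transfer, not the moment the customer notices an email.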

Starbucks CEO Howard Schultz says they want to turn your Starbucks Rewards app into a new digital wallet, with Starbucks offering other retailers the ability to let their customers use their Starbucks card to pay for say, a hamburger or a beer.  I assume that Starbucks would make a cut on the deal.  If Starbucks wants to be in that business, their app needs to be bullet proof, which right now, it is not.  All fixable, just needs to be fixed.

Secondly, think about all the different apps and web sites that ask for your credit card and conveniently store it for you.  Each one of those apps or web sites is a vector for hackers to get your stuff. Simple example – your Amazon account stores your credit card and allows a hacker to buy stuff using your credit card and ship it anywhere.  Hopefully, your Amazon password is not 123456 or even the more complex 12345678.

Food for thought.