CNN is reporting that hackers have found yet another opportunity. Hacking your Starbucks app, they add new cards to the account, then use your autofill bank account to load them. Starbucks has acknowledged that this is happening, but says that they were not hacked. Customers' bank accounts are getting drained, however.
Apparently, the way it works is this. The hackers find Starbucks users with weak passwords for their Starbucks app and use the reload feature to add new GIFT cards to the account. They then transfer funds over using the bank account attached to the Starbucks reward account.
Users are getting emails that these gift card transfers are being made, assuming the email address attached to their Starbucks reward account is valid and is one they actually look at, so they can go through the process of trying to get their money back from either Starbucks or their bank. Now that it is public, Starbucks is saying they will make people whole.
There is no law that requires Starbucks or any other reward program to reimburse you. If the rewards card hits your credit card, you can go back to your credit card company to ask for a reimbursement, but debit cards, checking accounts and business bank accounts each have different rules.
While the thefts have been small per user so far – typically in the hundreds of dollars – it is a hassle for users to deal with.
And, apparently, disabling auto-reload is not enough – the thieves have been turning it back on.
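The pattern described above (a new gift card added, auto-reload switched back on, then a reload from the attached bank account) is something a rewards service could flag in its own account logs. The following is an added example, not code from the original post or from Starbucks; the event names, the log layout and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample audit events: (timestamp, account, event, detail).
# Event names are hypothetical, not taken from any real rewards platform.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "login", "known_device"),
    ("2024-01-01T09:01:00", "alice", "reload_from_bank", "card-A"),
    ("2024-01-01T10:00:00", "bob", "auto_reload_disabled", ""),
    ("2024-01-02T02:10:00", "bob", "login", "new_device"),
    ("2024-01-02T02:11:00", "bob", "gift_card_added", "card-X"),
    ("2024-01-02T02:12:00", "bob", "auto_reload_enabled", ""),
    ("2024-01-02T02:13:00", "bob", "reload_from_bank", "card-X"),
]

def find_suspicious_reloads(events, window=WINDOW):
    """Flag bank reloads onto a gift card that was added shortly before."""
    added = {}        # (account, card) -> time the card was added
    disabled = set()  # accounts whose owner turned auto-reload off
    reenabled = {}    # account -> time auto-reload was switched back on
    new_device = {}   # account -> time of last login from an unseen device
    alerts = []
    for ts, account, event, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "login" and detail == "new_device":
            new_device[account] = when
        elif event == "gift_card_added":
            added[(account, detail)] = when
        elif event == "auto_reload_disabled":
            disabled.add(account)
        elif event == "auto_reload_enabled" and account in disabled:
            reenabled[account] = when
        elif event == "reload_from_bank":
            card_time = added.get((account, detail))
            if card_time is None or when - card_time > window:
                continue  # reload onto a long-standing card: not flagged
            reasons = ["reload onto newly added card"]
            if account in reenabled and when - reenabled[account] <= window:
                reasons.append("auto-reload re-enabled after owner disabled it")
            if account in new_device and when - new_device[account] <= window:
                reasons.append("login from new device")
            alerts.append({"account": account, "card": detail,
                           "time": ts, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_reloads(SAMPLE_EVENTS):
        print(alert)
```

An alert carrying all three reasons is a candidate for holding the reload and asking the account owner to confirm it.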
Since it appears that the thieves are guessing passwords, your best defense is to make your password something other than Coffee or 123456. Obviously, if you remove the attached bank account from your rewards account, that will also solve the problem, but make the card less useful.
This is really only important in the bigger context (except to those folks whose accounts were hacked, of course).
Starbucks CEO Howard Schultz says they want to turn your Starbucks Rewards app into a new digital wallet, with Starbucks offering other retailers the ability to let their customers use their Starbucks card to pay for, say, a hamburger or a beer. I assume that Starbucks would make a cut on the deal. If Starbucks wants to be in that business, their app needs to be bulletproof, which right now, it is not. All fixable, just needs to be fixed.
Secondly, think about all the different apps and web sites that ask for your credit card and conveniently store it for you. Each one of those apps or web sites is a vector for hackers to get your stuff. Simple example – your Amazon account stores your credit card and allows a hacker to buy stuff using your credit card and ship it anywhere. Hopefully, your Amazon password is not 123456 or even the more complex 12345678.
Food for thought.