Criminals are stealing money through the Starbucks app; ensure your passwords are strong

Starbucks, the internationally popular coffee chain, acknowledged that criminals are actively using the company's official app to obtain personal details as well as gain access to monetary accounts. The criminals create a new gift card, load your money onto the card, and transfer the funds over. Starbucks had no process in place to challenge or halt the transactions, or to ask affected customers for a secondary approval. Bob Sullivan reports:

Because Starbucks isn't answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer's stored value, and attack their linked credit card.

Since many people use the same, simple password for multiple, if not all, accounts, once one system has been compromised, criminals can just try the same username and password combinations on other systems, and often get right in.

Once they have access, the criminals are reportedly using the auto-refresh option to load more money onto the Starbucks account, and then using that money to send gift cards to email addresses they control.

"Your eGift Just Made Someone's Day! It's a great way to treat someone — whether it's to say Happy Birthday, Thank you or just 'this one's on me.'"

To be clear, there's no indication anyone has hacked into Starbucks's system to steal customer data. They're just exploiting weak, reused passwords. It's absolutely a crime, but it's one we can help prevent by using strong, unique passwords. An example of a strong, unique password is: 8qHjz>g%wHkY+siEzri8

Because strong, unique passwords are not only incredibly hard to crack but also almost impossible to remember, we recommend using a password manager like 1Password or LastPass. These tools also offer password generators that can supply random passwords for use on various accounts, and they can show you how strong a given password is.

Starbucks should also add two-step authentication, where a token gets texted to a trusted device like your iPhone, for better security on their end as well.
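One way a service could challenge the sequence described above (password-only login, reload, eGift to an unfamiliar address) is sketched below. This is an added example, not code from the article or from Starbucks; the event fields, action names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    account: str
    kind: str                 # "login", "reload" or "egift" (assumed event names)
    device: str
    passed_2fa: bool = False  # login only: a second factor was completed
    recipient: str = ""       # egift only: destination e-mail address

VALUE_MOVING = {"reload", "egift"}

def decide(events, trusted_devices, known_recipients):
    """Return one action per event: 'allow', 'challenge' or 'hold'."""
    trusted = {acct: set(devs) for acct, devs in trusted_devices.items()}
    actions = []
    for e in events:
        devices = trusted.setdefault(e.account, set())
        if e.kind == "login":
            # A correct password opens a session, but only a completed
            # second factor promotes an unseen device to trusted.
            if e.passed_2fa:
                devices.add(e.device)
            actions.append("allow")
        elif e.kind in VALUE_MOVING and e.device in devices:
            actions.append("allow")
        elif e.kind == "egift" and e.recipient not in known_recipients.get(e.account, set()):
            # Untrusted device sending stored value to a never-seen address:
            # the cash-out step, so hold it for review instead of sending.
            actions.append("hold")
        elif e.kind in VALUE_MOVING:
            # Untrusted device moving money: ask for secondary approval.
            actions.append("challenge")
        else:
            actions.append("hold")  # unknown event type: fail closed
    return actions

# Constructed sample data: alice's phone is already trusted, "dev-x" is a
# device that logs in with a reused password and no second factor.
TRUSTED = {"alice": {"phone"}}
RECIPIENTS = {"alice": {"mom@example.com"}}
SAMPLE = [
    Event("alice", "login", "phone"),
    Event("alice", "egift", "phone", recipient="friend@example.com"),
    Event("alice", "login", "dev-x"),
    Event("alice", "reload", "dev-x"),
    Event("alice", "egift", "dev-x", recipient="drop@example.net"),
    Event("bob", "login", "laptop", passed_2fa=True),
    Event("bob", "reload", "laptop"),
]
```

Calling `decide(SAMPLE, TRUSTED, RECIPIENTS)` allows the activity from the trusted phone and the 2FA-verified laptop, challenges the reload from the unverified device, and holds its eGift.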

Rich Edmonds