Hackers Using Starbucks Gift Cards To Access Credit Cards

jfruh writes: Starbucks inspires loyalty among its heavy users — so much so that they're willing to connect their Starbucks gift cards and phone apps directly to their credit or debit cards, auto-refilling the balance when it runs low. But this has opened up a hole hackers can exploit. Writing about the scheme journalist Bob Sullivan says: "The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app. Maria Nistri, 48, was a victim this week. Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."

I don't trust any auto-top ups

[Chrisq]

I don't use it on my phone, didn't use it on my Disney pass, and would not use it for coffee either. None of these organisations have either the security awareness of credit card companies nor the statutory framework requiring them to cover losses where you are not at fault. I like to limit my exposure to the amount I add on

Re:I don't trust any auto-top ups

Why hackers are stupid. Stealing somebody's coffee money is one thing. Putting a $2B industry at risk will probably get you killed.

Re:I don't trust any auto-top ups

[Chrisq]

Why hackers are stupid. Stealing somebody's coffee money is one thing. Putting a $2B industry at risk will probably get you killed.

Maybe they really like coffee!

Re:I don't trust any auto-top ups

[OzPeter]

Why hackers are stupid. Stealing somebody's coffee money is one thing. Putting a $2B industry at risk will probably get you killed.

Maybe they really like coffee!

You do realize that this is Starbucks we are talking about, don't you??????

Re:I don't trust any auto-top ups

[thegarbz]

What's a Disney pass?

Re:I don't trust any auto-top ups

I'd be more afraid of Disney's processes on storing biometric data (fingerprints namely) in their parks...

Re:I don't trust any auto-top ups

[Ol+Olsoc]

You do realize that this is Starbucks we are talking about, don't you??????

Some people like overly strong coffee with redolent mud flavors and overtones of mold, you insensitive clod!

Re:I don't trust any auto-top ups

[SQLGuru]

They need all of that caffeine to fuel their hacking sessions.

Re:I don't trust any auto-top ups

[ZipK]

I like to limit my exposure to the amount I add on

Which you can easily do by associating your Starbucks account with a virtual credit card number that has a low-dollar limit, or adding/funding/removing your credit card or other financial details.

Re:I don't trust any auto-top ups

Starbucks call this roasting process "double popping" It creates a consistent shit/mud like flavor so where ever you go in the world you know you can get the same shit that tastes like crap. Like apple, they have somehow branded/positioned themselves as the boutique high end vendor. Even worse, most of the coffee is blended to produce consisant flavors as well. All those nice flavorful, Arabica beans ruined by blending and over-roasting. If you'd like to compare to wines, Starbucks is the equivalent of taking every variety of grape you can get your hands on throwing them all into the same batch and selling it as a premium product.

I wholeheartedly agree with others, that Starbucks is the worlds worst coffee. (short of Robusta)

Personally, I like the single plantation Ethiopians and Sumatra, though a good Costa Rican is nice as well

Re:I don't trust any auto-top ups

You're just as bitter as their coffee but no one is saying about about that, are they?

Re:I don't trust any auto-top ups

Hey! Leave my Orange Valencia alone!

Re:I don't trust any auto-top ups

[Ol+Olsoc]

Starbucks call this roasting process "double popping" It creates a consistent shit/mud like flavor so where ever you go in the world you know you can get the same shit that tastes like crap.

The ultimate indictment - McDonalds coffee is better. It's nothing to write home about, but I don't shudder when I drink it.

Re:I don't trust any auto-top ups

I'll bet you just automatically don't like anything that's popular, and then only later do you decide why.

Re:I don't trust any auto-top ups

[flex941]

Thanks! Learned a new word today - redolent. Never seen that before.

Re:I don't trust any auto-top ups

[tlhIngan]

I don't use it on my phone, didn't use it on my Disney pass, and would not use it for coffee either. None of these organisations have either the security awareness of credit card companies nor the statutory framework requiring them to cover losses where you are not at fault. I like to limit my exposure to the amount I add on

More correctly, I don't see the point

I mean, instead of Starbucks charging you $5 a day on your credit card, you have them charge $25 every 5 days? Doesn't seem to beneficial for me.

It's auto-top-up, so it's not like you can't spend $25 in a day and have it charged once instead of 5 times.

So what's the benefit, other than the company only paying the credit card per-transaction fee once, versus 5 times? And giving them access to your billing information.

Especially since Starbucks takes credit already - is there some sort of benefit to using a gift card that refills itself over your credit card?

Re:I don't trust any auto-top ups

[Deekin_Scalesinger]

It's a card that allows you access to the parks, your hotel room if you're staying on Disney ground, and gives the ability to charge food and souvenirs to the card on file. So need for a wallet when you're in the parks - the card does it all. What the card does especially well is drain you of resources better spent on paying your rent, car payments etc. Use sparingly :)

Re:I don't trust any auto-top ups

[radarskiy]

Kids these days don't remember when you could actually get coffee worse than Starbucks.

Re:I don't trust any auto-top ups

[thegarbz]

Oh wow, so it actually is as bad as I guessed.

Re: I don't trust any auto-top ups

Free coffee every 10 orders etc. Cheap deals. Surely that's what is on offer

Re:I don't trust any auto-top ups

Starbucks was shit before they were popular. Take one sip of their swill and you'll know.

I'll bet that you're just some poser who pretends to enjoy coffee because you think a Starbucks cup in your hand makes you look "hip".

Moral

[ttyX]

Don't trust a third party with your credit card info.

Re:Moral

[sectokia]

The post didn't even actually say exactly what is going on.... People link their credit card to some star bucks account with auto reload. Hackers just guess the users password or get it some other way. Once inside the you can transfer the money to another card. They then sell that other card to idiots below its account balance. Star bucks then honour it anyway?

Re:Moral

[Kokuyo]

The first party is you, the second the credit card company... So how exactly would you ever use a credit card if you don't trust any third party with it?

Re:Moral

By not checking that small "remember my credit card info" box?

Re:Moral

[CastrTroy]

This is what's wrong with online payments. To make a credit card payment, the website should just direct me to the website of visa/mc/amex and have me verify myself, and transfer money to the merchant, very similar to how PayPal works. With phones being so ubiquitous, a similar thing could be done for brick and mortar stores. Pop up a QR code at the register, scan it with a visa app, enter your credentials, and the payment is done. We need to fix the system and get rid of these antiquated payment methods.

Re:Moral

[Viol8]

"With phones being so ubiquitous"

Speak for youself. I dont own a smartphone because I dont need an over priced toy computer in my pocket. Why should I be forced to buy one just to make a fucking purchase??

"Pop up a QR code at the register, scan it with a visa app, enter your credentials, and the payment is done"

Blah blah. Or use PIN codes like europe have done for almost 20 years.

Re:Moral

[hippo]

RTF linked article. Bad people guess your Starbucks login and transfer your funds to another Starbucks gift card which is the auctioned off on some anonymous dodgy version of Ebay.

Re:Moral

Why should I be forced to buy [a smart phone] just to make a fucking purchase??

You shouldn't buy one just to make a fucking purchase, but you should buy one because having a tiny computer on your person is amazing!

Re:Moral

"over priced"? "need"?

Gad!

Re:Moral

Indeed, the comment "Don't trust a third party with your credit card info." seems to (unwittingly?) imply that one should simply avoid using credit cards.

Which seems a good idea in any case, so I do indeed avoid using credit cards. :)

Re:Moral

[Hognoxious]

But can somebody get a refund on that second gift card? If not, what use is it - unless, as the man said - you really like coffee?

Re:Moral

[AK+Marc]

You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappear with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.

Re:Moral

[AK+Marc]

You can buy Android smartphones for under $100. What price would they need to be to not be "overpriced"?

Re: Moral

[Stewie241]

The thieves sell the gift card on an auction site to people who will use the gift card to buy coffee.

Re:Moral

[hippo]

Apparently, there is a thriving black market in Starbucks gift cards. I guess you type the number into your app and use it to get coffee without having to actually travel to meet the guy selling the gift card. Starbucks must be honouring these or there would be no market.

There isn't one person who really likes coffee, just lots of people who like it enough to take part in morally dubious and possibly criminal activities. A bit like the pirated DVD trade but with zero overheads and less evidence after the crime.

Re:Moral

[The+MAZZTer]

Starbucks probably removes the balance once they are informed of the theft, but by then the thieves are long gone with their money so they don't care.

Re:Moral

Coinstar

Re:Moral

[jittles]

You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappear with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.

Except that the third patty controls the card terminal. If they're unscrupulous or if they don't have proper security, then anyone could come in there and install hardware that would get your card details, even your PIN if you're on a chip and pin system. Will that allow them to clone your chip? I'm not sure - probably not. But that doesn't stop them from having someone mug you when you're a few blocks away, either. Plus, you don't use the chip or pin for online purchases.

Re:Moral

[CastrTroy]

For brick and mortar stores, you are absolutely right. I think chip and PIN is a pretty decent authentication method. But for it to really work, we need to get to the point that there's no mag stripe, and no number on the card. We should completely get rid of the legacy payment by mag stripe, or simply knowing the card number and expiration date. There shouldn't be an insecure alternative. Payments should either be authenticated through the chip, or through the card issuer's website. There should be ability for the retailer, online or otherwise, to obtain information that would allow fraudulent transactions to be made.

Re:Moral

[Stewie241]

It isn't just the $100. He would also be giving up his ability to look down on all us smartphone owning folk that have just thrown our money away.

Re:Moral

[RavenLrD20k]

I still don't like Chip & PIN. It's better than swipe and sign of current credit cards, but it's not much more secure than using a Debit Card at the terminals now, which is Mag-stripe Swipe and PIN here. I'd rather have cards with 2FA. Sure, my idea requires a smartphone with data access, but a business needs some kind of data-line to process credit card transactions now anyway. For my Idea to work replace the card machines with a type that has a keypad and provides NFC or Bluetooth access, or uses a screen to display a QR code; similar to the parent's idea so far... Now the device doesn't even have to be a smartphone... just smartphone like. Smartphones now are capable of using fingerprint readers so a payment device only would need a Camera, NFC radio, Cell Radio (possibly optional, but would make SMS messaging viable), WiFi radio, Fingerprint reader, and a TFT (maybe GPS too...).

My idea goes something like this: POS has rung up all the customer's items and requests payment. POS Pay-Pad Pops up the total and a QR code on the screen and activates the NFC Radio. Customer can either use the NFC or Camera on their device to get the relevant information (Store Name/Number/Location, Total amount due, any other pertinent info), Device then uses whatever data connection it has available (POS NFC, POS Bluetooth, Wi-Fi hotspot, Cell Data, SMS...etc) to send the information to the requisite Authentication company (MC/V/AmEx/Dsc/Store Card Auth; possibly chosen from a menu on device), Authenticator application then requests fingerprint from user to authenticate with. Upon successful authentication a confirmation page would come up where the user can verify all the information received from the QR code / NFC transfer and make sure it's right (the information would not be what was stored from the initial read but received again from the AuthCo to ensure that the data wasn't corrupted in transfer). Re-authenticating by fingerprint confirms the info, hitting a physical button will cancel it. Upon successful second authentication, a one time use pin number would appear on the screen for the user to punch into the POS terminal keypad. When the POS receives the PIN and verifies it against information it just received from the Authentication Company, it accepts payment and marks the transaction complete. The only time this whole scenario would fail is during data outages, which could be mitigated by having a physical card as a backup for performing imprints and manual processing on, which the user can possibly log in their authenticator application.

This is just a thought, but I'm just a dreamer. I hope I'm not the only one.

Re:Moral

[Githaron]

The new chip-based credit card will cover the issue with brick and mortar stores. The chip only gives enough information to the merchant to complete a single transaction. The chip is an active component unlike the current magnetic strip. It contains an public/private key encryption module that signs information that can be used to verify that specific authorization. I could be wrong but I think the mobile NFC payment technologies do something similar.

Re:Moral

[ageoffri]

I would say that in Colorado it would have to be under $10.50. You are likely asking where does this number come from, well it is quite simple. I've been repeatedly told that it disenfranchises people to require a State or Federal issue ID to vote, and in Colorado the ID card costs $10.50. So obviously that means phones to be used for payment they must be less than an ID card, otherwise it is discrimination.

Re:Moral

You can buy Android smartphones for under $100. What price would they need to be to not be "overpriced"?

It's not $100. It's $100+$50/month. Even if it's "Free" + $50/month, it's still $50/month. I'm not anxious to pay $50/month for the privilege of paying for things.

Re:Moral

[Viol8]

Exactly. Its not the initial price , its the contract fees.

Re:Moral

[Viol8]

"Sure, my idea requires a smartphone with data access"

Yeah, it seems like you're missing the point. I don't want to have to carry around ANY sort of device to use my credit card. What if I lose it? What if the battery dies? What if the app fails?

Technology is supposed to make life easier, not harder.

Re:Moral

[93+Escort+Wagon]

Exactly. While Starbucks probably does need to tighten up its transfer process, the fundamental issue here is the same one we've been seeing for a couple decades now - stolen passwords.

Re:Moral

Well, if you love Europe so much, then maybe you should marry it....

Re:Moral

You don't have to buy data to own a smartphone. I got a pretty kickass AT&T ZTE Compel phone for $50 and spend about $10 a month on voice and text service.

Using a smartphone for texting vs a dumphone with T9 is worth the price of admission alone. And I get to play with all the apps I want. Oh yeah, and Navmii for free GPS navigation.

Re:Moral

> Pop up a QR code at the register, scan it with a visa app, enter your credentials

Holy fuck that would be so annoying. I don't want to dick around on my phone (which I need on my person and charged) to buy some shit.

Re:Moral

Then he segues into how he doesn't even own a TV.

Re:Moral

[praxis]

Just to clarify, while Colorado charges $10.50 for an ID card, the cost to the potential voter is greater when you factor in travel time, expenses, and costs of having a mailing address.

Re:Moral

[RavenLrD20k]

Technology is supposed to make life easier, not harder.

That may be true, but the current track record of technology is that when it makes things easier for the user it also makes things easier for the hacker.

Don't want a smartphone? All the capabilities stated above could in theory be placed into a relatively small dedicated device that is only used for Authentication purposes. Hell, instead of even having an onboard battery, the device could have a cord that plugs into the POS device and transfers data while receiving power that way.

I personally want something more secure than the Swipe & PIN that my Debit Card uses with the protection that comes with Swipe and Sign that's the current method used by American Credit Card companies. Like I said, Chip and PIN is only mildly more secure than Swipe & PIN and I feel that my proposed method would bring security to a more comfortable level, at least for me.

Re:Moral

[DroolTwist]

Technology is supposed to make life easier, not harder.

Only it isn't just technology, it is security. Security doesn't make it easier to use, but it sure as hell beats having to fight with a bank to get stolen funds returned. The app failing? That is just a risk you have to take. Any app that is related to finance I like to think would work most of the time. I don't see the big deal with carrying a smart phone around, and keeping it charged really isn't hard either. Given the choice of security vs. convenience and the extra 30 seconds security might add to your purchase, I'll take security.

Re:Moral

[petermgreen]

UK perspective here:

Cards in the UK (both credit and debit*) used to be processed in much the same way americans describe their credit card processing now. You handed your card to the retailer who swiped it (in shops this would happen in your presense but I belive in places like restarants they would often take it away and swipe it) and gave you a reciept for to sign.

Then chip and pin came in and retailers were strongly encouraged** to switch. The need to get the customer to type the pin meant that portable card terminals became common and cards were generally no longer taken out of customers sight. In the early days of chip and pin it was common to hand your card to the retailer who would run it down a combined swipe/chip reader. That seems to have fallen out of use now with the normal method being for the customer to insert their card in a smartcard only slot on the pin pad (there is also typically a swipecard slot on the pin pad but it's seperate from the smarcard slot and rarely used for payment***).

More recently contactless NFC cards have come in for small payments. I haven't used one yet though.

You do still occasionally come across a retailer who hasn't caught up with the times though and still does things the old fassioned way with the assistant swiping the card in a reader behind the counter. My most recent such experiance was at scan computers. Imprint machines also still exist though I belive they are generally only used during power cuts and I don't think i've ever had my card processed on one.

* The dichtomy between credit card transaction methods and debit card transaction methods that americans describe did not happen here. Credit and debit cards were and are used in the same ways on the same terminals. We do have "electronic only" debit cards that are given to children and people with terrible credit history but they are the exception not the rule.
** AIUI the card companies would accept the risk (or try and push it onto consumers by claiming that chip and pin made fraud impossible) for fraudulent chip and pin transactions whereas for fraudulent swipe and sign transactions they put the risk on the retailer.
*** Some retailers use the swipecard slot for loyalty cards, it can also be used for credit/debit cards but retailers are increasingly reluctant to do that because of the fraud risk. I imagine it sucks to be in the UK with a foriegn issued non-chip card.

Re:Moral

How would online transaction work then?

Re:Moral

[AK+Marc]

I've bought a "smartphone" for under $50 with no contracts or lock of any kind. You are shopping dumbly, then saying the result is dumb. The result isn't. Just the shopper.
http://www.aliexpress.com/item...

No contract. Under $50. You'd pay less for this than most people pay in bank fees to be able to buy things with other payment methods.

When you end up paying more to avoid something new, it makes you look like an idiot Luddite, not a cost-aware practical person.

Re:Moral

You're, give or take, describing the workings of the impending "CurrentC" system being foisted by major retailers. And you can buy pre-paid Android phones now for $20...

http://www.target.com/p/brightspot-zte-zinger-prepaid-cell-phone-black/-/A-16599233#prodSlot=medium_1_3&term=ZTE

Re:Moral

You're honestly comparing voting with buying coffee? WTF is wrong with you?

Re: Moral

[Vegemeister]

Black market Starbucks. Now I've seen everything.

dem haxx0rz

r in ur c0ff33 nao

Re:dem haxx0rz

[TeknoHog]

NaOH in ur c0ff33

FTFY.

use bitcoin

using the fold app, use bitcoin and get a 20% discount on Starbucks purchases....And because it is Bitcoin there is no CC to steal.

Starbucks so trendy!

Everybody wants to go to Starbucks to see and be seen. It's like Facebook in brick-and-mortar form. Seriously the Fakebook should just buy out Starbucks and brand that fucker with Facebook signs everywhere.

Re: Starbucks so trendy!

[AvitarX]

Did I just take a time machine back to 2000?

Re:Starbucks so trendy!

That's hilarious. Funny, I don't use TwitFaceInstaSnap (yes that is Twitter Facebook Instagram and Snapchat) and I also don't go to Starbucks. On the odd time that my wife drives to Starbucks with me in the passenger seat I don't go inside (hate the smell of coffee, even bad coffee).

Re: Starbucks so trendy!

"when my wife drives to Starbucks with me in the passenger seat"
But how do you feel about it when you sit down to pee?

Re: Starbucks so trendy!

[JazzLad]

If you did, warn them about 9/11

Re: Starbucks so trendy!

[phorm]

Ah yes, the +1 funny on the comment that indicates that a man whose wife does the driving isn't a real man...

Glad to see how much we've matured around here.

I believe that Saudi Arabia might be accepting immigration applications. You'd fit right in.

Re: Starbucks so trendy!

[AvitarX]

I did, has it still happened?

We've come a long way since

[delusional_wombat]

tipping over vending machines!

Re:We've come a long way since

You can still tip over vending machines if you really want to. The machines are much less likely to eat your money these days though, with the prevalence of guaranteed delivery sensors to reimburse you if your chosen item gets stuck.

That's a lot of coffee

If police are looking for a criminal who drank $125ish of coffee in 7 minutes I'm guessing they just need to look for the crazy wired guy bouncing off the walls...

Re:That's a lot of coffee

More like projectile-vomiting guy or passed-out-and-dying-from-caffeine-overdose guy.

Re:That's a lot of coffee

[Hognoxious]

It's only about 3 cups if you take the triple-organic choppa-whoppa-mocha-choppa shoved-up-a-weasel's-butt with chocolate flakes.

Re:That's a lot of coffee

Real weasel's butt coffee costs $50 a cup, unless they have fed some laxatives to the frigging weasels. Poor weasels.

Re:That's a lot of coffee

[freeze128]

I have never seen the weasels in a starbucks. Do they keep them in the back?

"Heavy User"

Lol. Is that what a coffee drinker is now? Like a heroin addict can be a "heavy-user" of heroin.

Does one really "use" coffee more so than drink it. I never really thought that I "used" chicken if I ate it. ?? (Chicken "user"??)

American vs. British English?

Good Passwords

[friedmud]

Like usual: anytime your credit card is involved: use a good password!

That's all there is to this.

The rest is just fear mothering and click bait.

Re:Good Passwords

[hippo]

Why bring my mother into this?
Sincerely,
Mr Fear.

Re:Good Passwords

[friedmud]

lol - good old iPhone autocorrect!

Obviously: "fear mongering"... lol

Re:Good Passwords

[Paradise+Pete]

Wait, your mother named you Mr. Fear? Is your last name Flexington?

How safe are Ipass accounts?

[140Mandak262Jamuna]

I have Ipass with auto-reload, wondering if they are safe. I used to have only gift cards in amazon. Then got a little lazy and added a credit card. Then my friend told me about how it was very difficult to deal with Amazon when his account got hacked somehow. He caught a 4000$ order before shipment and tried to get it cancelled. He said he found Amazon very difficult to deal with. He traced the ship-to address to some warehouse on the west coast which acts as proxy customers to people outside USA needing a shipping address in USA. Still it was tough to make Amazon cancel the order. After that I removed credit card from Amazon. If and when I place an order I enter the card data and then remove it immediately.

Re:How safe are Ipass accounts?

I don't think the credit card was the problem. It sounds like someone compromised the account. I'd be curious as to how. Such as password, forgotten password, social engineering, etc.

Explain this one to me

[holophrastic]

Why can starbucks gift cards be used for anything other than buying starbucks products? Why is the cash accessible in the first place? Anyone stealing starbucks gift cards, hackers or thieves, ought to be stuck with boat-loads of coffee, after having visited a starbucks store. Otherwise, folks, it ain't a gift card, it's a charge card, credit card, or direct-monetary-device -- and since starbucks ain't a bank, you ought not be entrusting them with direct access to your money.

What's the point of a starbucks "gift card" if it operates no differently from the attached credit card?

Re:Explain this one to me

The thieves are selling the access to coffee to third parties (general public) at a discount thereby laundering the gift card into cash.

Re:Explain this one to me

it's branded with starbucks and some people like starbucks more than they like themselves

Re:Explain this one to me

[slashkitty]

There is a huge market for gift card reselling online. starbucks makes it a bit easier because you can move $ from one card to another.. http://www.giftcardgranny.com/...

Re:Explain this one to me

[holophrastic]

that's the problem. a gift card is designed, by it's very nature, to not be currency. It's supposed to be a pre-purchase, such that the financial component is entirely removed. Show up with the card, get the product, no monetary transaction of any kind.

What starbucks is using is simply not a gift card. It is a bank card. So who's surprised that a bank card issued by someone that isn't a bank lacks any sort of procedural security whatsoever?

Stop giving your hard-earned money to someone who isn't regulated and insured to keep it. Welcome to the words: "at your own risk", "not responsible for stolen funds".

Maybe actually think before giving money to someone. Maybe, just maybe, make an actual decision for yourself.

Starbucks = Nigeria.

Re:Explain this one to me

[PPH]

F* Starbucks

Re:Explain this one to me

[DerekLyons]

Why can starbucks gift cards be used for anything other than buying starbucks products?

[remainder of incorrect assumption improperly promoted into 'facts' deleted]

They can't be.

Re:Explain this one to me

"Why can starbucks gift cards be used for anything other than buying starbucks products? "

Directly, it can't. Even if they didn't allow transferring cards, industrious people could still buy $1000 worth of coffee in the bag, goto a local flea market, and sell it at 50% of the original value. They could clear an easy $500 in an afternoon.

Re:Explain this one to me

[holophrastic]

I fail to understand how that's any different than walking into the store, buying coffee, and then selling it in the local flea market. the gift card is nothing more than pre-paying for a purchase that you intend to pickup -- and, as with all gift cards, there's absolutely zero benefit to doing so in the first place. Why the hell would you buy a cup of coffee before it's brewed? Why would you give your money away, and then risk losing the gift card? There's certainly no financial benefit to the consumer -- and there's a lot of risk to the consumer. Why not just make your gift card look identical to a five dollar note, out of the same materials too, then contract your national mint to print them for you? A note is a note is a note be it a card, paper, plastic, from a bank or a print shop. It's worth five bucks it's worth five bucks.

Re:Explain this one to me

[holophrastic]

Then what's the use in hacking one? So I can buy coffee with your card? Don't I need your physical card for that? Here's the easier version for you: Why can starbucks gift cards be used without starbucks gift cards?

Re:Explain this one to me

[DerekLyons]

Then what's the use in hacking one?

You don't hack a card, you hack the app.

I can take money from your account and put it on a card (or access code) in my possession. I can then resell the card (or the access code).

So, how the scam works is - a) I buy a card from Starbucks for $5, then since the cards are infinitely reloadable b) I hack your account and move money (say $100) from your account to my card and disconnect it from the account, c) I resell the cards for $50.

There's a lot of places Starbucks can detect and halt this fraud, since it all passed through their servers... they just don't or won't.

Re:Explain this one to me

[holophrastic]

You're saying that these stupid people actually let starbucks access their bank account directly? That's the most idiotic thing I've ever heard. Even my bank doesn't have access to my bank account to pay my mortgage. No one can touch a single dollar of mine except me and a judge. Why the hell would I let a coffee shop have unfettered access to my money?

Thanks for explaining the scam to me. Although I'm more pissed off now than ever before. Who's this stupid?

Re:Explain this one to me

[radarskiy]

"I fail to understand how that's any different than walking into the store, buying coffee, and then selling it in the local flea market."

It is easier to convey the gift card than the equivalent amount of coffee.

" as with all gift cards, there's absolutely zero benefit to doing so in the first place."

To give them to other people as gifts. That's why they are a called gift cards.

Correction, as with any credit card theft articles

Since money is coming from a linked credit card and not cash in her pocket, that stolen money is not Maria's, it's credit card issuer's. Sure, Maria has to deal with a small hassle of reporting a fraudulent transaction but be very sure, this is a much bigger problem for Starbucks and Chase/Citibank/etc that her.

I don't really care about PINs and chips and whatever. If my AmEx is stolen, they will FedEx overnight me a replacement - or I can drop by their office and they'll print me a new one on the spot.

What's the Point?

I don't understand what the point is of using a gift card that is automatically reloaded from a credit card once it hits zero. Why not cut out the middleman and use the credit card directly?

Re:What's the Point?

Starbucks ties it to a loyalty program where you get free drinks, that's why.

Re:What's the Point?

[omnichad]

Their stupid rewards program is tied to a gift card. And ONLY works on purchases paid via that gift card (which can be auto-reloaded and have balance transfers to it from gift cards you receive as gifts). The answer for most people is not to use their rewards program at all.

Re:What's the Point?

Because they would incur credit card processing fees on every transaction vs. one transaction to top up the gift card. It makes a huge difference to their margins.

Re:What's the Point?

So this gift card is acting like a credit card for your credit card?

Self inflicted wound ...

[gstoddart]

This is why I don't let companies do ever have direct access to my accounts.

Not my banking accounts, not my credit card, not anything. Never. Period. No way. If a company demands this, I walk away from the deal 100% of the time.

Giving companies the ability to go in and raid your money is a recipe for disaster. Tying that ability to a phone or a gift card is even worse.

You have pre-authorized the bearer of that device to go in and take your money without any oversight or authentication.

I've known far too many people who have been screwed over by companies who insist on auto-billing but have subsequently demonstrated themselves to be greedy and incompetent corporations who take more money than they're supposed to. And then fixing the problem becomes a nightmare.

So, I'll go all boohoo for people who crave their Starbucks so badly they've created a loophole where their money gets taken without them knowing it. But they did it to themselves.

And I'll continue to say this is precisely why I would never use one of them, or any of the things like Apple Pay and Google Wallet -- because the chance of it being abused, stolen, subject to corporate incompetence or spying is so utterly massive as to outweigh any perceived benefits.

Unfortunately, those of us who warn about these things get shouted down as paranoid worriers. And then people get bit in the ass and we stand here saying "well, we told you so" and laugh at you.

We live in an age where convenience and some shiny bauble will make us do things which, if you really think about it, are pretty reckless. When that has unfortunate, but predictable, consequences ... well, bummer dude.

It's a shame this happens to people. But it's not in any way surprising.

Re:Self inflicted wound ...

I was you and felt the same until they offered -0.25% interest on a mortgage to me for access. That's serious cash. We still keep separate accounts with the bulk of our money in them, but you'd have to be a fool to pass up an offer like that. Or stupid rich paying for everything with cash.

Re:Self inflicted wound ...

[david_thornley]

I don't give anybody access to my accounts or debit cards (sorry, Paypal, it's that I don't trust you), but credit cards are fairly safe provided you check the statements when you get them. Make sure you use certified mail with return receipt, to make sure you have legal proof of questioning charges.

Too funny

Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."

Haw haw!

Starbucks stole my gift card...

[slashkitty]

There are many reports of starbucks taking back gift cards.. I had bought a few gift cards online, and combined them into one in the app. Then, starbucks canceled the whole value. They said one of the cards payment method couldn't be verified. .. So, they wiped out my entire balance ($200) .. Never using starbucks cards or the app again. Please just switch to apple pay.

Re:Starbucks stole my gift card...

[neo-mkrey]

...or just use cash.

Re:Starbucks stole my gift card...

[slashkitty]

That too can easily be stolen.

Re:Starbucks stole my gift card...

Funny that the company stole $200 from you, and your reaction isn't, "I refuse to patronize them," but rather is, "I won't use their gift cards anymore."

And they just added this to Amazon

[subanark]

I'm not sure how much "auto-reload" has caught on yet, but normally Amazon requires you reenter your credit card when you send a package to a new address, and if you have auto-reload on, it might not ask if you use your gift card balance. Amazon, does however have a good anti-fraud team which will delay or cancel suspicious orders.

convenient...for clueless hipsters

[slashmydots]

What's so convenient about adding another step between me and paying someone. Why use a gift card or app as an intermediary? In pack, hand the damn person a $10 bill. What's so damn hard about that? At least if someone tries to steal that from me I can tase or shoot them (in my state).

Re:convenient...for clueless hipsters

[Imazalil]

You do know that "hipsters" are all about using cash right? All the trendy coffee shops are cash only. So, welcome to team hipster.

To answer your question, the main reason is that Starbuck's reward program (13th drink free) is tied to using their gift cards. That's probably the main reason, it also made paying more convenient, before nfc/tap-and-go credit cards became a thing, when going cash-less.

Re:convenient...for clueless hipsters

You mean like a decade ago in every country not the US...

I had this happen yesterday!!!

[Jedi+Holocron]

Yup, this is real.

Yesterday morning, I had a notification on my phone that my account was now at $0.00. HUH??!

Launched the app and then noticed my Starbuck's card was removed. WTF?!

I called their support line. They didn't offer much in the way of help, but did say that the email address had been changed on my card and that it was indeed removed. They reset my password and are sending me a new Gold Card.

This happened to me last summer.

[possiblybored]

I woke up to five "We auto-reloaded your card" e-mails from Starbucks overnight. They hit me for $500. They used my Starbucks card (linked to my debit card, set to auto-renew by adding $100 when the balance was low) to purchase email gift card codes in multiples of $25. Canceled my Starbucks card, canceled my debit card, filed a police report. The investigator determined that the codes were sent to a generic e-mail account in Canada, and that was the end of it. The bank was good and put the money back right away. They also changed my debit card number. Starbucks sent me a new card but they never quite fixed the "reload online" part (not auto-reload, which I disabled), so I can only reload in a store, which I'm OK with. Had I known it was going to be that easy for them to hack me, I would have never used auto-reload or had it save my credit card.

Re:This happened to me last summer.

[Chelloveck]

I woke up to five "We auto-reloaded your card" e-mails from Starbucks overnight.

I have a serious question: I assume you must see some advantage to using a refillable gift card or you'd just use your regular credit card in the shop. So what's the benefit? Discounts? Frequent drinker points? Mind boggling convenience? I'm just trying to understand the appeal.

Bob Sullivan's article

[ShaunC]

If you're going to quote Bob Sullivan's article in the summary, the least you could do is link to his article instead of a re-hash on IT World.

Oh, wait. Submitter jfruh sure has modded up a lot of firehose submissions by user itwbennett, and vice versa. No sense questioning what the "itw" stands for, as ~itwbennett's profile links straight to IT World. Thankfully it doesn't appear to be "our" Bennett, but come on. If you work for IT World, and you have a Slashdot account set up to promote IT world, submit the IT World article from your IT World account. Plenty of astroturfing makes the front page these days, there's no need for subterfuge.

Anonymous

for credit hack, up of your credit score, change of grades, card hacks, internet security against hackers, blank credit card, listen to voice conversation and text message hack, mail hack, social network hacks and any other hackings, contact frank_zues@outlook.com

Hello

Hello friend, my name is Mr Kenneth Dana i want to share my testimony on how i got my BLANK ATM card which have change my life today. i was once living on the street where by things were so hard for me, even to pay off my bills was very difficult for me i have to park off my apartment and start sleeping on the street of Vegas. i tried all i could do to secure a job but all went in vain because i was from the black side of America. so i decided to browse through on my phone for jobs online where i got an advert on Hackers advertising a Blank ATM card which can be used to hack any ATM Machine all over the world, i never thought this could be real because most advert on the internet are based on fraud, so i decided to give this a try and look where it will lead me to if it can change my life for good. i contacted this hackers and they told me they are from Australia and also they have branch all over the world in which they use in developing there ATM CARDS, this is real and not a scam it have help me out. to cut the story short this women who were geeks and also experts at ATM repairs, programming and execution who taught me various tips and tricks about breaking into an ATM Machine with a Blank ATM card.i applied for the Blank ATM card and it was delivered to me within 3 days and i did as i was told to and today my life have change from a street walker to my house, there is no ATM MACHINES this BLANK ATM CARD CANNOT penetrate into it because it have been programmed with various tools and software before it will be send to you. my life have really change and i want to share this to the world, i know this is illegal but also a smart way of living Big because the government cannot help us so we have to help our self. if you also want this BLANK ATM CARD i want you to contact her on email via; marceatmhackers@gmail.com

Gift Card Fraud.

[hamsterz1]

When I worked as a cashier in the self scan lane, our store was hit by criminals with stolen credit cards, trying to buy expensive gift cards, to instantly launder the stolen credit cards. They would attempt to buy multiple expensive gift cards in one transaction. I told my manager this, but he didn't really care, just "Make them go thru a regular lane". Gift card fraud is getting out of hand. "There is more stupidity than hydrogen in the universe, and it has a longer shelf life.” Frank Zappa