Hackers Using Starbucks Gift Cards To Access Credit Cards
jfruh writes: Starbucks inspires loyalty among its heavy users — so much so that they're willing to connect their Starbucks gift cards and phone apps directly to their credit or debit cards, auto-refilling the balance when it runs low. But this has opened up a hole hackers can exploit. Writing about the scheme, journalist Bob Sullivan says: "The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app. Maria Nistri, 48, was a victim this week. Criminals stole the Orlando woman’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."
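The sequence in the summary above (balance moved off the card, auto-reload firing, the reload amount raised, balance moved again, all within minutes) is a pattern an account-monitoring rule can catch. The following is an added example, not part of the original post or any Starbucks system; the event names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; the reported case took 7 minutes

# Constructed events: (timestamp, account, event type, amount in USD).
# acct-A follows the amounts in the summary; acct-B is ordinary use.
EVENTS = [
    ("2015-01-01T10:00:00", "acct-A", "transfer_out", 34.77),
    ("2015-01-01T10:01:00", "acct-A", "auto_reload", 25.00),
    ("2015-01-01T10:02:00", "acct-A", "transfer_out", 25.00),
    ("2015-01-01T10:04:00", "acct-A", "reload_amount_changed", 75.00),
    ("2015-01-01T10:05:00", "acct-A", "auto_reload", 75.00),
    ("2015-01-01T10:07:00", "acct-A", "transfer_out", 75.00),
    ("2015-01-01T08:00:00", "acct-B", "reload_amount_changed", 50.00),
    ("2015-01-01T12:30:00", "acct-B", "auto_reload", 50.00),
    ("2015-01-01T18:00:00", "acct-B", "transfer_out", 10.00),
]

RELOAD_EVENTS = ("auto_reload", "reload_amount_changed")


def flag_drain_bursts(events, window=WINDOW):
    """Return {account: total transferred out} for accounts where, inside one
    window, balance left the card at least twice and auto-reload either fired
    or had its amount changed."""
    by_account = defaultdict(list)
    for ts, acct, kind, amount in events:
        by_account[acct].append((datetime.fromisoformat(ts), kind, amount))

    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            # All events from this one up to `window` later.
            burst = [r for r in rows[i:] if r[0] - start <= window]
            outs = [r[2] for r in burst if r[1] == "transfer_out"]
            reload_touched = any(r[1] in RELOAD_EVENTS for r in burst)
            if len(outs) >= 2 and reload_touched:
                flagged[acct] = round(sum(outs), 2)
                break
    return flagged


if __name__ == "__main__":
    print(flag_drain_bursts(EVENTS))
```

A rule like this is most useful when a hit pauses auto-reload and asks the cardholder to re-authenticate, since each reload pulls fresh money from the linked credit or debit card.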
The post didn't even actually say exactly what is going on.... People link their credit card to some Starbucks account with auto reload. Hackers just guess the user's password or get it some other way. Once inside, you can transfer the money to another card. They then sell that other card to idiots below its account balance. Starbucks then honours it anyway?
The first party is you, the second the credit card company... So how exactly would you ever use a credit card if you don't trust any third party with it?
You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappears with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.
Learn to love Alaska
Why can Starbucks gift cards be used for anything other than buying Starbucks products? Why is the cash accessible in the first place? Anyone stealing Starbucks gift cards, hackers or thieves, ought to be stuck with boat-loads of coffee, after having visited a Starbucks store. Otherwise, folks, it ain't a gift card, it's a charge card, credit card, or direct-monetary-device -- and since Starbucks ain't a bank, you ought not be entrusting them with direct access to your money.
What's the point of a Starbucks "gift card" if it operates no differently from the attached credit card?
I still don't like Chip & PIN. It's better than swipe and sign of current credit cards, but it's not much more secure than using a Debit Card at the terminals now, which is Mag-stripe Swipe and PIN here. I'd rather have cards with 2FA. Sure, my idea requires a smartphone with data access, but a business needs some kind of data-line to process credit card transactions now anyway. For my idea to work, replace the card machines with a type that has a keypad and provides NFC or Bluetooth access, or uses a screen to display a QR code; similar to the parent's idea so far... Now the device doesn't even have to be a smartphone... just smartphone like. Smartphones now are capable of using fingerprint readers so a payment device only would need a Camera, NFC radio, Cell Radio (possibly optional, but would make SMS messaging viable), WiFi radio, Fingerprint reader, and a TFT (maybe GPS too...).
My idea goes something like this: POS has rung up all the customer's items and requests payment. POS Pay-Pad pops up the total and a QR code on the screen and activates the NFC Radio. Customer can either use the NFC or Camera on their device to get the relevant information (Store Name/Number/Location, Total amount due, any other pertinent info). Device then uses whatever data connection it has available (POS NFC, POS Bluetooth, Wi-Fi hotspot, Cell Data, SMS, etc.) to send the information to the requisite Authentication company (MC/V/AmEx/Dsc/Store Card Auth; possibly chosen from a menu on device). Authenticator application then requests fingerprint from user to authenticate with. Upon successful authentication a confirmation page would come up where the user can verify all the information received from the QR code / NFC transfer and make sure it's right (the information would not be what was stored from the initial read but received again from the AuthCo to ensure that the data wasn't corrupted in transfer). Re-authenticating by fingerprint confirms the info; hitting a physical button will cancel it. Upon successful second authentication, a one-time-use PIN number would appear on the screen for the user to punch into the POS terminal keypad. When the POS receives the PIN and verifies it against information it just received from the Authentication Company, it accepts payment and marks the transaction complete. The only time this whole scenario would fail is during data outages, which could be mitigated by having a physical card as a backup for performing imprints and manual processing on, which the user can possibly log in their authenticator application.
This is just a thought, but I'm just a dreamer. I hope I'm not the only one.
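The checkout flow proposed in the comment above, modelled as an added example that is not part of the original post: an authentication company records the transaction, echoes its own copy back for confirmation, and releases a one-time PIN that the POS redeems once. The class and function names, the six-digit PIN, the retry limit and the fingerprint check reduced to a boolean are all assumptions.

```python
import hmac
import secrets


class AuthCo:
    """Hypothetical authentication company from the comment (constructed model)."""
    MAX_TRIES = 3  # assumption: the comment does not specify a retry limit

    def __init__(self):
        self._txns = {}

    def submit(self, txn_id, store, amount_cents, fingerprint_ok):
        # First fingerprint check. AuthCo echoes back what it recorded so the
        # user confirms AuthCo's copy, not the device's own QR/NFC read.
        if not fingerprint_ok:
            return None
        self._txns[txn_id] = {"store": store, "amount": amount_cents,
                              "pin": None, "tries": 0}
        return {"store": store, "amount": amount_cents}

    def confirm(self, txn_id, fingerprint_ok):
        # Second fingerprint check releases one PIN bound to this transaction.
        txn = self._txns.get(txn_id)
        if txn is None or not fingerprint_ok or txn["pin"] is not None:
            return None
        txn["pin"] = f"{secrets.randbelow(10**6):06d}"
        return txn["pin"]

    def redeem(self, txn_id, amount_cents, pin):
        # Called by the POS with the PIN typed on its keypad.
        txn = self._txns.get(txn_id)
        if txn is None or txn["pin"] is None:
            return False
        txn["tries"] += 1
        ok = (txn["amount"] == amount_cents
              and hmac.compare_digest(txn["pin"], pin))
        if ok or txn["tries"] >= self.MAX_TRIES:
            del self._txns[txn_id]  # single use: spent or locked out
        return ok


def run_checkout(auth, store, amount_cents):
    """Walk one purchase through the flow; return (paid, replay_accepted)."""
    txn_id = secrets.token_hex(8)  # POS side: carried in the QR/NFC payload
    if auth.submit(txn_id, store, amount_cents, True) is None:
        return False, False
    pin = auth.confirm(txn_id, True)
    paid = auth.redeem(txn_id, amount_cents, pin)    # POS verifies the PIN
    replay = auth.redeem(txn_id, amount_cents, pin)  # same PIN used again
    return paid, replay
```

Binding the PIN to the transaction id and amount is what keeps a PIN observed at one terminal from being accepted for a different charge.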