Slashdot Mirror


Hackers Using Starbucks Gift Cards To Access Credit Cards

jfruh writes: Starbucks inspires loyalty among its heavy users — so much so that they're willing to connect their Starbucks gift cards and phone apps directly to their credit or debit cards, auto-refilling the balance when it runs low. But this has opened up a hole hackers can exploit. Writing about the scheme, journalist Bob Sullivan says: "The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app. Maria Nistri, 48, was a victim this week. Criminals stole the Orlando woman's $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."

25 of 124 comments

  1. I don't trust any auto-top ups by Chrisq · · Score: 5, Insightful

    I don't use it on my phone, didn't use it on my Disney pass, and would not use it for coffee either. None of these organisations has either the security awareness of credit card companies or the statutory framework requiring them to cover losses where you are not at fault. I like to limit my exposure to the amount I add on

    1. Re:I don't trust any auto-top ups by OzPeter · · Score: 4, Funny

      Why hackers are stupid. Stealing somebody's coffee money is one thing. Putting a $2B industry at risk will probably get you killed.

      Maybe they really like coffee!

      You do realize that this is Starbucks we are talking about, don't you??????

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:I don't trust any auto-top ups by Ol Olsoc · · Score: 3, Funny

      You do realize that this is Starbucks we are talking about, don't you??????

      Some people like overly strong coffee with redolent mud flavors and overtones of mold, you insensitive clod!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:I don't trust any auto-top ups by SQLGuru · · Score: 2

      They need all of that caffeine to fuel their hacking sessions.

  2. Moral by ttyX · · Score: 2

    Don't trust a third party with your credit card info.

    1. Re:Moral by sectokia · · Score: 3, Interesting

      The post didn't even actually say exactly what is going on.... People link their credit card to some Starbucks account with auto reload. Hackers just guess the user's password or get it some other way. Once inside you can transfer the money to another card. They then sell that other card to idiots below its account balance. Starbucks then honour it anyway?

    2. Re:Moral by Kokuyo · · Score: 2, Interesting

      The first party is you, the second the credit card company... So how exactly would you ever use a credit card if you don't trust any third party with it?

    3. Re:Moral by CastrTroy · · Score: 4, Insightful

      This is what's wrong with online payments. To make a credit card payment, the website should just direct me to the website of visa/mc/amex and have me verify myself, and transfer money to the merchant, very similar to how PayPal works. With phones being so ubiquitous, a similar thing could be done for brick and mortar stores. Pop up a QR code at the register, scan it with a visa app, enter your credentials, and the payment is done. We need to fix the system and get rid of these antiquated payment methods.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:Moral by hippo · · Score: 5, Informative

      RTF linked article. Bad people guess your Starbucks login and transfer your funds to another Starbucks gift card which is then auctioned off on some anonymous dodgy version of Ebay.

    5. Re:Moral by AK Marc · · Score: 3, Interesting

      You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappear with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.

    6. Re:Moral by AK Marc · · Score: 2

      You can buy Android smartphones for under $100. What price would they need to be to not be "overpriced"?

    7. Re:Moral by hippo · · Score: 2

      Apparently, there is a thriving black market in Starbucks gift cards. I guess you type the number into your app and use it to get coffee without having to actually travel to meet the guy selling the gift card. Starbucks must be honouring these or there would be no market.

      There isn't one person who really likes coffee, just lots of people who like it enough to take part in morally dubious and possibly criminal activities. A bit like the pirated DVD trade but with zero overheads and less evidence after the crime.

    8. Re:Moral by jittles · · Score: 2, Insightful

      You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappear with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.

      Except that the third party controls the card terminal. If they're unscrupulous or if they don't have proper security, then anyone could come in there and install hardware that would get your card details, even your PIN if you're on a chip and pin system. Will that allow them to clone your chip? I'm not sure - probably not. But that doesn't stop them from having someone mug you when you're a few blocks away, either. Plus, you don't use the chip or pin for online purchases.

    9. Re:Moral by CastrTroy · · Score: 2

      For brick and mortar stores, you are absolutely right. I think chip and PIN is a pretty decent authentication method. But for it to really work, we need to get to the point that there's no mag stripe, and no number on the card. We should completely get rid of the legacy payment by mag stripe, or simply knowing the card number and expiration date. There shouldn't be an insecure alternative. Payments should either be authenticated through the chip, or through the card issuer's website. There should be ability for the retailer, online or otherwise, to obtain information that would allow fraudulent transactions to be made.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    10. Re:Moral by Stewie241 · · Score: 2

      It isn't just the $100. He would also be giving up his ability to look down on all us smartphone owning folk that have just thrown our money away.

    11. Re:Moral by RavenLrD20k · · Score: 2, Interesting

      I still don't like Chip & PIN. It's better than swipe and sign of current credit cards, but it's not much more secure than using a Debit Card at the terminals now, which is Mag-stripe Swipe and PIN here. I'd rather have cards with 2FA. Sure, my idea requires a smartphone with data access, but a business needs some kind of data-line to process credit card transactions now anyway. For my idea to work, replace the card machines with a type that has a keypad and provides NFC or Bluetooth access, or uses a screen to display a QR code; similar to the parent's idea so far... Now the device doesn't even have to be a smartphone... just smartphone-like. Smartphones now are capable of using fingerprint readers, so a payment device would only need a Camera, NFC radio, Cell Radio (possibly optional, but would make SMS messaging viable), WiFi radio, Fingerprint reader, and a TFT (maybe GPS too...).

      My idea goes something like this: POS has rung up all the customer's items and requests payment. POS Pay-Pad pops up the total and a QR code on the screen and activates the NFC Radio. Customer can either use the NFC or Camera on their device to get the relevant information (Store Name/Number/Location, Total amount due, any other pertinent info). Device then uses whatever data connection it has available (POS NFC, POS Bluetooth, Wi-Fi hotspot, Cell Data, SMS...etc) to send the information to the requisite Authentication company (MC/V/AmEx/Dsc/Store Card Auth; possibly chosen from a menu on device). Authenticator application then requests a fingerprint from the user to authenticate with. Upon successful authentication a confirmation page would come up where the user can verify all the information received from the QR code / NFC transfer and make sure it's right (the information would not be what was stored from the initial read but received again from the AuthCo to ensure that the data wasn't corrupted in transfer). Re-authenticating by fingerprint confirms the info; hitting a physical button will cancel it. Upon successful second authentication, a one-time-use PIN would appear on the screen for the user to punch into the POS terminal keypad. When the POS receives the PIN and verifies it against information it just received from the Authentication Company, it accepts payment and marks the transaction complete. The only time this whole scenario would fail is during data outages, which could be mitigated by having a physical card as a backup for performing imprints and manual processing on, which the user can possibly log in their authenticator application.

      This is just a thought, but I'm just a dreamer. I hope I'm not the only one.
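The flow sketched in the comment above has three parties (terminal, customer device, authenticator) and a one-time PIN that the terminal checks against something the authenticator sent it directly. Below is an added walk-through of that exchange as working code; it is an example written for this page, not code from Starbucks, any card network, or the commenter. It assumes a per-terminal HMAC key shared between the terminal and the authenticator (provisioned out of band), models the fingerprint checks as booleans, passes messages in memory instead of over NFC/Wi-Fi/cellular, and uses made-up names for the terminal, store and "AuthCo" service. The terminal never learns the PIN in the clear (only a MAC of it), accepts it once, only within a short validity window, and only for the amount it originally asked for.

```python
"""Walk-through of the QR/NFC plus one-time-PIN checkout flow proposed above.
Added example; not code from Starbucks, a card network, or the commenter.
Assumptions: the POS terminal and the authenticator share a per-terminal HMAC
key (provisioned out of band), fingerprint checks are modelled as booleans,
and messages are passed in memory rather than over NFC/Wi-Fi/cellular."""
import hashlib
import hmac
import json
import secrets

PIN_DIGITS = 6
PIN_TTL = 120  # seconds a one-time PIN stays valid at the terminal


class PosTerminal:
    """Store side: shows the QR code, later receives the approval and the typed PIN."""

    def __init__(self, terminal_id, key, store):
        self.terminal_id, self.key, self.store = terminal_id, key, store
        self.open = {}        # nonce -> amount requested
        self.approvals = {}   # nonce -> approval record from the authenticator
        self.completed = set()

    def request_payment(self, amount_cents):
        """Step 1: the QR/NFC payload: store, amount and a fresh per-transaction nonce."""
        nonce = secrets.token_hex(8)
        self.open[nonce] = amount_cents
        return json.dumps({"terminal_id": self.terminal_id, "store": self.store,
                           "amount_cents": amount_cents, "nonce": nonce})

    def receive_approval(self, approval):
        """Step 4: the authenticator tells the terminal what PIN to expect (as a MAC, not in clear)."""
        self.approvals[approval["nonce"]] = approval

    def enter_pin(self, nonce, typed_pin, now):
        """Step 5: the customer types the PIN; accept once, within the TTL, for the right amount."""
        approval = self.approvals.get(nonce)
        if approval is None or nonce in self.completed or now > approval["expires"]:
            return False
        if approval["amount_cents"] != self.open.get(nonce):
            return False
        expected = hmac.new(self.key, (nonce + typed_pin).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval["pin_mac"]):
            return False
        self.completed.add(nonce)   # one-time: a replayed PIN is refused above
        del self.approvals[nonce]
        return True


class Authenticator:
    """Issuer side (the comment's 'AuthCo'; hypothetical name)."""

    def __init__(self):
        self.terminal_keys = {}   # terminal_id -> shared key
        self.pending = {}         # nonce -> transaction awaiting the second fingerprint

    def register_terminal(self, terminal_id, key):
        self.terminal_keys[terminal_id] = key

    def begin(self, qr_payload, fingerprint_ok):
        """Step 2: the device forwards the scanned payload after the first fingerprint check."""
        if not fingerprint_ok:
            raise PermissionError("first fingerprint check failed")
        txn = json.loads(qr_payload)
        if txn["terminal_id"] not in self.terminal_keys:
            raise ValueError("unknown terminal")
        self.pending[txn["nonce"]] = txn
        # Echo the details back from the issuer so the user confirms what the
        # issuer saw, not whatever the device cached from the first scan.
        return dict(txn)

    def confirm(self, nonce, fingerprint_ok, now):
        """Step 3: second fingerprint check; returns the PIN for the user and the approval for the POS."""
        if not fingerprint_ok:
            raise PermissionError("second fingerprint check failed")
        txn = self.pending.pop(nonce)            # KeyError if never begun or already used
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        key = self.terminal_keys[txn["terminal_id"]]
        approval = {"nonce": nonce, "amount_cents": txn["amount_cents"],
                    "pin_mac": hmac.new(key, (nonce + pin).encode(), hashlib.sha256).hexdigest(),
                    "expires": now + PIN_TTL}
        return pin, approval


def run_checkout(amount_cents, now=1_000_000, typo=False, delay=0):
    """Drive one purchase end to end; returns (paid, replay_accepted)."""
    key = secrets.token_bytes(32)                        # constructed shared key
    pos = PosTerminal("T-0042", key, "store #1234 (constructed)")
    auth = Authenticator()
    auth.register_terminal("T-0042", key)
    payload = pos.request_payment(amount_cents)          # QR shown on the pay-pad
    echoed = auth.begin(payload, fingerprint_ok=True)    # device -> AuthCo
    assert echoed["amount_cents"] == amount_cents        # user checks the echoed total
    pin, approval = auth.confirm(echoed["nonce"], fingerprint_ok=True, now=now)
    pos.receive_approval(approval)                       # AuthCo -> POS
    if typo:
        pin = pin[:-1] + str((int(pin[-1]) + 1) % 10)    # one wrong digit
    paid = pos.enter_pin(echoed["nonce"], pin, now + delay)
    replayed = pos.enter_pin(echoed["nonce"], pin, now + delay)
    return paid, replayed
```

Calling `run_checkout(1275)` gives `(True, False)`: the genuine PIN is accepted once and the immediate replay is refused; a PIN with one wrong digit or one typed after the validity window yields `(False, False)`. The design choice worth noting is that the terminal receives a keyed MAC of the PIN rather than the PIN itself, so a compromised terminal (the concern raised earlier in the thread) cannot mint a valid PIN for a different amount.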

  3. dem haxx0rz by Anonymous Coward · · Score: 2, Funny

    r in ur c0ff33 nao

    1. Re:dem haxx0rz by TeknoHog · · Score: 2

      NaOH in ur c0ff33

      FTFY.

      --
      Escher was the first MC and Giger invented the HR department.
  4. We've come a long way since by delusional_wombat · · Score: 2

    tipping over vending machines!

  5. That's a lot of coffee by Anonymous Coward · · Score: 2, Funny

    If police are looking for a criminal who drank $125ish of coffee in 7 minutes I'm guessing they just need to look for the crazy wired guy bouncing off the walls...

    1. Re:That's a lot of coffee by Hognoxious · · Score: 2

      It's only about 3 cups if you take the triple-organic choppa-whoppa-mocha-choppa shoved-up-a-weasel's-butt with chocolate flakes.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  6. Explain this one to me by holophrastic · · Score: 3, Interesting

    Why can starbucks gift cards be used for anything other than buying starbucks products? Why is the cash accessible in the first place? Anyone stealing starbucks gift cards, hackers or thieves, ought to be stuck with boat-loads of coffee, after having visited a starbucks store. Otherwise, folks, it ain't a gift card, it's a charge card, credit card, or direct-monetary-device -- and since starbucks ain't a bank, you ought not be entrusting them with direct access to your money.

    What's the point of a starbucks "gift card" if it operates no differently from the attached credit card?

    1. Re:Explain this one to me by slashkitty · · Score: 4, Informative

      There is a huge market for gift card reselling online. Starbucks makes it a bit easier because you can move $ from one card to another. http://www.giftcardgranny.com/...

      --
      -- these are only opinions and they might not be mine.
  7. Re: Starbucks so trendy! by JazzLad · · Score: 2

    If you did, warn them about 9/11

    --
    "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  8. This happened to me last summer. by possiblybored · · Score: 2

    I woke up to five "We auto-reloaded your card" e-mails from Starbucks overnight. They hit me for $500. They used my Starbucks card (linked to my debit card, set to auto-renew by adding $100 when the balance was low) to purchase email gift card codes in multiples of $25. Canceled my Starbucks card, canceled my debit card, filed a police report. The investigator determined that the codes were sent to a generic e-mail account in Canada, and that was the end of it. The bank was good and put the money back right away. They also changed my debit card number. Starbucks sent me a new card but they never quite fixed the "reload online" part (not auto-reload, which I disabled), so I can only reload in a store, which I'm OK with. Had I known it was going to be that easy for them to hack me, I would have never used auto-reload or had it save my credit card.
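Both the story summary (balance drained, the $25 auto-reload drained, the reload amount raised to $75 and drained again, all in seven minutes) and the account just above (five $100 auto-reloads overnight, exported as e-gift codes) share a shape that the card operator could have caught from its own event stream. Below is an added example of velocity rules over such a stream; it is illustrative code written for this page, not Starbucks' fraud logic. The event kinds, thresholds, account names and timestamps are all constructed; the two suspicious timelines are modelled on the two accounts above, and a benign weekly-reload account is included to show it stays clean.

```python
"""Velocity rules for auto-reload abuse, run over a constructed event stream.
Added example, not Starbucks' own detection logic. Event kinds, thresholds,
account names and timestamps are all made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str            # "auto_reload" | "transfer_out" | "reload_amount_changed"
    amount: float = 0.0  # dollars moved, or the new reload amount for a setting change


RELOAD_WINDOW = timedelta(hours=1)
MAX_RELOADS_IN_WINDOW = 2          # a third auto-reload inside an hour is suspicious
CHANGE_TO_DRAIN = timedelta(minutes=30)
EXPORT_WINDOW = timedelta(hours=24)
EXPORT_THRESHOLD = 100.0           # dollars leaving the account as card-to-card value


def _in_window(events, i, window):
    """Events from the same sorted list whose ts lies in (events[i].ts - window, events[i].ts]."""
    return [e for e in events if events[i].ts - window < e.ts <= events[i].ts]


def velocity_alerts(events):
    """Return {account: sorted rule names} for every account that trips at least one rule."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        hits = set()
        reloads = [e for e in evs if e.kind == "auto_reload"]
        exports = [e for e in evs if e.kind == "transfer_out"]
        changes = [e for e in evs if e.kind == "reload_amount_changed"]
        # Rule 1: too many auto-reloads in a short window (the overnight pattern).
        for i in range(len(reloads)):
            if len(_in_window(reloads, i, RELOAD_WINDOW)) > MAX_RELOADS_IN_WINDOW:
                hits.add("reload_velocity")
        # Rule 2: reload amount raised, then value transferred out soon after.
        for c in changes:
            if any(c.ts < x.ts <= c.ts + CHANGE_TO_DRAIN for x in exports):
                hits.add("raise_then_drain")
        # Rule 3: total card-to-card value exported in a day exceeds the threshold.
        for i in range(len(exports)):
            if sum(x.amount for x in _in_window(exports, i, EXPORT_WINDOW)) > EXPORT_THRESHOLD:
                hits.add("value_export")
        if hits:
            alerts[account] = sorted(hits)
    return alerts


# Constructed sample stream (dates and account names are made up).
T = datetime(2015, 5, 13, 9, 0)
SAMPLE_EVENTS = [
    # Modelled on the story summary: drain, auto-reload, drain, raise reload amount, drain.
    Event("maria", T, "transfer_out", 34.77),
    Event("maria", T + timedelta(minutes=1), "auto_reload", 25.00),
    Event("maria", T + timedelta(minutes=2), "transfer_out", 25.00),
    Event("maria", T + timedelta(minutes=3), "reload_amount_changed", 75.00),
    Event("maria", T + timedelta(minutes=5), "auto_reload", 75.00),
    Event("maria", T + timedelta(minutes=6), "transfer_out", 75.00),
    # Modelled on the comment above: five $100 reloads overnight, each exported as gift codes.
    *[Event("possiblybored", datetime(2014, 7, 20, 23, 10) + timedelta(minutes=20 * k),
            "auto_reload", 100.00) for k in range(5)],
    *[Event("possiblybored", datetime(2014, 7, 20, 23, 12) + timedelta(minutes=20 * k),
            "transfer_out", 100.00) for k in range(5)],
    # Benign: one auto-reload a week, no card-to-card transfers.
    Event("benign", datetime(2015, 5, 4, 8, 15), "auto_reload", 25.00),
    Event("benign", datetime(2015, 5, 11, 8, 30), "auto_reload", 25.00),
]

if __name__ == "__main__":
    for account, rules in velocity_alerts(SAMPLE_EVENTS).items():
        print(f"{account}: {', '.join(rules)}")
```

On the sample stream the first account trips `raise_then_drain` and `value_export`, the second trips `reload_velocity` and `value_export`, and the weekly-reload account produces nothing. The rules deliberately key on card-to-card transfers rather than in-store purchases, since every account in the thread describes the value leaving as a transfer to another card or an e-gift code, which is the step a second-factor prompt or a hold could be attached to.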