More and more purchases are being made through non-traditional methods, like mobile apps. However, concerns remain about the security of these methods as we continue to see data breaches hit the news on an almost daily basis.
Large numbers of Starbucks’ customers have reported their accounts being hacked, reportedly as a result of an attack dating back to 2015. Some say they’ve had money tapped from their accounts on the mobile app, and according to USA TODAY, the cyber-hackers used a ‘clever new attack’ without actually hacking Starbucks itself.
The attack which first appeared in May 2015 takes advantage of:
As many customers use the Starbucks app to process the payment for their daily coffee fixes, any threat to the app could be disastrous. The company notes that nearly 1/3 of its transactions are done via the app. In 2014, Starbucks processed $2 billion (£1.5 billion) in mobile payment transactions, so you can see how a data breach can really endanger the company.
According to one cyber-security firm, Checkmarx, this is one way hackers can profit from stolen information. First, cyber-criminals can purchase stolen login details and passwords from the black market. Second, they can use an automated programme that’ll try the stolen combinations on the Starbucks mobile app until one works. This kind of attack using stolen information is known as a “brute force” attack. It’s lethal as the programme can process hundreds of login-password combinations per second.
This shows that the stolen information can generate fraudulent activity in no time.
Checkmarx goes on to say that, once the cyber-criminals have access to the account, they can add a new gift card and transfer whatever balance the account holder has onto the gift card – which they have full control over. If the account holder has set up a recurring payment from their credit card, this could effectively give the cyber-criminals a never-ending supply of money until the app user realises.
Chief technology officer of Lookout, Kevin Mahaffey, says that cybercriminals are:
“…likely [to] resell them on the internet for face value or less, eventually turning those Starbucks dollars into real dollars.”
The brute force attack is possibly one of the most successful and common methods of cyber-attack. As customers use the same login and password combinations across several of their online accounts, it doesn’t leave much to the imagination – hackers can access multiple accounts with one theft.
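An added example, not part of the original article and not Starbucks' or Checkmarx's code: a defender-side check over login logs for the pattern described above, where one source tries many different accounts with mostly failed logins (often called credential stuffing), followed by the gift-card-and-transfer step. The log fields, action names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # assumed sliding window
MIN_DISTINCT_USERS = 5    # assumed: accounts tried by one source inside the window
MAX_SUCCESS_RATIO = 0.2   # assumed: runs of stolen credentials mostly fail

def find_stuffing_sources(events):
    """events: (ts_seconds, source, username, success), sorted by time.
    Returns {flagged source: usernames it logged in to successfully}."""
    window = defaultdict(deque)
    flagged = set()
    hits = defaultdict(set)
    for ts, source, user, ok in events:
        q = window[source]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                      # drop attempts older than the window
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        # Many different accounts from one source, almost all failing.
        if len(users) >= MIN_DISTINCT_USERS and successes / len(q) <= MAX_SUCCESS_RATIO:
            flagged.add(source)
        if ok:
            hits[source].add(user)
    return {s: hits[s] for s in flagged}

def takeover_followups(compromised, actions):
    """actions: (ts_seconds, username, action), sorted by time.
    Returns compromised accounts that add a gift card and then move balance."""
    card_added, drained = set(), []
    for _, user, action in actions:
        if user not in compromised:
            continue
        if action == "add_gift_card":        # hypothetical action name
            card_added.add(user)
        elif action == "transfer_balance" and user in card_added:
            drained.append(user)
    return drained

# Constructed sample data (documentation IP ranges, made-up usernames).
SAMPLE_LOGINS = [(i, "203.0.113.7", f"user{i:02d}", i == 7) for i in range(10)]
SAMPLE_LOGINS += [(20, "198.51.100.20", "alice", False),
                  (25, "198.51.100.20", "alice", True)]
SAMPLE_ACTIONS = [(30, "user07", "add_gift_card"),
                  (31, "user07", "transfer_balance"),
                  (40, "alice", "transfer_balance")]

if __name__ == "__main__":
    found = find_stuffing_sources(SAMPLE_LOGINS)
    at_risk = set().union(*found.values()) if found else set()
    print(found, takeover_followups(at_risk, SAMPLE_ACTIONS))
```

A customer who mistypes a password once before logging in ("alice" in the sample) is not flagged, because only one account is tried from that source.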
BuzzFeed News reporter Venessa Wong reported that her account was compromised back in March 2017. Ms Wong received an email alert from Starbucks containing a receipt for reloading $100 (£77) onto her mobile app, using the saved credit card. She noted that, by the time she logged into her account, the cyber-hacker had made 3 purchases in the San Diego store: $48.32 (£37), $49.75 (£38) and $15.83 (£12). By the time she got on the phone to the customer service department, she noted, her account had been emptied.
Two years on from the first reports of the cyber-hack and Starbucks are still reportedly none the wiser and haven’t really done much about the hack. The Starbucks app still appears to be vulnerable to the same weaknesses from two years ago.
Starbucks confirmed that it doesn’t support two-factor authentication as yet. Many companies like Apple and Facebook support this cyber-security method, which sends a code via text message or email when you or someone else tries to log in to the account from a new device.
Chief Executive of US Cyber Vault, Rob LaMear, notes his disappointment:
“I was surprised that in two years, Starbucks hasn’t gotten more aggressive.”
More customers are venting their frustration at Starbucks on Twitter, but the company’s only response seems to be that it has “a team of engineers dedicated to advancing security and fraud prevention”. It also said, “We strongly encourage our customers to follow best practices to protect their accounts.”
What does that even mean?!
Shouldn’t Starbucks introduce two-factor authentication to minimise the risk of fraudulent activity?
The simple answer is yes, in our view.
Shockingly, Starbucks didn’t seem to see the urgency of the issue when it emailed BuzzFeed News:
“…while account takeover (ATO) activity is an industry wide challenge, we see only a tiny fraction of one percent of our account holders impacted.”
I mean, with Starbucks having over 500 customers per day per store (in 2013), isn’t that a large enough figure for them to take their cyber-security more seriously?