Hackers are stealing money from Starbucks mobile customers through their linked credit cards; nearly 16 million customers who use the company's app are at risk.
Starbucks is the latest victim of scammers: cyber criminals are siphoning money from the credit or debit cards linked to customers' Starbucks accounts.
The attack is quite simple for fraudsters: the criminal only needs the user's Starbucks account credentials, which can easily be stolen with a phishing campaign, to spend with the victim's linked credit card.
Criminals can also steal credentials by keylogging, by trying credentials leaked in other data breaches, or by password brute forcing.
Victims usually receive an email that pretends to come from Starbucks informing them that their username and password have been changed.
Once the fraudsters gain access to the victim's Starbucks account, they can transfer the balance of the gift card in the victim's Starbucks app to another gift card they control, in order to resell it later. Another cash-out scheme for scammers is to buy gift cards and send them to accounts they control.
The worst scenario for the victim occurs when the auto-reload feature is enabled on the Starbucks account, because in that case additional money is automatically loaded onto the Starbucks card every time the balance drops.
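As an added illustration of the cash-out loop just described (not code from the original article or from Starbucks), here is a small detection rule set a payments team could run over account event logs; the event format, sample events and thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account events (not real Starbucks data). Account "u1"
# shows the takeover pattern described above: a password change, then the
# gift-card balance drained to another card while auto-reload keeps topping
# the balance up from the linked credit card. "u2" is normal use.
EVENTS = [
    {"ts": "2015-05-13T08:00:00", "acct": "u1", "type": "password_change"},
    {"ts": "2015-05-13T08:02:00", "acct": "u1", "type": "transfer_out", "amount": 25.0},
    {"ts": "2015-05-13T08:03:00", "acct": "u1", "type": "auto_reload", "amount": 25.0},
    {"ts": "2015-05-13T08:04:00", "acct": "u1", "type": "transfer_out", "amount": 25.0},
    {"ts": "2015-05-13T08:05:00", "acct": "u1", "type": "auto_reload", "amount": 25.0},
    {"ts": "2015-05-13T08:06:00", "acct": "u1", "type": "transfer_out", "amount": 25.0},
    {"ts": "2015-05-13T09:00:00", "acct": "u2", "type": "purchase", "amount": 4.5},
    {"ts": "2015-05-13T09:30:00", "acct": "u2", "type": "auto_reload", "amount": 25.0},
]

ZERO = timedelta(0)


def _t(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_accounts(events, window=timedelta(minutes=30),
                             max_reloads=1, max_transfer_total=50.0):
    """Return {account: [reasons]} for accounts matching the cash-out pattern.
    Thresholds are illustrative assumptions, not Starbucks' real rules."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_acct[e["acct"]].append(e)

    findings = {}
    for acct, evs in by_acct.items():
        reasons = []
        pw_changes = [_t(e) for e in evs if e["type"] == "password_change"]
        transfers = [e for e in evs if e["type"] == "transfer_out"]
        reloads = [_t(e) for e in evs if e["type"] == "auto_reload"]
        # Rule 1: balance moved off the account shortly after a credential change.
        if any(ZERO <= _t(t) - p <= window for t in transfers for p in pw_changes):
            reasons.append("transfer_after_password_change")
        # Rule 2: auto-reload firing repeatedly inside one window is the drain loop.
        if any(sum(1 for x in reloads if ZERO <= x - r <= window) > max_reloads
               for r in reloads):
            reasons.append("repeated_auto_reload")
        # Rule 3: total outbound transfers in this batch exceed the threshold.
        if sum(t["amount"] for t in transfers) > max_transfer_total:
            reasons.append("transfer_total_exceeded")
        if reasons:
            findings[acct] = reasons
    return findings
```

Any account that trips Rule 1 or Rule 2 is a candidate for freezing transfers and forcing re-authentication before more auto-reload charges hit the linked card.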
According to a source inside the company, the frauds have been going on at least since January. Starbucks explained that it is already working to protect its customers and urged users to report any suspicious activity on their accounts.
The company says it has "safeguards in place to constantly monitor for fraudulent activity," but is "unable to discuss specific security measures" publicly, for obvious reasons.
"If a customer believes their account may be subject to fraudulent activity, we encourage them to contact us and their financial institution immediately," a company representative stated, adding that "customers are not responsible for charges or transfers they didn't make."
Of course, I recommend that all Starbucks customers immediately disable the auto-reload feature on Starbucks mobile payments and gift cards.
The attack on Starbucks demonstrates the importance of adopting multi-factor authentication: it is too easy for cyber criminals to guess or steal a user password, and when accounts are linked to a payment process the effect can be serious. This type of small-amount theft can be automated by reusing already exposed credentials.
As usual, a proper security posture can also help mitigate account takeover; I always recommend that you avoid using the same credentials across multiple services, to prevent a domino effect if one of them is breached.
Unfortunately, cyber attacks similar to the one that hit Starbucks are quite common.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".