The Truth about the Starbucks App Hack and Who’s Really to Blame

Last month international headlines blared that the Starbucks rewards app had been hacked and people’s accounts were being drained. I even sent a Tweet related to the news, encouraging people to use strong passwords for their Starbucks rewards accounts.

But was the smartphone app really hacked? Headlines like this: “Hackers are draining bank accounts via the Starbucks app” make it sound like hackers could magically access the rewards app on your smartphone and drain your card balance. Users would be forgiven for thinking the best way to deal with this problem would be to delete the app from their smartphone.

However, looking a little closer reveals that the problem isn’t with the app, but with the Starbucks rewards website at Starbucks.com. Deleting the app wouldn’t help fix the problem at all.

The real problem appears to be that the accounts of Starbucks rewards customers were compromised by attackers. Either the passwords on customer accounts were simple enough to be brute-forced, or they were taken from breaches of other websites and replayed against Starbucks.com (an attack usually called credential stuffing). Because people often reuse their passwords, it makes sense for attackers to start with the username-and-password pairs they already hold.

Starbucks rewards users were advised to unlink their credit cards from the Starbucks rewards system and disable auto-reloading of their Starbucks card balance. In fact, I was in line at a Starbucks and I heard the cashier give that very advice to a customer: “Delete your credit card from the website. We’ll reload your rewards card for you,” he told her.

While his advice was sound, I was disappointed with this defeatist approach to dealing with security: “We were hacked, so don’t use our app the way it was designed.”

Who’s Really to Blame?

That an attack on the Starbucks rewards site occurred is obvious, but who is really at fault is less so. From my perspective, there are three potential parties who could be blamed for this attack: the hackers, the users, and Starbucks. Let’s look at them one by one.

First, the hackers. Obviously, if the hackers were removed from this equation, the problem would go away entirely. But that's always the case: if there were no bad actors, we'd all be safe. The fact is, there will always be bad actors. While they are the source of the problem, there is still plenty of blame to go around.

Second, the users. Customers who reused passwords from other sites on the Starbucks rewards site, or who had easily brute-forced passwords, opened themselves up to simple attacks and were much more likely to be victims. Using weak passwords on accounts that connect to credit cards is practically asking for trouble, and any users who did that must share part of the blame.

Finally, Starbucks. Starbucks cannot go without blame in this case. I find it interesting that Starbucks didn’t say, “Criminals attacked our site and were able to access some of our user accounts. We will refund any money lost by our users and will implement new security controls to ensure this doesn’t happen again.”

Instead, they essentially said, “Sometimes our customers reuse their user names and passwords on many sites—and if they did that on ours, they might have been hacked. We encourage our customers to use different user names and passwords on different sites.”

It sounds like Starbucks is blaming their customers even though it was their site, which they are responsible for protecting, that got hacked.

While the attackers who took advantage of people who used weak security on the Starbucks rewards site are truly the ones at fault for the attack, both Starbucks and the site users get to share some blame, too. If Starbucks had implemented some fundamental website security controls (as I’ll describe in my upcoming ebook), the chances of the attacks succeeding would have been significantly reduced.

If I were in charge of the website security for the Starbucks rewards site, here are four security controls I would implement:

  1. Login blocks after 5 incorrect attempts (a temporary lock with a cool-down period rather than a permanent one, so an attacker can't lock legitimate users out of their own accounts simply by guessing wrong on purpose).
  2. A CAPTCHA to prevent automated logins by bots.
  3. Two-step verification (for example, a one-time code sent to the user's phone) for major account changes such as changing email addresses or transferring card balances.
  4. Hire a security firm to conduct a penetration test of the Starbucks rewards website and remediate any serious security findings.
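As an added illustration of the first control (this is example code written for this post, not Starbucks's code), here is a small login service that counts consecutive failures per account, locks the account for a cool-down period after the fifth failure, and rejects even the correct password while the lock is in force. The user name, passwords and timings are constructed for the demo; a real deployment would keep the counters in a shared store such as Redis so every web node sees the same count.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # "5 incorrect attempts" from the list above
LOCKOUT_SECONDS = 15 * 60   # temporary lock; a permanent lock lets an attacker DoS any user


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    """Tracks consecutive failures per account and enforces a timed lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the lock expiry can be tested
        self._failures = {}          # username -> consecutive failure count
        self._locked_until = {}      # username -> unix time when the lock expires

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def record_failure(self, username: str) -> None:
        n = self._failures.get(username, 0) + 1
        if n >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            n = 0                    # the counter restarts once the lock has expired
        self._failures[username] = n

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


class LoginService:
    def __init__(self, throttle: LoginThrottle):
        self.throttle = throttle
        self._users = {}             # username -> (salt, password hash); constructed store

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'locked', 'ok' or 'bad'."""
        if self.throttle.is_locked(username):
            return "locked"          # rejected before the password is even checked
        entry = self._users.get(username)
        if entry is None:
            # Unknown user: burn the same hashing cost and count the failure anyway,
            # so guessing user names costs the same as guessing passwords.
            hash_password(password, b"\0" * 16)
            ok = False
        else:
            salt, stored = entry
            ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.throttle.record_success(username)
            return "ok"
        self.throttle.record_failure(username)
        return "bad"


def simulate_brute_force(service: LoginService, username: str, guesses) -> list:
    """Replays a list of password guesses and returns the outcome of each attempt."""
    return [service.login(username, g) for g in guesses]


if __name__ == "__main__":
    now = [1_000_000.0]              # fake clock so the demo can jump past the lockout
    svc = LoginService(LoginThrottle(clock=lambda: now[0]))
    svc.register("alice@example.com", "correct horse battery staple")   # constructed account
    guesses = ["password", "123456", "starbucks", "latte", "qwerty",
               "correct horse battery staple"]                            # 6th guess is right
    print(simulate_brute_force(svc, "alice@example.com", guesses))
    print(svc.login("alice@example.com", "correct horse battery staple"))  # still locked
    now[0] += LOCKOUT_SECONDS + 1
    print(svc.login("alice@example.com", "correct horse battery staple"))  # lock expired
```

The point the demo makes is the one that matters for a credential-stuffing attack: the sixth guess is the real password, but the account is already locked, so the attacker gets "locked" rather than a session. Combining this per-account counter with a per-source-IP limit and a CAPTCHA after the first few failures covers the case where an attacker spreads guesses across many accounts instead of hammering one.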

If you use the Starbucks customer rewards website, here’s what I recommend you do:

  1. Change your password to a complex password that you don’t use on any other website.
  2. Change your password every 90 days.
  3. If you don’t want to make these changes, you should remove any credit card information from the site and disable auto-reload of your card. You can always reload your card with a Starbucks cashier.
  4. Check https://passrock.com/checkaccounts.php to see if your email address is associated with any compromised accounts.

Personally, I use the Starbucks rewards app and website, but I have a very strong password that’s unique to their website. I also make sure to change it periodically. Since I use a password manager, that isn’t a big deal.

In conclusion, there’s plenty of blame to go around when it comes to this attack and the money that was stolen. There are also many security practices that both Starbucks and its customers could follow to help prevent similar attacks from happening in the future.

The question is: will those security practices be followed?

What do you think? Please leave your thoughts in the comments below.

Related links

An early report of the original hack:
https://bobsullivan.net/cybercrime/identity-theft/exclusive-hackers-target-starbucks-mobile-users-steal-from-linked-credit-cards-without-knowing-account-number/#

Starbucks denies blame for the security flaw:
http://www.theregister.co.uk/2015/05/15/starbucks_top_up_scam_hack/

Customers struggle to get refunds from Starbucks:
https://bobsullivan.net/cybercrime/identity-theft/starbucks-victim-i-had-to-beg-and-plead-to-get-my-money-back-also-new-security-questions/

Suggesting account lockouts to Starbucks for better security:
http://theconversation.com/apple-and-starbucks-could-have-avoided-being-hacked-if-theyd-taken-this-simple-step-41999

A customer tells Starbucks about a different security problem, but Starbucks doesn’t respond well:
http://www.bbc.com/news/technology-32844123

Photo credit: jerine
