Monthly Archives: May 2015

Starbucks: Blaming passwords, victims is bad security practice

Bob Sullivan

Since I broke news of the Starbucks mobile pay / gift card / credit card attack, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on. I’ve been talking to victims of the Starbucks fraud all week, and I’ll have a lot more detail on what’s really happening soon, but for now, I want to clarify a few important issues that keep cropping up: bad passwords, what “hacked” means, what mobile has to do with it, and why victims are “sharing” accounts with criminals.

Starbucks told media outlets around the world all last week that it hadn’t been hacked and blamed the situation on consumers with bad passwords. The firm also repeated many times that the attack has nothing to do with its mobile app. In its first response to my initial inquiries, Starbucks told me the attack is “not connected to mobile payment.” Later, when the firm issued a statement, the first paragraph of that statement read, “News reports that the Starbucks mobile app has been hacked are false.” (Note, I never wrote that the Starbucks mobile app had been hacked, though as you’ll see in a moment, I’m not a fan of the semantics being deployed here.)

Taken collectively, these positions are meant to create the impression that there’s nothing wrong with the way Starbucks is processing payments, and in fact, some journalists declared that to be the case. Fortune magazine wrote “Starbucks says its popular mobile app has not been hacked, contradicting multiple media reports that intruders have hijacked the accounts of hundreds of the coffee chain’s customers…” Starbucks actually never denied that intruders had hijacked consumers’ accounts, and anyone can find victims complaining about just that with a few moments’ work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.

So let me try to clarify a few of these issues.

Blaming the victim (passwords)

It’s true that the attack begins with criminals managing to hijack consumers’ Starbucks accounts by somehow obtaining their username/password combination. As every firm that uses this most rudimentary authentication tool knows, a large percentage of those accounts will always be pretty hackable. People re-use passwords and they use common passwords. They even respond to phishing attacks and divulge their login information. But many years ago, financial institutions stopped blaming customers for this, since that doesn’t solve the problem.

Also, federal law prevents it. The Federal Reserve has ruled that even if customers give a hacker their online banking passwords, financial institutions can’t hold them liable. Here’s the relevant opinion: “Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E,” a decade-old Fed opinion concludes. “Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”

Blaming the victim is bad form, anyway.

What do banks do instead of blame the victim? They take matters out of consumers’ hands and use back-end software to spot fraudulent transactions and stop them.  That’s why, even if you are tricked by a hacker into coughing up your Big Giant Bank login credentials, it’s unlikely that a $2,000 wire transfer to Romania will be approved.

Certainly, Starbucks has some back-end tools in place — I don’t know, because the firm isn’t answering questions about its security. But so many victims have come forward to show me repeated debits with obvious criminal patterns — changed login information followed by rapid-fire withdrawals — it’s obvious Starbucks isn’t doing a great job of spotting suspicious transactions and stopping them in progress.  Why would that be?  One obvious guess: Dialing up the fraud-spotting software would also lead to false positives, which would inconvenience some consumers as they tried to add value to their Starbucks cards. It’s a tough balancing act, but consumers who see their credit or debit cards hacked via their Starbucks account don’t want to hear about balancing acts.
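As an added illustration (not Starbucks’ code, and not a description of what its back end actually does), here is the kind of rule a back-end fraud monitor could apply to the pattern described above: a change of login details followed by a burst of outbound transfers within a short window. The event stream is constructed; the account ids, event names, the 10-minute window and the burst threshold are assumptions.

```python
"""Back-end fraud heuristic: flag accounts where a credential change is
followed by a burst of balance transfers, and hold further transfers.
Added illustration only; the event names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event stream: (timestamp, account, event type, amount).
EVENTS = [
    ("2015-05-10T08:00:00", "acct-1", "email_changed", 0),
    ("2015-05-10T08:01:10", "acct-1", "transfer_out", 50),
    ("2015-05-10T08:02:05", "acct-1", "transfer_out", 50),
    ("2015-05-10T08:02:40", "acct-1", "auto_reload", 100),
    ("2015-05-10T08:03:30", "acct-1", "transfer_out", 100),
    ("2015-05-10T09:00:00", "acct-2", "transfer_out", 10),   # ordinary use
    ("2015-05-10T09:30:00", "acct-3", "email_changed", 0),
    ("2015-05-12T12:00:00", "acct-3", "transfer_out", 25),   # change, but days earlier
]

WINDOW = timedelta(minutes=10)   # assumed: how soon after a change we look
MIN_BURST = 3                    # assumed: transfers in the window that trigger a hold
CHANGE_EVENTS = ("email_changed", "password_changed")


def parse(events):
    """Turn the raw tuples into (datetime, account, kind, amount)."""
    return [(datetime.fromisoformat(ts), acct, kind, amt) for ts, acct, kind, amt in events]


def flag_accounts(events, window=WINDOW, min_burst=MIN_BURST):
    """Return {account: reason} for accounts where a credential change is
    followed by at least `min_burst` outbound transfers inside `window`."""
    by_acct = defaultdict(list)
    for ts, acct, kind, amt in parse(events):
        by_acct[acct].append((ts, kind, amt))

    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()  # chronological order
        for i, (ts, kind, _) in enumerate(evs):
            if kind not in CHANGE_EVENTS:
                continue
            burst = [a for t, k, a in evs[i + 1:]
                     if k == "transfer_out" and t - ts <= window]
            if len(burst) >= min_burst:
                flagged[acct] = (f"{len(burst)} transfers totaling {sum(burst)} "
                                 f"within {window} of {kind}")
                break
    return flagged


def should_hold(account, events):
    """Decision hook for the payment path: hold (do not approve) a new transfer
    while the account matches the takeover pattern, so the fraud is stopped
    in progress rather than investigated afterwards."""
    return account in flag_accounts(events)


if __name__ == "__main__":
    for acct, reason in flag_accounts(EVENTS).items():
        print(f"HOLD {acct}: {reason}")
```

The rule deliberately keys on the sequence (change, then burst) rather than on transfer volume alone, which keeps a customer who simply reloads and spends from tripping it; the window and threshold are the knobs that trade false positives against how quickly an in-progress drain is stopped.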

There’s also this troubling element: I’ve spoken to consumers who swear they didn’t reuse their Starbucks login information, and that their Starbucks passwords were complex, and they’ve been hacked, too. Of course, consumers often “misremember” such things, and are notoriously unreliable when making claims about their security choices. But then, so are corporations under scrutiny.

Maria Nistri and several other consumers I’ve spoken with haven’t been happy that A) Starbucks hasn’t been able to stop fraudulent transactions even when they are reported within a few minutes and B) Starbucks’ toll-free fraud hotline doesn’t open for business until 8 a.m. east coast time. It seems unfair to blame consumers for bad passwords and then not answer the phone when they call to report fraud.

Has Starbucks been hacked? Wrong question

The word “hack” is always problematic in any news report involving a computer crime.  Security folks hate its use, because to them, hacking merely means tinkering. Using a computer as an aid when stealing money is another thing entirely. Unfortunately, hacking is a really convenient shorthand term that readers have come to understand, and it’s fallen into common use.

So we arrive at the confusion over Starbucks’ statement that its mobile app has not been hacked, which is not inaccurate. To be precise: As far as I know, the crime I have described here doesn’t involve a criminal using some kind of advanced technique to intercept data from the Starbucks mobile app, or any similar hacking technique that compromises the integrity of the Starbucks app itself (other researchers have discovered flaws in the app, but this is not that). Instead, criminals have figured out a rather old-fashioned way to drain value off of Starbucks gift cards — loaded onto the Starbucks app or not — and onto cards they control. This gives them the ability to steal from consumers’ debit and credit cards using a Starbucks account as a relay of sorts. Consumers are very likely to experience this as their Starbucks app being “hacked.” I used the word “attack” instead. But really, does it matter? Starbucks consumers are being hacked, after all, and that’s what matters.

Mobile pay vs. gift card

Starbucks’ rather ingenious and simple app is really just an electronic representation of its gift cards, and this simplicity is part of the reason the coffee giant now operates the most popular mobile wallet payment system in the U.S., dwarfing Apple Pay. That makes Starbucks mobile pay incredibly important to the firm. Perhaps that’s why the main point Starbucks made to me in its initial statement was “what you’re describing is not connected to mobile payment – linking the two is inaccurate.” You could argue that this attack really targets Starbucks gift cards and not the app, but I disagree. The line between the Starbucks app and Starbucks gift cards is entirely blurry; they are basically one and the same.

Starbucks gift cards — and in particular the auto-reload function that is the source of some of this trouble — are so popular because the app is so popular. It’s also important to note that Starbucks has gone to immense trouble to push gift card users onto the mobile app, offering all manner of loyalty incentives and so on. I would argue that “de-linking” the two for the purposes of describing this attack would be inaccurate.

Hackers and consumers “sharing” accounts

Finally, one element of this story has confused me since I first spoke to Maria Nistri, and it’s been confirmed by many victims I’ve spoken to. Even after a criminal hijacked her account, Nistri was able to log in to her account on her smartphone. That means Starbucks is permitting simultaneous logins for the same account using different credentials. The criminal is logged in using their new email address, while the victim is logged in with the old credentials — presumably because their mobile device never logs off. This turns out to be a good thing in some cases, because it has allowed many victims to hurriedly de-link their credit cards from the app in the middle of a fraud. But it’s also atypical security behavior. Why would old credentials ever allow someone to log in to an account? Clearly because the app isn’t verifying that it has up-to-date credentials very frequently. More than one consumer has rightly asked me: Once their account is restored, can the criminal still log in? Here’s what one consumer told me a Starbucks representative told her:

“I mentioned that when the hacker changed the login info, I was still logged in from my phone – so couldn’t the thief still have access to the account, too? The CSR said it ‘should kick them off eventually’ because their login credentials will not be able to refresh. I asked for a specific timeframe and he had no idea. He said it should be a few hours…probably.”
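The session behavior discussed in this section, as an added example that is not Starbucks’ code and makes no claim about how its app actually works: a session store that stamps every session with the account’s credential version, bumps that version on any email or password change, and checks it on every request. A stale session is then rejected on its next request rather than “eventually,” and once the account is recovered the criminal’s session dies with it. Account ids, email addresses and passwords below are constructed; the notification list stands in for whatever channel a real service would use to warn the previous address.

```python
"""Sessions bound to a credential version: any email/password change revokes
every session except the one that made the change (after re-authentication),
and account recovery revokes all of them. Added illustration, not Starbucks' code."""
import hashlib
import secrets


def _hash(password):
    # Demo-only hash so the example is self-contained; a real service would
    # use a slow password hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, email, password):
        self.email = email
        self.password_hash = _hash(password)
        self.cred_version = 1  # incremented on every email or password change


class SessionStore:
    def __init__(self):
        self.accounts = {}       # account_id -> Account
        self.sessions = {}       # token -> (account_id, cred_version when issued)
        self.notifications = []  # (recipient email, message) sent to the OLD address

    def register(self, account_id, email, password):
        self.accounts[account_id] = Account(email, password)

    def login(self, email, password):
        """Issue a random session token bound to the current credential version."""
        for account_id, acct in self.accounts.items():
            if acct.email == email and acct.password_hash == _hash(password):
                token = secrets.token_urlsafe(32)
                self.sessions[token] = (account_id, acct.cred_version)
                return token
        return None

    def is_valid(self, token):
        """Checked on EVERY request: a session issued under an older credential
        version is rejected immediately, whether or not the device ever logged off."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        account_id, issued_version = entry
        return issued_version == self.accounts[account_id].cred_version

    def change_email(self, token, current_password, new_email):
        """Changing the login email requires the current password, warns the old
        address, and revokes every other session for the account."""
        if not self.is_valid(token):
            return False
        account_id, _ = self.sessions[token]
        acct = self.accounts[account_id]
        if acct.password_hash != _hash(current_password):
            return False
        old_email, acct.email = acct.email, new_email
        acct.cred_version += 1
        self.notifications.append((old_email, f"login email changed to {new_email}"))
        # Re-bind only the session that made the change to the new version.
        self.sessions[token] = (account_id, acct.cred_version)
        return True

    def reset_password(self, account_id, new_password):
        """Account recovery (e.g. support-assisted): new password, every existing
        session, including the intruder's, is revoked at once."""
        acct = self.accounts[account_id]
        acct.password_hash = _hash(new_password)
        acct.cred_version += 1


def scenario():
    """Walk through the takeover and recovery; returns validity of
    (victim's phone session, intruder's session) after each step."""
    store = SessionStore()
    store.register("acct-1", "victim@example.com", "reused-password")
    phone = store.login("victim@example.com", "reused-password")
    thief = store.login("victim@example.com", "reused-password")  # stolen credentials
    store.change_email(thief, "reused-password", "thief@example.com")
    after_takeover = (store.is_valid(phone), store.is_valid(thief))
    store.reset_password("acct-1", "new-unique-passphrase")
    after_recovery = (store.is_valid(phone), store.is_valid(thief))
    return after_takeover, after_recovery, len(store.notifications)


if __name__ == "__main__":
    print(scenario())
```

The trade-off the post notes (victims used the stale phone session to de-link their cards) is why the change notification to the previous address matters in this design: the legitimate user loses the stale session on the next request, but learns of the change at once and has a recovery path that cuts the intruder off immediately.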

Data Security in the Evolving Payments Ecosystem

Larry Ponemon

Highly publicized payment card breaches affected millions of consumers in 2014. In the wake of these breaches, retailers, financial institutions, payment processors and credit card brands responsible for delivering these systems in the United States are facing more scrutiny than ever before and are meeting at a crossroads in the security conversation.

The discussion will only get more intense with continued innovation in the field. The payments industry is undergoing a revolution led by emerging technologies including mobile payments and wallet technologies, virtual currencies and the deployment of chip and PIN technology. The potential benefit of these new technologies is significant, but it remains to be seen if security risks will prove to be a major barrier to adoption.

Ponemon Institute and Experian® Data Breach Resolution are pleased to present the findings of Data Security in the Evolving Payments Ecosystem. The study explores the impact of mega payments breaches on security and response, as well as the current levels of confidence in the security of emerging payments technologies. Organizations in this study had an average of three data breaches in the past 24 months involving an average of 8,000 customer records.

You can access the entire study on Experian’s website.

As Figure 1 shows, 68 percent of survey respondents say pressure to migrate to new payment systems puts customer data at risk. Respondents are most positive about EMV chip and PIN cards. Fifty-nine percent of respondents cite it as an important part of their organization’s payment strategy and 53 percent of respondents believe chip and PIN cards will decrease or significantly decrease the risk of a data breach.


While some respondents doubt the ability of “chip and PIN” to address the current security issues with card payments, they also believe their companies face new threats posed by continued innovation in payment technologies. In fact, 59 percent of respondents expect data breach risk to increase through the use of mobile payments at point of sale in stores, and 54 percent believe near field communications technology will increase the risk of suffering a breach.

While risk and security concerns loom large, new technologies are being deployed because they offer vastly improved customer convenience. Throughout our study, we found a large percentage of companies are likely to keep moving forward with deployment of new technologies despite concerns about security. More than half of respondents say customer convenience was a higher priority to their organization than security.

In addition to concerns over the ability to secure the next generation of payments technologies, there is also uncertainty about the ability of breached companies to properly manage a security response.

Throughout the industry, organizations continue to be deficient in governance and security practices that could strengthen their data breach preparedness. Only 16 percent of respondents feel companies are very effective in breach response, which suggests much room for improvement in responding to the aftermath of a major incident. Left facing all these questions and the uncertainty of new technologies, the industry can agree on one thing: the need for action.

While unprecedented threats and new security challenges may seem daunting, the payments industry is taking steps to respond and focus more on security. Companies are prioritizing customer needs in their security planning and investing time and resources in improving security.

Sixty-nine percent of companies say media coverage of breaches, including those in the payments industry, over the past year caused their organizations to re-evaluate and prioritize

It’s receiving much more attention at the highest levels of organizations, with 67 percent of respondents noting their C-level executives are more supportive of enhanced security measures to protect payments information. Forty-five percent of respondents said they were increasing their budget and 54 percent are investing in new technologies.

Along with improving security, companies also recognize their responsibility and the importance of protecting their customers after an incident occurs and improving incident response planning. A majority of companies (61 percent) provide identity theft protection and fraud resolution services as a best practice, and 56 percent are re-evaluating and improving incident response planning for a breach, leading to greater communication and guidance to affected customers.

The study surveyed 748 US-based individuals in IT and IT security, risk management, product development and others involved in the payments systems within their organizations. For purposes of this research, payments ecosystem refers to the collection of retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders who ensure the smooth flow of payments and other transactional information.

Read the rest of the study on Experian’s website.