Since I broke news of the Starbucks mobile pay / gift card /credit card attack, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on. I’ve been talking to victims of the Starbucks fraud all week, and I’ll have a lot more detail on what’s really happening soon, but for now, I want to clarify a few important issues that keep cropping up: Bad passwords, what “hacked” means, what does mobile have to do with it, and why victims are “sharing” accounts with criminals.
Starbucks told media outlets around the world all last week that it hadn’t been hacked and blamed the situation on consumers with bad passwords. The firm also repeated many times that the attack has nothing to do with its mobile app. In its first response to my initial inquires, Starbucks told me the attack is “not connected to mobile payment.” Later, when the firm issued a statement, the first paragraph of that statement read, “News reports that the Starbucks mobile app has been hacked are false.” (Note, I never wrote that Starbucks mobile app had been hacked, though as you’ll see in a moment, I’m not a fan of the semantics being deployed here.)
Taken collectively, these positions are meant to create the impression that there’s nothing wrong with the way Starbucks is processing payments, and in fact, some journalists declared that to be the case. Fortune magazine wrote “Starbucks says its popular mobile app has not been hacked, contradicting multiple media reports that intruders have hijacked the accounts of hundreds of the coffee chain’s customers…” Starbucks actually never denied that intruders had hijacked consumers accounts, and anyone can find victims complaining about just that with a few moment’s work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.
So let me try to clarify a few of these issues.
Blaming the victim (passwords)
It’s true that the attack begins with criminals managing to hijack consumers’ Starbucks accounts by somehow obtaining their username/password combination. As every firm that uses this most rudimentary authentication tool knows, a large percentage of those accounts will always be pretty hackable. People re-use passwords and they use common passwords. They even respond to phishing attacks and divulge their login information. But many years ago, financial institutions stopped blaming customers for this, since that doesn’t solve the problem.
Also, federal law prevents it. The Federal Reserve has ruled that even if customers give a hacker their online banking passwords, financial institutions can’t hold them liable. Here’s the relevant opinion: “Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E,” a decade-old Fed opinion concludes. “Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”
Blaming the victim is bad form, anyway.
What do banks do instead of blame the victim? They take matters out of consumers’ hands and use back-end software to spot fraudulent transactions and stop them. That’s why, even if you are tricked by a hacker into coughing up your Big Giant Bank login credentials, it’s unlikely that a $2,000 wire transfer to Romania will be approved.
Certainly, Starbucks has some back-end tools in place — I don’t know, because the firm isn’t answering questions about its security. But so many victims have come forward to show me repeated debits with obvious criminal patterns — changed login information followed by rapid-fire withdrawals — it’s obvious Starbucks isn’t doing a great job of spotting suspicious transactions and stopping them in progress. Why would that be? One obvious guess: Dialing up the fraud-spotting software would also lead to false positives, which would inconvenience some consumers as they tried to add value to their Starbucks cards. It’s a tough balancing act, but consumers who see their credit or debit cards hacked via their Starbucks account don’t want to hear about balancing acts.
There’s also this troubling element: I’ve spoken to consumers who swear they didn’t reuse their Starbucks login information, and that their Starbucks passwords were complex, and they’ve been hacked, too. Of course, consumers often “misremember” such things, and are notoriously unreliable when making claims about their security choices. But then, so are corporations under scrutiny.
Maria Nistri and several other consumers I’ve spoken with haven’t been happy that A) Starbucks hasn’t been able to stop fraudulent transactions even when they are reported within a few minutes and B) Starbucks toll-free fraud hotline doesn’t open for business until 8 a.m. east coast time. It seems unfair to blame consumers for bad passwords and then not answer the phone when they call to report fraud.
Has Starbucks been hacked? Wrong question
The word “hack” is always problematic in any news report involving a computer crime. Security folks hate its use, because to them, hacking merely means tinkering. Using a computer as an aid when stealing money is another thing entirely. Unfortunately, hacking is a really convenient shorthand term that readers have come to understand, and it’s fallen into common use.
So we arrive at the confusion over Starbucks’ statement that its mobile app has not been hacked, which is not inaccurate. To be precise: As far as I know, the crime I have described here doesn’t involve a criminal using some kind of advanced technique to intercept data from Starbucks mobile app, or any similar hacking technique that compromises the integrity of the Starbucks app itself (other researchers have discovered flaws in the app, but this is not that). Instead, criminals have figured out a rather old-fashioned way to drain value off of Starbucks gift cards — loaded onto the Starbucks app or not — and onto to cards they control. This gives them the ability to steal from consumers’ debit and credit cards using a Starbucks account as a relay of sorts. Consumers are very likely to experience this as their Starbucks app being “hacked.” I used the word “attack” instead. But really, does it matter? Starbucks consumers are being hacked, after all, and that’s what matters.
Mobile pay vs. gift card
Starbucks’ rather ingenious and simple app is really just an electronic representation of its gift cards, and this simplicity is part of the reason the coffee giant now operates the most popular mobile wallet payment system in the U.S., dwarfing Apple Pay. That makes Starbucks mobile pay incredibly important to the firm. Perhaps that’s why the main point Starbucks made to me in its initial statement was “what you’re describing is not connected to mobile payment – linking the two is inaccurate.” You could argue that this attack really targets Starbucks gift cards and not the app, but I disagree. The line between the Starbucks app and Starbucks gift cards is entirely blurry; they are basically one in the same.
Starbucks gift cards, and in particular the auto-reload function that is the source of some of this trouble — are so popular because the app is so popular. It’s also important to note that Starbucks has gone to immense trouble to push gift card users onto the mobile app, offering all manner of loyalty incentives and so on. I would argue that “de-linking” the two for the purposes of describing this attack would be inaccurate.
Hackers and consumers “sharing” accounts
Finally, one element of this story has confused me since I first spoke to Maria Nistri, and it’s been confirmed by many victims I’ve spoken to. Even after a criminal hijacked her Starbucks.com account, Nistri was able to log in to her account on her smartphone. That means Starbucks is permitting simultaneous logins for the same account using different credentials. The criminal is logged in using their new email address, while the victim is logged in with the old credentials — presumably because their mobile device never logs off. This turns out to be a good thing in some cases, because it has allowed many victims to hurriedly de-link their credit cards from the app in the middle of a fraud. But it’s also atypical security behavior. Why would old credentials ever allow someone to log in to an account? Clearly because the app isn’t verifying that it has up-to-date credentials very frequently. More than one consumer has rightly asked me: Once their account is restored, can the criminal still log in? Here’s what one consumer told me a Starbucks representative told her:
“I mentioned that when the hacker changed the login info, I was still logged in from my phone – so couldn’t the thief still have access to the account, too? The CSR said it should kick them off eventually’ because their login credentials will not be able to refresh. I asked for a specific timeframe and he had no idea. He said it should be a few hours…probably.”