Mobile Payments Convenient for Customers; Criminals Too
Update: No, Starbucks is not hacked, as their statement noted yesterday. They acknowledge that they get customer reports of "unauthorized activity on their online accounts" due to criminals that "obtain reused names and passwords from other sites and attempt to apply that information to Starbucks." While they recommend using strong passwords, there's no word on whether they plan to offer two-factor authentication to their customers.
Mobile payment enthusiasts, beware: criminals are targeting customers who use a Starbucks card or the company’s mobile payment app to make purchases at the chain. As usual, the attacks are traced back to stolen customer usernames and passwords that allow attackers to steal money from the victims' accounts.
One convenient feature lets customers automatically refill their Starbucks account whenever the balance dips below a custom amount, which requires linking a credit card to the account.
While it’s convenient for both customers and Starbucks, it’s also convenient for anyone with a stolen password to log into their account, reload and steal the money.
Another convenient feature allows customers to transfer their balance from one gift card to another or combine balances from multiple cards onto a single card - which means a criminal who logs in with a stolen password can also easily move balances to their own card.
This is a key example of the need to balance usability, convenience and security when providing payment features for customers. It may be good for business to streamline the payment process, but there’s a tradeoff in this scenario that puts customers at risk.
According to investigative reporter Bob Sullivan, writing on Elliott.org, the coffee chain giant processed $2 billion in mobile payment transactions last year, with one in six Starbucks transactions being conducted with the app. These are no small numbers - there’s no telling how many users may be affected.
This isn’t the first time that mobile payments have been targeted by attackers - in March, The Wall Street Journal reported that criminals were loading stolen credit card data onto iPhones and making fraudulent purchases, taking advantage of poor authentication security on the part of banks. When it came to verifying that credit cards were legit, banks often outsourced the job to call centers, with security as an afterthought. Find out more in Criminals Leverage Apple Pay for Fraud; Banks Boost Authentication Security.
Furthermore, it certainly isn’t the first time that accounts linked to credit cards have been hacked and exploited by criminals - in November, criminals targeted Hilton Hotel reward members that used the Hilton HHonors app, which accrues loyalty points whenever members book hotel rooms. Criminals easily brute-forced 4-digit PIN passwords using automated password-guessing tools, stealing points and using linked credit cards to buy more points. Learn more in Preferred Hotel Guest Programs: Keyless Entry & Security.
Again, the root of all of these breaches traces back to weak authentication practices that require only a password to get access to credit card and other payment/financial information.
For example, the balance transfer feature on the Starbucks app requires entry of a verification code sent to the account's email address. While this may seem like a reasonable extra security measure, it’s stupid easy to sidestep: criminals that already have access to your Starbucks account can change the email address associated with it, meaning they can complete the second verification step themselves.
Using an out-of-band method to complete two factor, such as a smartphone authentication mobile app that sends push notification authentication requests to your phone, is one way to ensure greater security when logging into mobile payment or other accounts that are linked to your credit card. Or, use an authentication app to generate TOTP (time-based one-time passwords) that you can type into your two-factor authentication prompt in order to log into your mobile payment account securely.
While email verification can be completed by anyone with your password and a web browser, mobile app authentication requires the use of a registered, physical mobile device, which can deter attackers that attempt to log into your accounts remotely to steal money.
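As an added example (not Starbucks's code or any vendor's), this Python sketch shows the defender-side logic the post argues for: an RFC 6238 TOTP check bound to a secret enrolled on the registered device, with sensitive actions, including changing the account email, gated on it rather than on a code mailed to whatever address the session can edit. The `Account`, `authorize` and `STEP_UP_ACTIONS` names are assumptions; the secret used below is the RFC 6238 test key.

```python
import hmac
import hashlib
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Account:
    """Hypothetical account model. The second factor is a secret shared only with the
    registered device; nothing a password-only session can edit (such as the email
    address) has any effect on it."""
    def __init__(self, email: str, totp_secret: bytes):
        self.email = email
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted, to block replay

    def verify_totp(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the current step +/- `window` steps for clock drift, compare in
        constant time, and never accept a step at or below one already consumed."""
        for drift in range(-window, window + 1):
            t = now + drift * STEP
            if t // STEP > self.last_counter and hmac.compare_digest(totp(self.totp_secret, t), code):
                self.last_counter = t // STEP
                return True
        return False

# Actions that move money or change how verification reaches the user need the device
# factor, so a password alone cannot swap the email and then self-approve a transfer.
STEP_UP_ACTIONS = {"transfer_balance", "change_email", "change_password", "add_card"}

def authorize(account: Account, action: str, code, now: int) -> bool:
    """Return True if `action` may proceed; `code` is the TOTP typed by the user (or None)."""
    if action not in STEP_UP_ACTIONS:
        return True  # e.g. viewing the balance: a password session is enough
    return code is not None and account.verify_totp(code, now)

if __name__ == "__main__":
    acct = Account("me@example.com", b"12345678901234567890")  # RFC 6238 test secret
    code = totp(acct.totp_secret, 1111111111)
    print(authorize(acct, "change_email", None, 1111111111))       # False: password only
    print(authorize(acct, "change_email", code, 1111111111))       # True
    print(authorize(acct, "transfer_balance", code, 1111111111))   # False: replayed code
```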
Learn more about two-factor authentication in our free Two-Factor Authentication Evaluation Guide.