Hackers hit Starbucks mobile users for credit card details

Reports emerged earlier this week that hackers are targeting Starbucks customers and stealing credit card details through the company's mobile app.

Reporter Bob Sullivan first broke the news, saying that the hackers' scam is "so ingenious they don’t even need to know the account number of the card they are hacking."

Apparently, criminals are accessing people's credit card information through the auto-load function in the app and draining bank accounts before the victims are even aware that something is wrong.

Various industry experts have offered their thoughts on the news.

Brendan Rizzo, technical director EMEA, HP Security Voltage:

"This hack underscores the need for companies to protect all of the sensitive information they hold on their customers. Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash.

"In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks.

"Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks."

Stephen Coty, chief security evangelist, Alert Logic:

"16 Million Starbucks customer who utilise their mobile payment service may have been compromised as part of a organised attack. There have been reports of the mobile app being manipulated to hijack funds once the mobile device is reloaded with funds from a credit or gift card.

"There has been conversations through Twitter about customers seeing fraud taking place with their Starbucks accounts. Starbucks has said that they process approximately $2 billion in mobile payments

"The timing of this attack is very interesting since, just about a week ago, Starbucks had an issue in their stores with their payment system not allowing for the processing of credit cards. Makes you think what exactly happened to the payment system that shut down the service for a day and gave attackers an opportunity to compromise a part of their system."

Gavin Reid, VP of threat intelligence, Lancope:

"Nothing too new here – if you guess the username and password for an account that is backed by you bank bad things can and will follow. This highlights problems with using consumer cards & accounts that are backed up with either a high limit credit card or even worse the current checking account.

"Ideally vendors would make this form of compromise harder by using multi factor authentication and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss.

"This type of small amount theft can be automated reusing already exposed credentials. Consumers can protect themselves by setting hard to guess unique passwords."

Roy Tobin, Threat Researcher at Webroot:

"Whilst there have been no reports of similar incidents in the UK this should serve as a timely reminder for consumers and businesses alike to re-examine their security protocols.

"Credentials leaked in previous cyberattacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers. The key security takeaway from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly reused by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services.

"Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts. Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used.

"This extra security hurdle can effectively stop hackers in their tracks, while alerting the user to the unauthorised attempt to access their account and prompting them to change their password.