News has reached us that credit card hackers are targeting Starbucks gift card and mobile payment users and stealing from consumers’ credit cards.
This new scam is so ingenious, the cyber criminals don’t even need to know the account number of the card they are hacking. By taking advantage of the Starbucks auto-reload feature, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, it can escalate quickly.
“16 Million Starbucks customer who utilise their mobile payment service may have been compromised as part of a organised attack. There have been reports of the mobile app being manipulated to hijack funds once the mobile device is reloaded with funds from a credit or gift card,” explains Stephen Coty, chief security evangelist, Alert Logic.
“There has been conversations through Twitter about customers seeing fraud taking place with their Starbucks accounts. Starbucks has said that they process approximately $2 billion in mobile payments.
The timing of this attack is very interesting since, just about a week ago, Starbucks had an issue in their stores with their payment system not allowing for the processing of credit cards. Makes you think what exactly happened to the payment system that shut down the service for a day and gave attackers an opportunity to compromise a part of their system.”
“This hack underscores the need for companies to protect all of the sensitive information they hold on their customers. Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash,” continues Brendan Rizzo, technical director EMEA, HP Security Voltage.
“In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks.
Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”