The discovery that thieves who take over a customer's Starbucks mobile-app account can use it to run up charges on the credit card, debit card or PayPal account linked to it shows that the old conventional wisdom regarding the safety of apps is now obsolete.
According to the old conventional wisdom (“old” here meaning “before summer 2014”), smartphone apps are much safer than a traditional Internet-connected computer browsing websites. After all, not until last August did security researchers disclose a previously unknown weakness that left the Android, Windows and iOS mobile operating systems vulnerable to what was essentially the app equivalent of malware.
And only in November did anyone report the first serious malware threatening iPhones and iPads.
But both of those 2014 stories involved dangers from third-party apps, so the conventional wisdom could still hold that you would stay safe as long as you avoided third-party sources and stuck to officially approved app store options.
That happy state of affairs ended during the first week of January 2015, when researchers found a malicious app in the official Google Play store, one that “pretends to protect your data, then steals it.” More malicious apps were discovered in (and removed from) Google Play in February.
And late last week, Starbucks acknowledged that thieves were stealing money from some customers' mobile accounts. Starbucks insists that the company itself was not breached; instead, the thieves broke into individual users' Starbucks accounts, most likely with passwords obtained elsewhere, whether by phishing or by reusing credentials leaked from some other site. (The initial evidence, plus the genuinely small number of Starbucks app users who have complained of theft, suggests that Starbucks is right: a breach of Starbucks' own systems would be expected to hit far more accounts than this.)
Consumer advocate Bob Sullivan first pointed out the problem last week. Once the thieves gain access to your Starbucks account, they never need to see your card number: they spend down the stored balance, and the app's auto-reload feature then charges your linked credit card, debit card or PayPal account to top the balance back up, ready to be spent again. As Sullivan explains:
Maria Nistri, 48, was a victim this week. Criminals stole the Orlando wom[a]n’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes. … The trouble started at 7:11 a.m. on Wednesday when she received an automated email saying her username and password had been changed, and if she hadn’t authorized the change, she should call customer service. She tried, but the number she called notified her an operator couldn’t answer until 8 a.m.
“Whoever did this knew the right time to do it,” she said.
When Nistri opened the Starbucks app on her phone, she could watch the thieves take first the $25 and then the $75 in real time, and other Starbucks app users report suffering similar thefts.
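The sequence Nistri saw (credentials changed, balance spent down, the linked card charged by auto-reload, the reload amount raised, the card charged again, all within minutes) is exactly the kind of pattern a fraud or detection team can alert on and a wallet backend can refuse to honour. The following is an added example, not code from the original article and not Starbucks' own system: it runs a simple velocity rule over a constructed event log and shows a cooldown policy that blocks automatic reloads for a period after any credential change. The event kinds, field names, account identifiers and timestamps are all assumptions made up for illustration.

```python
"""Added example: detect and block the account-takeover / auto-reload drain pattern.

Event kinds, fields, account names and timestamps below are assumptions
constructed for this example; they are not Starbucks' own log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed event kinds a stored-value wallet backend might record.
CREDENTIAL_CHANGE = "credential_change"        # username or password changed
AUTO_RELOAD = "auto_reload"                    # linked card charged because balance hit 0
RELOAD_AMOUNT_CHANGE = "reload_amount_change"  # auto-reload setting edited
SPEND = "spend"                                # stored value spent


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str
    amount: float = 0.0  # dollars, meaningful for reload/spend/amount-change events


def flag_reload_abuse(events, window=timedelta(minutes=15), min_reloads=2):
    """Velocity rule: for each account, look at the events that follow a credential
    change within `window`; flag the account if the linked card was auto-reloaded
    `min_reloads` or more times, or if the auto-reload amount was raised.
    Returns {account: [reason, ...]} for flagged accounts only."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    flagged = {}
    for acct, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.kind != CREDENTIAL_CHANGE:
                continue
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            reloads = [x for x in later if x.kind == AUTO_RELOAD]
            bumps = [x for x in later if x.kind == RELOAD_AMOUNT_CHANGE]
            reasons = []
            if len(reloads) >= min_reloads:
                reasons.append(f"{len(reloads)} auto-reloads within {window} of a credential change")
            if bumps:
                reasons.append("auto-reload amount changed within the window after a credential change")
            if reasons:
                flagged[acct] = reasons
                break  # one hit per account is enough to raise an alert
    return flagged


def reload_allowed(events, account, now, cooldown=timedelta(hours=24)):
    """Policy check a backend could run before charging the linked card: refuse
    automatic reloads until `cooldown` has passed since the account's most recent
    credential change. This is an assumed mitigation, not Starbucks' policy."""
    recent = [e for e in events
              if e.account == account and e.kind == CREDENTIAL_CHANGE
              and now - e.ts < cooldown]
    return not recent


# Constructed sample log modelled on the timeline described in the article
# (a Wednesday morning starting at 7:11; the date itself is an assumption).
T0 = datetime(2015, 5, 13, 7, 11)
SAMPLE_EVENTS = [
    Event(T0, "acct-victim", CREDENTIAL_CHANGE),
    Event(T0.replace(minute=12), "acct-victim", SPEND, 34.77),
    Event(T0.replace(minute=13), "acct-victim", AUTO_RELOAD, 25.00),
    Event(T0.replace(minute=13), "acct-victim", SPEND, 25.00),
    Event(T0.replace(minute=15), "acct-victim", RELOAD_AMOUNT_CHANGE, 75.00),
    Event(T0.replace(minute=16), "acct-victim", AUTO_RELOAD, 75.00),
    Event(T0.replace(minute=17), "acct-victim", SPEND, 75.00),
    # A legitimate user who changed a password and later bought one coffee.
    Event(T0.replace(hour=7, minute=0), "acct-benign", CREDENTIAL_CHANGE),
    Event(T0.replace(hour=7, minute=30), "acct-benign", SPEND, 4.50),
]

if __name__ == "__main__":
    for acct, reasons in flag_reload_abuse(SAMPLE_EVENTS).items():
        print(acct, "->", "; ".join(reasons))
    print("reload allowed at 7:13?", reload_allowed(SAMPLE_EVENTS, "acct-victim", T0.replace(minute=13)))
    print("reload allowed next day?", reload_allowed(SAMPLE_EVENTS, "acct-victim", T0.replace(day=14, hour=9)))
```

Run as-is, the rule flags only `acct-victim` (two auto-reloads and a reload-amount change inside fifteen minutes of the credential change) and leaves the benign account alone, and the cooldown check denies the 7:13 reload that actually went through in Nistri's case. The broader design point is that a credential change is a high-risk moment: any setting that can turn a stolen password into repeated charges against a linked payment method should be frozen, or require step-up verification, for a period afterwards.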
Starbucks, for its part, says that it won't hold customers responsible for the losses in cases like this, which is a wise public-relations move on Starbucks' part.
But what would happen if Starbucks (or some other company in the same situation) chose instead to leave customers holding the bag for these costs? As Sullivan points out, “it’s unclear what level of consumer protection consumers would be legally entitled to. Because their credit card accounts aren’t actually compromised and their cards not stolen, it’s unclear that standard 'Regulation E' credit card liability protections would apply. Prepaid card users don’t enjoy the same level of consumer protection.”
If you use the Starbucks mobile app, or any app connected to real money, treat it with the same care you would give your online banking or investment accounts. Use a strong password that you use nowhere else; a password manager makes that practical. Never reuse a password across accounts, especially financial ones, so that a thief who obtains the password for one account cannot use it to break into the others. Where an app offers two-factor authentication, turn it on. Consider turning auto-reload off, or setting the reload amount as low as you can live with, so that a stolen password cannot be turned into an open-ended line of credit against your card. And treat an unexpected “your username or password has been changed” email as an emergency: if the app's support line is closed, as it was for Nistri, call your card issuer or PayPal and have the linked payment method frozen.