What exactly is going on with the Starbucks mobile app?
Last week, after a (relative) handful of customers complained about thieves hacking into their Starbucks apps and stealing money from whatever bank accounts or payment cards were connected to them, Starbucks did finally acknowledge that these thefts were happening.
However, the company also suggested the problem was not with Starbucks' own network security, but with the individual customers who got hacked, presumably because they either used weak passwords or used the same password across multiple accounts – in other words, because those victimized customers failed to take certain very basic online security precautions.
And in fairness to Starbucks: the initial evidence, combined with the relatively small number of app customers who had this problem, seemed to suggest that Starbucks was correct. After all: if the company itself had suffered a security breach, you'd expect to see almost every Starbucks app user suffer as a result, right? And since it was only a handful of customers here and there, that would suggest the Starbucks app problem was similar to the Dropbox and StubHub “hackings” from last year: neither Dropbox nor StubHub had any breach of their network or database security, but millions of individual customer accounts were breached after hackers managed to steal those individual passwords from another source.
May be other reasons
Yet Bob Sullivan, the consumer journalist who first broke word of the Starbucks hackings early last week, pointed out last night that there might be reasons to suspect there's something else going on with the Starbucks app problems.
In the first place, “A few victims I’ve spoken to say they use strong passwords. One victim who said his card had been hit for four $50 refills said their password randomly generated 15 characters. … consumers are often mistaken about their password management skills, but corporations aren’t always transparent about their security practices, either.”
Something else to consider: last month, Starbucks suffered a temporary outage to all of its point-of-sale (POS) systems, an outage which the company said “was caused by an internal failure during a daily system refresh and was not the result of an external breach.” However, the company insists that its current app issues are in no way related to that POS outage.
An altered state
Meanwhile, Starbucks.com has apparently altered the email requirements for any customer trying to change their login information. As of Monday, anyone trying to change their login credentials was asked two apparently new questions: “Can you still access email at your previous address?” and “Why are you changing your email address today? To stay organized/to avoid spam/for security reasons/other.”
Whoever stole money from these hacked Starbucks apps did so by taking advantage of the app's auto-reload function: even if you only have, for example, $10 worth of credit loaded on your Starbucks app, that does not mean any thief is limited to only stealing your $10; once in the account, the thieves adjusted the auto-reload settings so that as soon as they drained that initial $10, they'd simply arrange to re-load the money and re-drain the account.
If you are going to use the Starbucks mobile app and want to be absolutely sure no hacker can use it to drain your bank accounts or run up your credit card charges, you need to de-link all such financial accounts and cards from the app altogether, and manually re-load money into the app account (rather than arrange for these re-loads to be done automatically).