Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Crime The Almighty Buck

Hackers Using Starbucks Gift Cards To Access Credit Cards 124

Posted by samzenpus from the protect-ya-neck dept.
jfruh writes: Starbucks inspires loyalty among its heavy users — so much so that they're willing to connect their Starbucks gift cards and phone apps directly to their credit or debit cards, auto-refilling the balance when it runs low. But this has opened up a hole hackers can exploit. Writing about the scheme journalist Bob Sullivan says: "The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app. Maria Nistri, 48, was a victim this week. Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes."
This discussion has been archived. No new comments can be posted.

Hackers Using Starbucks Gift Cards To Access Credit Cards More

Hackers Using Starbucks Gift Cards To Access Credit Cards

Comments Filter:

  • I don't trust any auto-top ups (Score:5, Insightful)

    by Chrisq ( 894406 ) on Thursday May 14, 2015 @04:58AM (#49687813)
    I don't use it on my phone, didn't use it on my Disney pass, and would not use it for coffee either. None of these organisations have either the security awareness of credit card companies nor the statutory framework requiring them to cover losses where you are not at fault. I like to limit my exposure to the amount I add on

    • Re: (Score:1)

      by Anonymous Coward

      Why hackers are stupid. Stealing somebody's coffee money is one thing. Putting a $2B industry at risk will probably get you killed.

      • Re: (Score:2)

        by Chrisq ( 894406 )

        Why hackers are stupid. Stealing somebody's coffee money is one thing. Putting a $2B industry at risk will probably get you killed.

        Maybe they really like coffee!

    • What's a Disney pass?

      • It's a card that allows you access to the parks, your hotel room if you're staying on Disney ground, and gives the ability to charge food and souvenirs to the card on file. So need for a wallet when you're in the parks - the card does it all. What the card does especially well is drain you of resources better spent on paying your rent, car payments etc. Use sparingly :)

    • Re: (Score:2)

      by ZipK ( 1051658 )

      I like to limit my exposure to the amount I add on

      Which you can easily do by associating your Starbucks account with a virtual credit card number that has a low-dollar limit, or adding/funding/removing your credit card or other financial details.

    • Re: (Score:2)

      by tlhIngan ( 30335 )

      I don't use it on my phone, didn't use it on my Disney pass, and would not use it for coffee either. None of these organisations have either the security awareness of credit card companies nor the statutory framework requiring them to cover losses where you are not at fault. I like to limit my exposure to the amount I add on

      More correctly, I don't see the point

      I mean, instead of Starbucks charging you $5 a day on your credit card, you have them charge $25 every 5 days? Doesn't seem to beneficial for me.

      It's

  • Moral (Score:2)

    by ttyX ( 1546893 )
    Don't trust a third party with your credit card info.

    • Re: (Score:3, Interesting)

      by sectokia ( 3999401 )
      The post didn't even actually say exactly what is going on.... People link their credit card to some star bucks account with auto reload. Hackers just guess the users password or get it some other way. Once inside the you can transfer the money to another card. They then sell that other card to idiots below its account balance. Star bucks then honour it anyway?

      • Re:Moral (Score:5, Informative)

        by hippo ( 107522 ) on Thursday May 14, 2015 @06:18AM (#49687971) Homepage

        RTF linked article. Bad people guess your Starbucks login and transfer your funds to another Starbucks gift card which is the auctioned off on some anonymous dodgy version of Ebay.

        • But can somebody get a refund on that second gift card? If not, what use is it - unless, as the man said - you really like coffee?

          • The thieves sell the gift card on an auction site to people who will use the gift card to buy coffee.

          • Re: (Score:2)

            by hippo ( 107522 )

            Apparently, there is a thriving black market in Starbucks gift cards. I guess you type the number into your app and use it to get coffee without having to actually travel to meet the guy selling the gift card. Starbucks must be honouring these or there would be no market.

            There isn't one person who really likes coffee, just lots of people who like it enough to take part in morally dubious and possibly criminal activities. A bit like the pirated DVD trade but with zero overheads and less evidence after the c

        • Exactly. While Starbucks probably does need to tighten up its transfer process, the fundamental issue here is the same one we've been seeing for a couple decades now - stolen passwords.

      • Starbucks probably removes the balance once they are informed of the theft, but by then the thieves are long gone with their money so they don't care.

    • Re: (Score:3, Interesting)

      by Kokuyo ( 549451 )

      The first party is you, the second the credit card company... So how exactly would you ever use a credit card if you don't trust any third party with it?

      • Re:Moral (Score:5, Insightful)

        by CastrTroy ( 595695 ) on Thursday May 14, 2015 @05:38AM (#49687887)

        This is what's wrong with online payments. To make a credit card payment, the website should just direct me to the website of visa/mc/amex and have me verify myself, and transfer money to the merchant, very similar to how PayPal works. With phones being so ubiquitous, a similar thing could be done for brick and mortar stores. Pop up a QR code at the register, scan it with a visa app, enter your credentials, and the payment is done. We need to fix the system and get rid of these antiquated payment methods.

        • The new chip-based credit card will cover the issue with brick and mortar stores. The chip only gives enough information to the merchant to complete a single transaction. The chip is an active component unlike the current magnetic strip. It contains an public/private key encryption module that signs information that can be used to verify that specific authorization. I could be wrong but I think the mobile NFC payment technologies do something similar.

      • Re:Moral (Score:4, Interesting)

        by AK Marc ( 707885 ) on Thursday May 14, 2015 @06:44AM (#49688043)
        You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappear with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.

        • Re: (Score:3, Insightful)

          by jittles ( 1613415 )

          You trust the infrastructure between you and the second party, but only in the US (and some tourist areas) is it considered acceptable to hand over your card to a 3rd party who disappear with it for a while. The rest of the world, the third party never, or rarely even touches your card. So you don't have to trust a 3rd party with your card to use it. At most, you trust the infrastructure between you and the credit card company.

          Except that the third patty controls the card terminal. If they're unscrupulous or if they don't have proper security, then anyone could come in there and install hardware that would get your card details, even your PIN if you're on a chip and pin system. Will that allow them to clone your chip? I'm not sure - probably not. But that doesn't stop them from having someone mug you when you're a few blocks away, either. Plus, you don't use the chip or pin for online purchases.

        • UK perspective here:

          Cards in the UK (both credit and debit*) used to be processed in much the same way americans describe their credit card processing now. You handed your card to the retailer who swiped it (in shops this would happen in your presense but I belive in places like restarants they would often take it away and swipe it) and gave you a reciept for to sign.

          Then chip and pin came in and retailers were strongly encouraged** to switch. The need to get the customer to type the pin meant that portable

  • dem haxx0rz (Score:2, Funny)

    by Anonymous Coward

    r in ur c0ff33 nao

  • use bitcoin (Score:1)

    by Anonymous Coward

    using the fold app, use bitcoin and get a 20% discount on Starbucks purchases....And because it is Bitcoin there is no CC to steal.

  • tipping over vending machines!

  • That's a lot of coffee (Score:2, Funny)

    by Anonymous Coward

    If police are looking for a criminal who drank $125ish of coffee in 7 minutes I'm guessing they just need to look for the crazy wired guy bouncing off the walls...

  • Like usual: anytime your credit card is involved: use a good password!

    That's all there is to this.

    The rest is just fear mothering and click bait.

  • I have Ipass with auto-reload, wondering if they are safe. I used to have only gift cards in amazon. Then got a little lazy and added a credit card. Then my friend told me about how it was very difficult to deal with Amazon when his account got hacked somehow. He caught a 4000$ order before shipment and tried to get it cancelled. He said he found Amazon very difficult to deal with. He traced the ship-to address to some warehouse on the west coast which acts as proxy customers to people outside USA needing a

  • Explain this one to me (Score:4, Interesting)

    by holophrastic ( 221104 ) on Thursday May 14, 2015 @07:14AM (#49688135)

    Why can starbucks gift cards be used for anything other than buying starbucks products? Why is the cash accessible in the first place? Anyone stealing starbucks gift cards, hackers or thieves, ought to be stuck with boat-loads of coffee, after having visited a starbucks store. Otherwise, folks, it ain't a gift card, it's a charge card, credit card, or direct-monetary-device -- and since starbucks ain't a bank, you ought not be entrusting them with direct access to your money.

    What's the point of a starbucks "gift card" if it operates no differently from the attached credit card?

    • Re:Explain this one to me (Score:5, Informative)

      by slashkitty ( 21637 ) on Thursday May 14, 2015 @08:54AM (#49688847) Homepage
      There is a huge market for gift card reselling online. starbucks makes it a bit easier because you can move $ from one card to another.. http://www.giftcardgranny.com/... [giftcardgranny.com]

      • that's the problem. a gift card is designed, by it's very nature, to not be currency. It's supposed to be a pre-purchase, such that the financial component is entirely removed. Show up with the card, get the product, no monetary transaction of any kind.

        What starbucks is using is simply not a gift card. It is a bank card. So who's surprised that a bank card issued by someone that isn't a bank lacks any sort of procedural security whatsoever?

        Stop giving your hard-earned money to someone who isn't regulat

    • Why can starbucks gift cards be used for anything other than buying starbucks products?

      [remainder of incorrect assumption improperly promoted into 'facts' deleted]

      They can't be.

      • Then what's the use in hacking one? So I can buy coffee with your card? Don't I need your physical card for that? Here's the easier version for you: Why can starbucks gift cards be used without starbucks gift cards?

        • Then what's the use in hacking one?

          You don't hack a card, you hack the app.

          I can take money from your account and put it on a card (or access code) in my possession. I can then resell the card (or the access code).

          So, how the scam works is - a) I buy a card from Starbucks for $5, then since the cards are infinitely reloadable b) I hack your account and move money (say $100) from your account to my card and disconnect it from the account, c) I resell the cards for $50.

          There's a lot of places Starbucks can d

          • You're saying that these stupid people actually let starbucks access their bank account directly? That's the most idiotic thing I've ever heard. Even my bank doesn't have access to my bank account to pay my mortgage. No one can touch a single dollar of mine except me and a judge. Why the hell would I let a coffee shop have unfettered access to my money?

            Thanks for explaining the scam to me. Although I'm more pissed off now than ever before. Who's this stupid?

  • What's the Point? (Score:1)

    by Anonymous Coward
    I don't understand what the point is of using a gift card that is automatically reloaded from a credit card once it hits zero. Why not cut out the middleman and use the credit card directly?

    • Their stupid rewards program is tied to a gift card. And ONLY works on purchases paid via that gift card (which can be auto-reloaded and have balance transfers to it from gift cards you receive as gifts). The answer for most people is not to use their rewards program at all.

  • This is why I don't let companies do ever have direct access to my accounts.

    Not my banking accounts, not my credit card, not anything. Never. Period. No way. If a company demands this, I walk away from the deal 100% of the time.

    Giving companies the ability to go in and raid your money is a recipe for disaster. Tying that ability to a phone or a gift card is even worse.

    You have pre-authorized the bearer of that device to go in and take your money without any oversight or authentication.

    I've known far too

    • I don't give anybody access to my accounts or debit cards (sorry, Paypal, it's that I don't trust you), but credit cards are fairly safe provided you check the statements when you get them. Make sure you use certified mail with return receipt, to make sure you have legal proof of questioning charges.

  • There are many reports of starbucks taking back gift cards.. I had bought a few gift cards online, and combined them into one in the app. Then, starbucks canceled the whole value. They said one of the cards payment method couldn't be verified. .. So, they wiped out my entire balance ($200) .. Never using starbucks cards or the app again. Please just switch to apple pay.
  • I'm not sure how much "auto-reload" has caught on yet, but normally Amazon requires you reenter your credit card when you send a package to a new address, and if you have auto-reload on, it might not ask if you use your gift card balance. Amazon, does however have a good anti-fraud team which will delay or cancel suspicious orders.
  • What's so convenient about adding another step between me and paying someone. Why use a gift card or app as an intermediary? In pack, hand the damn person a $10 bill. What's so damn hard about that? At least if someone tries to steal that from me I can tase or shoot them (in my state).

    • You do know that "hipsters" are all about using cash right? All the trendy coffee shops are cash only. So, welcome to team hipster.

      To answer your question, the main reason is that Starbuck's reward program (13th drink free) is tied to using their gift cards. That's probably the main reason, it also made paying more convenient, before nfc/tap-and-go credit cards became a thing, when going cash-less.

  • Yup, this is real.

    Yesterday morning, I had a notification on my phone that my account was now at $0.00. HUH??!

    Launched the app and then noticed my Starbuck's card was removed. WTF?!

    I called their support line. They didn't offer much in the way of help, but did say that the email address had been changed on my card and that it was indeed removed. They reset my password and are sending me a new Gold Card.

  • I woke up to five "We auto-reloaded your card" e-mails from Starbucks overnight. They hit me for $500. They used my Starbucks card (linked to my debit card, set to auto-renew by adding $100 when the balance was low) to purchase email gift card codes in multiples of $25. Canceled my Starbucks card, canceled my debit card, filed a police report. The investigator determined that the codes were sent to a generic e-mail account in Canada, and that was the end of it. The bank was good and put the money back

    • I woke up to five "We auto-reloaded your card" e-mails from Starbucks overnight.

      I have a serious question: I assume you must see some advantage to using a refillable gift card or you'd just use your regular credit card in the shop. So what's the benefit? Discounts? Frequent drinker points? Mind boggling convenience? I'm just trying to understand the appeal.

  • If you're going to quote Bob Sullivan's article in the summary, the least you could do is link to his article [bobsullivan.net] instead of a re-hash on IT World.

    Oh, wait. Submitter jfruh [slashdot.org] sure has modded up a lot of firehose submissions by user itwbennett [slashdot.org], and vice versa. No sense questioning what the "itw" stands for, as ~itwbennett's profile links straight to IT World. Thankfully it doesn't appear to be "our" Bennett, but come on. If you work for IT World, and you have a Slashdot account set up to promote IT world, submit t

  • When I worked as a cashier in the self scan lane, our store was hit by criminals with stolen credit cards, trying to buy expensive gift cards, to instantly launder the stolen credit cards. They would attempt to buy multiple expensive gift cards in one transaction. I told my manager this, but he didn't really care, just "Make them go thru a regular lane". Gift card fraud is getting out of hand. "There is more stupidity than hydrogen in the universe, and it has a longer shelf life.” Frank Zappa

Slashdot Top Deals

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Close