For many consumers, Starbucks coffee has become an essential part of their morning commute. They take a quick detour on their way to work, pay with their credit card or smartphone, and get back on their way, ready to take on the day. But recently, some customers have been reporting an unwanted addition to their morning routine: unauthorized charges on their debit and credit cards stemming from the Starbucks app.
The recent data breach goes like this. Hackers gain access to an unsuspecting customer’s account in some way. They then use the app’s ‘auto-reload’ function to top off as many as a dozen new Starbucks pre-paid cards. Finally, they ‘gift’ these cards to themselves, presumably to sell on the black market.
While this lack of security has left many customers irate, Starbucks itself has denied that the data breach comes from an internal problem with their app. Instead, they claim, the problem has a much simpler explanation: weak passwords. Oftentimes, hackers will ‘spam’ a company’s automated login systems with a multitude of passwords, hoping that at least a few work. Other times, hackers get their hands on the login credentials of thousands of customers of another company – say, a bank – and use those to attempt to log in to apps like Starbucks’ payment app.
This is where customers can ensure their own security by employing certain practices. Merchant services and mobile payments experts suggest that customers use strong passwords. For example, don’t use a password that is easily associated with the application that you are using. The password for your Starbucks app probably shouldn’t be ‘frappucino.’ Secondly, don’t use the same password across different accounts. It’s bad enough if hackers get your password to one account. This problem is compounded if they can use this info to hack all of your accounts. Lastly, change your passwords frequently. Experts also agree that until the Starbucks breach is completely resolved, it is wise to turn off the ‘auto-reload’ feature in the app.
While the Starbucks breach isn’t disastrous in and of itself, it does signify some of the problems that lie ahead in the merchant services industry. As consumers demand quicker and easier mobile payments, how will their security be ensured? Certain practices, such as sending a confirmation text message to a person’s cell phone when an account has been accessed from a new device, seem like common sense and could have helped to prevent the Starbucks data breach. Will consumers embrace these policies, or will they view them as needless annoyances? Time will tell.
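The new-device confirmation described above can be sketched as server-side logic that also watches for the reload-then-gift pattern from a device the account holder has not confirmed. This is an added example, not code from the article or from Starbucks; the event names, device ids, sample log and the rule that an account's first device is enrolled automatically are all assumptions.

```python
from collections import defaultdict

# Constructed sample events: (minute, account, device_id, action)
EVENTS = [
    (0, "alice", "phone-A", "login"),
    (1, "alice", "phone-A", "reload"),
    (500, "bob", "phone-B", "login"),
    (900, "alice", "dev-X", "login"),   # device never seen for alice
    (901, "alice", "dev-X", "reload"),
    (902, "alice", "dev-X", "gift"),
    (903, "alice", "dev-X", "reload"),
    (904, "alice", "dev-X", "gift"),
    (950, "bob", "phone-B", "gift"),
]

SENSITIVE = {"reload", "gift"}

def review(events, trusted=None):
    """Return (challenges, alerts).

    challenges: (minute, account, device) logins that should trigger a
                confirmation message to the account holder's phone.
    alerts:     accounts where a still-unconfirmed device reloaded a card
                and then gifted one, the abuse chain the article describes.
    """
    trusted = defaultdict(set, trusted or {})
    pending = {}  # (account, device) -> sensitive actions seen while unconfirmed
    challenges, alerts = [], []
    for minute, account, device, action in sorted(events):
        key = (account, device)
        if action == "login":
            if not trusted[account]:
                trusted[account].add(device)  # assumption: first device enrolls
            elif device not in trusted[account] and key not in pending:
                pending[key] = []
                challenges.append((minute, account, device))
        elif action == "confirm" and key in pending:
            del pending[key]                  # holder answered the text message
            trusted[account].add(device)
        elif action in SENSITIVE and key in pending:
            pending[key].append(action)
            earlier = pending[key][:-1]
            if action == "gift" and "reload" in earlier and account not in alerts:
                alerts.append(account)
    return challenges, alerts
```

In a real deployment the sensitive actions would be blocked, not merely logged, until the `confirm` event arrives.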