Starbucks Application Breach #2

May 14, 2015 By Amit Ashbel

What was stolen?

A new attack against the Starbucks mobile payment application has been reported. Criminals have been breaking into individual customers' rewards accounts and transferring the funds to other accounts.

How was the attack executed?

The Starbucks application lets you pay at checkout with your phone. It can also reload Starbucks gift cards automatically, drawing funds from the bank account, credit card or PayPal account linked to the card. The fraud works in three steps:

  1. Break into a victim's Starbucks account online (the attackers already hold a valid username and password)
  2. Add a new gift card to the account and transfer the victim's balance onto it
  3. Repeat the transfer every time auto-reload tops the original card up again, so the victim's linked payment source is drained, not just the balance that was on the card
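The three steps above leave a recognisable trace in account activity: a login from an address the account has never used, a card added shortly afterwards, transfers to that new card, and transfers that keep recurring right after each auto-reload. The following detector, added here as an example (it is not Checkmarx's or Starbucks' code), runs that heuristic over a constructed event log. The line format, the 24-hour watch window after an unfamiliar login, and the sample events are all assumptions made for the example.

```python
"""Heuristic detector for the gift-card drain pattern: a login from an
address the account has never used, a newly added card, transfers to
that card, and repeats after each auto-reload.

Added example; the event format, the 24h window and the sample events
are assumptions, not Starbucks' real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <account> <event> key=value ...".
# bob adds a card from an address he has used before; alice's account is
# entered from a new address and then drained through two auto-reloads.
SAMPLE_EVENTS = """\
2015-04-28T09:00:00 bob login ip=10.0.0.7
2015-05-01T08:00:00 alice login ip=10.0.0.5
2015-05-01T08:05:00 alice purchase amount=4.50
2015-05-01T09:00:00 bob login ip=10.0.0.7
2015-05-01T09:01:00 bob add_card card=GIFT2
2015-05-01T09:02:00 bob transfer to=GIFT2 amount=10.00
2015-05-02T08:10:00 alice login ip=10.0.0.5
2015-05-03T02:00:00 alice login ip=203.0.113.9
2015-05-03T02:01:30 alice add_card card=NEW1
2015-05-03T02:02:10 alice transfer to=NEW1 amount=25.00
2015-05-03T02:02:40 alice auto_reload amount=25.00
2015-05-03T02:03:20 alice transfer to=NEW1 amount=25.00
2015-05-03T02:03:50 alice auto_reload amount=25.00
2015-05-03T02:04:30 alice transfer to=NEW1 amount=25.00
"""

# How long after an unfamiliar login we keep watching the account (assumed).
TAKEOVER_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse the line format above into (timestamp, account, event, details)."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event, *pairs = line.split()
        details = dict(pair.split("=", 1) for pair in pairs)
        events.append((datetime.fromisoformat(ts), account, event, details))
    events.sort(key=lambda e: e[0])  # process chronologically across accounts
    return events


def detect_drains(text):
    """Return {account: finding} for accounts showing the drain pattern."""
    events = parse_events(text)
    known_ips = defaultdict(set)        # addresses each account has logged in from
    window = {}                         # account -> (start time, unfamiliar ip)
    new_cards = defaultdict(set)        # cards added inside the current window
    reload_pending = defaultdict(bool)  # auto-reload seen since last flagged transfer
    findings = {}

    for ts, acct, event, d in events:
        if event == "login":
            ip = d["ip"]
            # The very first login of an account has no history to compare
            # against, so only later logins from a new address open a window.
            if known_ips[acct] and ip not in known_ips[acct]:
                window[acct] = (ts, ip)
                new_cards[acct] = set()
                reload_pending[acct] = False
            known_ips[acct].add(ip)
            continue

        start = window.get(acct)
        if start is None or ts - start[0] > TAKEOVER_WINDOW:
            continue  # no recent unfamiliar login: treat as ordinary activity

        if event == "add_card":
            new_cards[acct].add(d["card"])
        elif event == "auto_reload":
            reload_pending[acct] = True
        elif event == "transfer" and d["to"] in new_cards[acct]:
            f = findings.setdefault(acct, {
                "from_ip": start[1], "cards": set(), "drained": 0.0, "reload_cycles": 0})
            f["cards"].add(d["to"])
            f["drained"] += float(d["amount"])
            # A transfer right after an auto-reload is the repeat step: the
            # attacker is draining the linked payment source, not just the
            # balance that was on the card when the account was entered.
            if reload_pending[acct]:
                f["reload_cycles"] += 1
                reload_pending[acct] = False

    for f in findings.values():
        f["cards"] = sorted(f["cards"])
    return findings


if __name__ == "__main__":
    for acct, f in detect_drains(SAMPLE_EVENTS).items():
        print(acct, f)
```

On the sample data only alice is reported: entered from 203.0.113.9, 75.00 moved to NEW1, two of the three transfers immediately following an auto-reload. bob's card addition is not flagged because his login came from an address already on his account. The "unfamiliar address" test is deliberately crude (an account's first ever login is never flagged, and attackers on the victim's own network would pass it), so in practice it belongs alongside device fingerprinting and a step-up check before any transfer to a just-added card.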

This is the second security issue reported against the Starbucks application.

Last year researchers discovered that the application stored usernames and passwords in clear text on the device.

Could these two have a connection?


What Now?

What can Starbucks customers do to prevent further damage?

o   Use a strong, unique password (one that is not reused on any other site, so a leak elsewhere does not open the Starbucks account)

o   Remove payment methods associated with their Starbucks account

o   Disable the auto-reload option in the Starbucks app, since auto-reload is what lets the attacker repeat the transfer instead of stopping at the card's current balance

What Should Starbucks do to reduce risks?

o   Implement strong authentication, so that a stolen username and password alone are not enough to take over an account or to move funds to a newly added card

o   Verify, through code review and testing, that the application is not exposed to additional attack techniques


What is Checkmarx’s angle on this breach and could we prevent it?

The attack was launched by criminals who already had access to valid usernames and passwords. Seeing that last year Starbucks failed to secure its users' data on the mobile application, one could argue that the credentials used in the current attack were stolen on that occasion and stored for a "rainy day".

Had CxSAST been used to analyze the Starbucks mobile application code, Starbucks would have known during the development stage that credentials were being stored in an insecure manner. This may have prevented the initial credential theft.


Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.
