A new attack on the Starbucks mobile payment application has been launched. Criminals have been breaking into individual customer rewards accounts and transferring the funds to other accounts.
The Starbucks application lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
This is the second occurrence of fraud involving the Starbucks application.
Last year researchers discovered that Starbucks stored usernames and passwords in clear text on the device.
Could these two have a connection?
What can Starbucks customers do to prevent further damage?
- Use strong and unique passwords
- Remove payment methods associated with their Starbucks account
- Disable the auto-reload option in the Starbucks app
What Should Starbucks do to reduce risks?
- Implement strong authentication techniques
- Ensure the application is not vulnerable to additional attack techniques
The attack was launched by criminals who had access to usernames and passwords. Seeing that last year Starbucks failed to secure its users' data in the mobile application, one could argue that the credentials used in the current attack were stolen on that occasion and stored for a "rainy day".
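The takeover pattern described above (the app auto-reloads from the linked payment method, then the balance is moved to another card) is something a payment operator can look for in its own transaction logs. The following is an added example, not code from the original post or from Starbucks; it runs one such detection heuristic over a constructed, fictional transaction log, flagging accounts that repeatedly pair a reload with a transfer to a recipient they have never sent funds to before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transaction log (not real Starbucks data). Each tuple is
# (account, timestamp, event type, amount, transfer recipient or None).
# u1 behaves normally; u2 shows the drain pattern from the post: auto-reload
# pulls money in, then the balance is sent to an unfamiliar card, repeatedly.
EVENTS = [
    ("u1", "2015-05-13T08:01:00", "reload", 25.0, None),
    ("u1", "2015-05-13T08:05:00", "purchase", 4.5, None),
    ("u2", "2015-05-13T09:00:00", "reload", 50.0, None),
    ("u2", "2015-05-13T09:02:00", "transfer", 50.0, "card-9911"),
    ("u2", "2015-05-13T09:04:00", "reload", 50.0, None),
    ("u2", "2015-05-13T09:06:00", "transfer", 50.0, "card-9911"),
    ("u2", "2015-05-13T09:08:00", "reload", 50.0, None),
    ("u2", "2015-05-13T09:09:00", "transfer", 50.0, "card-9911"),
]

# Recipients each account had sent to before the observed period (constructed).
KNOWN_RECIPIENTS = {"u1": {"card-1000"}, "u2": {"card-2000"}}


def find_drain_patterns(events, known=KNOWN_RECIPIENTS,
                        window=timedelta(minutes=10), min_cycles=2):
    """Flag accounts with at least `min_cycles` occurrences of 'reload, then a
    transfer to a new recipient within `window`'.
    Returns {account: (cycle_count, amount_moved_to_new_recipients)}."""
    by_account = defaultdict(list)
    for acct, ts, kind, amount, dest in events:
        by_account[acct].append((datetime.fromisoformat(ts), kind, amount, dest))

    flagged = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        cycles, drained, last_reload = 0, 0.0, None
        for ts, kind, amount, dest in rows:
            if kind == "reload":
                last_reload = ts
            elif kind == "transfer" and dest not in known.get(acct, set()):
                # Transfer to a never-seen recipient shortly after a reload is
                # the drain step; each reload is counted at most once.
                if last_reload is not None and ts - last_reload <= window:
                    cycles += 1
                    drained += amount
                    last_reload = None
        if cycles >= min_cycles:
            flagged[acct] = (cycles, drained)
    return flagged


if __name__ == "__main__":
    for acct, (cycles, amount) in find_drain_patterns(EVENTS).items():
        print(f"{acct}: {cycles} reload->transfer cycles, {amount:.2f} moved out")
```

Tuning `window` and `min_cycles` against an operator's real reload and transfer volumes is what separates a useful alert from noise; transfers to an already-known recipient are deliberately ignored here.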
Had Starbucks analyzed the mobile application's code with CxSAST, it would have known during the development stage that data was being stored in an insecure manner. This may have prevented the initial credential theft.