Starbucks Application Breach #2

What was stolen?

A new attack on the Starbucks Mobile Payment Application was launched. Criminals have been breaking into individual customer rewards accounts and transferring funds to other accounts.

How was the attack executed?

The Starbucks application lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.

  1. Break into a victim’s Starbucks account online
  2. Add a new gift card, transfer funds over
  3. Repeat the process every time the original card reloads

This is the second occurrence of fraud involving the Starbucks application.

Last year researchers discovered that Starbucks stored usernames and passwords in clear text on the device.

Could these two have a connection?


What Now?

What can Starbucks customers do to prevent further damage?

o   Use strong and unique passwords

o   Remove payment methods associated with their Starbucks account

o   Disable the auto-reload option in the Starbucks app

What Should Starbucks do to reduce risks?

o   Implement strong authentication techniques

o   Ensure the application is not vulnerable to additional attack techniques


What is Checkmarx’s angle on this breach and could we prevent it?

The attack was launched by criminals who had access to usernames and passwords. Seeing that last year Starbucks failed to secure users' data in the mobile application, one could argue the credentials for the current attack were stolen on that occasion and stored for a "rainy day".

Had Starbucks used CxSAST to analyze the mobile application's code, it would have known during the development stage that data was being stored in an insecure manner. This may have prevented the initial credential theft.
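To make the "stored in an insecure manner" point concrete, here is a toy static check of the kind a SAST tool applies to Android source: it flags lines where a secret-named value (password, token, credential) is handed to a cleartext storage API. This is an added illustration written for this post; it is not CxSAST, Checkmarx or Starbucks code. The Android calls it matches (SharedPreferences putString, FileOutputStream write, SQLite insert/execSQL) are real, but the identifier list, the same-line "encrypt(" heuristic and the sample source are constructed assumptions.

```python
"""Toy static check for cleartext credential storage in Android source.

Added illustration for this post; it is not CxSAST or any Checkmarx or
Starbucks code. It models, in a few lines, the "secret reaches a cleartext
storage sink" rule that a real SAST tool applies with full dataflow tracking.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int       # 1-based line in the scanned source
    sink: str          # which storage API received the secret
    identifier: str    # the secret-looking name that reached it
    text: str          # the offending line, stripped


# Identifier fragments that usually denote a secret (assumed heuristic list).
SECRET_NAME = re.compile(
    r"[A-Za-z_]*(pass(word|wd)?|pwd|secret|token|credential)[A-Za-z_]*", re.IGNORECASE
)

# Android calls that persist their arguments to device storage as-is.
# putString/putStringSet, write and insert/execSQL are real APIs; matching
# them textually instead of resolving the receiver type is this toy's simplification.
SINKS = {
    "SharedPreferences.Editor": re.compile(r"\.put(String|StringSet)\s*\((?P<args>[^;]*)\)"),
    "FileOutputStream":         re.compile(r"\.write\s*\((?P<args>[^;]*)\)"),
    "SQLiteDatabase":           re.compile(r"\.(insert|execSQL)\s*\((?P<args>[^;]*)\)"),
}

# Same-line evidence that the value was protected before being stored
# (assumed heuristic; a real tool follows the value across lines and methods).
PROTECTED = re.compile(r"encrypt\(|Cipher|KeyStore|EncryptedSharedPreferences", re.IGNORECASE)


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per line where a secret-named value hits a cleartext sink."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("//", 1)[0]          # ignore trailing comments
        if PROTECTED.search(line):
            continue                          # value was wrapped before storage
        for sink, pattern in SINKS.items():
            call = pattern.search(line)
            if not call:
                continue
            secret = SECRET_NAME.search(call.group("args"))
            if secret:
                findings.append(Finding(line_no, sink, secret.group(0), raw.strip()))
                break
    return findings


# Constructed Android-style snippet (not Starbucks' actual code) mirroring the
# class of defect the post describes: the password lands on disk unencrypted.
SAMPLE_SOURCE = """\
SharedPreferences prefs = getSharedPreferences("app_prefs", MODE_PRIVATE);
SharedPreferences.Editor editor = prefs.edit();
editor.putString("username", username);
editor.putString("password", password);            // cleartext secret on disk
editor.putString("theme", "dark");
editor.apply();
FileOutputStream out = openFileOutput("session.txt", MODE_PRIVATE);
out.write(authToken.getBytes());                   // cleartext token on disk
safe.putString("password", encrypt(password));     // protected before storage
"""


def report(source: str = SAMPLE_SOURCE) -> list[str]:
    """Human-readable report lines, one per finding."""
    return [f"line {f.line_no}: {f.identifier!r} written via {f.sink}: {f.text}"
            for f in scan_source(source)]


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

Run against the sample it reports two findings (the password written to SharedPreferences and the token written to a file) and stays silent on the non-secret preferences and on the line that encrypts before storing. The same-line heuristic is deliberately weak: if the encryption happened two lines earlier the toy would still flag the store, which is exactly the gap that dataflow-based analysis in a real SAST engine closes.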

Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.