What was stolen?
A new attack on the Starbucks Mobile Payment Application was launched. Criminals have been breaking into individual customer rewards accounts and transferring funds to other accounts.
How was the attack executed?
The Starbucks application lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
- Break into a victim’s Starbucks account online
- Add a new gift card, transfer funds over
- Repeat the process every time the original card reloads
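As an added example (not part of the original post, and not Checkmarx or Starbucks code), the following Python routine shows how a fraud or SOC team could detect the pattern just described from the server side: it walks a constructed account-activity log and flags transfers that go to a gift card registered only minutes earlier, and transfers that follow an auto-reload within a short window, which is the "repeat every time the card reloads" step. The event names, fields and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """One account-activity record (assumed schema, not a real Starbucks log)."""
    ts: datetime
    account: str
    kind: str                    # "login", "card_added", "auto_reload", "transfer"
    card: Optional[str] = None   # card added, card reloaded, or transfer destination
    amount: float = 0.0


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log. "alice" shows the drain pattern from the post:
# log in, add a new card, move the balance, wait for auto-reload, move it again.
# "bob" transfers to a card he registered weeks ago, which should not be flagged.
SAMPLE_EVENTS: List[Event] = [
    Event(_t("2015-04-20T12:00:00"), "bob",   "card_added",  card="C-0002"),
    Event(_t("2015-05-12T08:00:00"), "alice", "login"),
    Event(_t("2015-05-12T08:01:10"), "alice", "card_added",  card="C-9001"),
    Event(_t("2015-05-12T08:02:30"), "alice", "transfer",    card="C-9001", amount=25.0),
    Event(_t("2015-05-12T08:03:00"), "alice", "auto_reload", card="C-0001", amount=25.0),
    Event(_t("2015-05-12T08:04:15"), "alice", "transfer",    card="C-9001", amount=25.0),
    Event(_t("2015-05-12T09:00:00"), "bob",   "login"),
    Event(_t("2015-05-12T09:30:00"), "bob",   "transfer",    card="C-0002", amount=10.0),
]

# A flagged transfer: (timestamp, destination card, amount, reasons)
Hit = Tuple[datetime, str, float, List[str]]


def detect_drain_pattern(
    events: List[Event],
    new_card_window: timedelta = timedelta(hours=1),
    post_reload_window: timedelta = timedelta(minutes=10),
) -> Dict[str, List[Hit]]:
    """Return, per account, the transfers matching the card-drain pattern.

    Reasons attached to each hit:
      "new_card"    - destination card was registered to this account within
                      new_card_window before the transfer
      "post_reload" - transfer happened within post_reload_window after an
                      auto-reload on the same account
    """
    card_added: Dict[Tuple[str, str], datetime] = {}   # (account, card) -> when added
    last_reload: Dict[str, datetime] = {}              # account -> last auto-reload
    hits: Dict[str, List[Hit]] = {}

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "card_added" and e.card:
            card_added[(e.account, e.card)] = e.ts
        elif e.kind == "auto_reload":
            last_reload[e.account] = e.ts
        elif e.kind == "transfer" and e.card:
            reasons: List[str] = []
            added = card_added.get((e.account, e.card))
            if added is not None and timedelta(0) <= e.ts - added <= new_card_window:
                reasons.append("new_card")
            reload_ts = last_reload.get(e.account)
            if reload_ts is not None and timedelta(0) <= e.ts - reload_ts <= post_reload_window:
                reasons.append("post_reload")
            if reasons:
                hits.setdefault(e.account, []).append((e.ts, e.card, e.amount, reasons))
    return hits


def severity(hits: Dict[str, List[Hit]]) -> Dict[str, str]:
    """One flagged transfer is worth a review; a repeat on the same account
    (the reload-and-drain loop) is treated as high severity."""
    return {acct: ("high" if len(h) >= 2 else "review") for acct, h in hits.items()}


if __name__ == "__main__":
    found = detect_drain_pattern(SAMPLE_EVENTS)
    for acct, sev in severity(found).items():
        print(f"{acct}: {sev}")
        for ts, card, amount, reasons in found[acct]:
            print(f"  {ts.isoformat()} -> {card} {amount:.2f} {','.join(reasons)}")
```

In production the same rule would sit behind a step-up check: a transfer that trips "new_card" or "post_reload" can be held and re-verified with the account owner before funds leave, instead of being discovered after the fact from customer complaints.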
This is the second occurrence of fraud on the Starbucks application.
Last year researchers discovered that Starbucks stored usernames and passwords in clear text on the device.
Could these two have a connection?
What can Starbucks customers do to prevent further damage?
- Use strong, unique passwords
- Remove payment methods associated with their Starbucks account
- Disable the auto-reload option in the Starbucks app
What Should Starbucks do to reduce risks?
- Implement strong authentication techniques
- Ensure the application is not vulnerable to additional attack techniques
What is Checkmarx’s angle on this breach and could we prevent it?
The attack was launched by criminals who already had access to usernames and passwords. Seeing that last year Starbucks failed to secure its users’ data in the mobile application, one could argue the credentials for the current attack were stolen on that occasion and stored for a “rainy day”.
Had Starbucks analyzed the mobile application code with CxSAST, it would have known during the development stage that data was being stored in an insecure manner. This may have prevented the initial credential theft.
By Amit Ashbel