Starbucks has had one of the most successful mobile payments strategies to date with more than one in six transactions being conducted via the Starbucks mobile app, which is connected to a reloadable Starbucks gift card. Targeting Starbucks mobile app users and exploiting a setting that automatically reloads the Starbucks gift card, fraudsters are taking over accounts and repeatedly stealing funds.
Consumer security journalist Bob Sullivan was the first to report on these attacks, which target consumers who use a Starbucks account to manage their reloadable card, most often for in-store mobile payments through the Starbucks mobile app. When paying, the consumer opens the Starbucks app to scan a QR code that references and charges the consumer’s closed-loop Starbucks Card. In 2014 Starbucks processed $2 billion in mobile payment transactions via its mobile app, which has over 12 million users.
Fraudsters are targeting Starbucks user accounts to gain access to the stored value on Starbucks Cards. It is believed that fraudsters are using email and password combinations compromised in unrelated data breaches, along with brute force techniques, to gain access to these accounts. Whatever the method of entry, what the fraudsters do once inside makes it clear that the attack has been carefully planned.
The fraudsters are specifically targeting an automatic billing feature, where the payment card or bank account a consumer has on file with Starbucks is automatically charged a set amount when the balance on the Starbucks reloadable card approaches zero. Consumers can set how much this automatic reload amount is, such as $25 or $100. Changing this automatic payment amount requires an email confirmation, but the fraudsters change the email address associated with the Starbucks account first, so the confirmation goes to an address they control.
What’s more, the fraudsters seem to be timing their attacks during weekends and off hours, when consumers cannot reach customer service to disable or regain control of their Starbucks accounts. Once the fraudster changes the email associated with the Starbucks account, they can change the password and other settings to keep the real user out. They then increase the automatic payment amount so that each time they drain the balance on the Starbucks Card another $100 is added, charging the payment account the consumer has on file. Exploiting these factors, the fraudsters have been able to steal hundreds to thousands of dollars per compromised account in very little time.
In terms of how fraudsters are monetizing these attacks, it is likely that they are purchasing some goods but primarily gift cards. Starbucks account users are able to transfer balances from one gift card to another and combine balances from several cards onto one. Balance transfers do require a verification step with a code sent via email, but the fraudsters have already changed the primary account email beforehand. They simply transfer the balances onto cards they already control, then use or resell those cards in a secondary market.
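The sequence described in the preceding paragraphs (email change, then password change, then a raised auto-reload amount, then balance transfers to cards the account has never used, often started off-hours) is exactly the kind of pattern an account-activity log can be screened for. The following is an added example from this editor, not code from the article or from Starbucks: it scores accounts against that sequence and shows one mitigation, a cool-down that holds sensitive actions after an email change unless the change was confirmed from the previous address. The event kinds, field names, `COOL_DOWN` value, scoring weights and all sample events are constructed assumptions, not a real schema or real data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Event kinds and metadata keys are assumptions about what an account-activity
# log might contain; they are not any real provider's schema.
SENSITIVE = {"password_change", "reload_amount_change", "balance_transfer"}
COOL_DOWN = timedelta(hours=72)   # assumed hold on sensitive actions after an email change


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    meta: dict = field(default_factory=dict)


def off_hours(ts: datetime) -> bool:
    """Weekend, or 22:00-06:00, when a victim is least able to reach support."""
    return ts.weekday() >= 5 or ts.hour >= 22 or ts.hour < 6


def analyze(events, window=timedelta(hours=24)):
    """Score each account for the takeover sequence: an email change followed,
    within `window`, by a password change, a raised auto-reload amount, or a
    balance transfer to a card the account has not used before. Returns
    {account: {"score": int, "reasons": [str, ...]}} for accounts that match."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)

    findings = {}
    for account, evs in by_account.items():
        score, reasons = 0, []
        for ec in (e for e in evs if e.kind == "email_change"):
            followers = [e for e in evs
                         if ec.ts < e.ts <= ec.ts + window and e.kind in SENSITIVE]
            for e in followers:
                gap = e.ts - ec.ts
                if e.kind == "password_change":
                    score += 2
                    reasons.append(f"password changed {gap} after email change")
                elif (e.kind == "reload_amount_change"
                      and e.meta.get("new", 0) > e.meta.get("old", 0)):
                    score += 3
                    reasons.append(f"auto-reload raised {e.meta.get('old')}->"
                                   f"{e.meta.get('new')} {gap} after email change")
                elif e.kind == "balance_transfer" and not e.meta.get("dest_known", True):
                    score += 3
                    reasons.append(f"{e.meta.get('amount')} moved to unknown card "
                                   f"{e.meta.get('dest')} {gap} after email change")
            if followers and off_hours(ec.ts):
                score += 1
                reasons.append("sequence started off-hours")
        if score:
            findings[account] = {"score": score, "reasons": reasons}
    return findings


def requires_step_up(account_events, action: str, now: datetime) -> bool:
    """Mitigation: hold a sensitive action for COOL_DOWN after an email change
    unless that change was confirmed from the previous address. The article
    notes the confirmation currently goes to the new address, which is why the
    check is bypassed; confirming with the old address closes that gap."""
    if action not in SENSITIVE:
        return False
    return any(e.kind == "email_change"
               and now - e.ts < COOL_DOWN
               and not e.meta.get("confirmed_by_old_email", False)
               for e in account_events)


# Constructed sample log: a Saturday-night takeover of acct-1001 and one
# benign reload change on acct-2002. Values are invented for illustration.
T = datetime(2015, 5, 16, 23, 10)
SAMPLE_EVENTS = [
    Event(T, "acct-1001", "login", {"ip": "203.0.113.7"}),
    Event(T + timedelta(minutes=2), "acct-1001", "email_change",
          {"old": "victim@example.com", "new": "mailbox@example.net"}),
    Event(T + timedelta(minutes=4), "acct-1001", "password_change"),
    Event(T + timedelta(minutes=6), "acct-1001", "reload_amount_change", {"old": 25, "new": 100}),
    Event(T + timedelta(minutes=9), "acct-1001", "balance_transfer",
          {"amount": 100, "dest": "card-7781", "dest_known": False}),
    Event(T + timedelta(minutes=20), "acct-1001", "balance_transfer",
          {"amount": 100, "dest": "card-7781", "dest_known": False}),
    Event(T + timedelta(hours=12), "acct-2002", "reload_amount_change", {"old": 25, "new": 50}),
]

if __name__ == "__main__":
    for acct, f in analyze(SAMPLE_EVENTS).items():
        print(acct, f["score"], *f["reasons"], sep="\n  ")
    victim = [e for e in SAMPLE_EVENTS if e.account == "acct-1001"]
    print("hold transfer:", requires_step_up(victim, "balance_transfer", T + timedelta(minutes=30)))
```

The scoring weights are deliberately simple; the point is that each step on its own (a password change, a higher reload amount) is ordinary account maintenance, while the ordered chain within a short window after an email change, and especially during off-hours, is what distinguishes a takeover. The cool-down check is the design counterpart: once an email change is confirmed only by the new address, it cannot protect any later action, so either the old address confirms it or sensitive actions wait.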
For more information: