Do you use the Starbucks mobile app to order and pay for your favorite beverages? You’d better check your account because there’s been an uptick in people getting hundreds of dollars stolen through the app.
Thieves are breaking into Starbucks customers’ rewards accounts through the mobile app and stealing money. It’s called an account takeover, and, in the case of these Starbucks thefts, the process is a bit convoluted. It basically entails reloading the customer’s gift card using whatever bank account, credit card or PayPal account the customer has connected to the app and then either spending the balance directly from the customer’s account or transferring it to a different account. If you aren’t familiar with how the Starbucks mobile app works, it’s really just a mobile version of Starbucks’ gift cards, so it’s not actually a payment platform like Apple Pay. It’s more like a prepaid cell phone: users load money onto mobile gift cards that they use to pay for their drinks. Where security gets a bit dicey is that users can connect a bank account, credit card or PayPal account to reload their gift cards, with an option to auto-reload their cards when the balance falls below a designated amount.
News of the thefts broke earlier this month when BuzzFeed News reporter Vanessa Wong wrote about her own experience. Wong says she received an email alert from Starbucks with a receipt for reloading $100 on her Starbucks app using the credit card she’d saved in her account. When she opened the app, three purchases totaling $113.90 had been made at a Starbucks in San Diego using her account. In her article about the thefts, Wong documented what she called a “slow trickle of complaints from Starbucks customers” that had begun to show up on social media. Since then, other media outlets, such as Good Housekeeping and CNN Money, have dug up other customers who’ve recently experienced this same kind of theft through the Starbucks app.
Perhaps because she’s a high-profile reporter, Wong was told by Starbucks’ customer service that they’d cancel the $100 charge on her credit card and restore the balance her account held before the fraud took place. Others have not been so lucky. In an interview with CNN Money, Jean Obando said he was told by Starbucks customer service that they’d conduct a review but that he’d have to dispute the charges with PayPal. The fraudster had gotten away with $550, and it took Obando two weeks to get the money back. That was back in December. In a statement to Good Housekeeping on May 9, Starbucks said, “if we are made aware of any unauthorized activity, we work with our customers directly to ensure that their account remains whole.”
This isn’t a new problem with the Starbucks app. Freelance journalist Bob Sullivan reported on this same activity in 2015, stating that this tactic has allowed criminals to steal hundreds of dollars in a matter of minutes, and “consumer protections controlling the transactions are unclear.” Unfortunately, Starbucks’ response to this issue hasn’t changed much over the last two years. The company’s response to Sullivan in 2015 and CNN Money and Good Housekeeping in 2017 is that the thefts are a result of customers using weak passwords to protect their accounts. However, customers are discovering strong passwords simply aren’t enough to protect themselves from this kind of fraud. Sullivan reported in 2015 that the Starbucks app allows users to log in to multiple devices at the same time. Seems like a really convenient feature, but according to Sullivan:
“The criminal is logged in using their new email address, while the victim is logged in with the old credentials — presumably because their mobile device never logs off. This turns out to be a good thing in some cases because it has allowed many victims to hurriedly de-link their credit cards from the app in the middle of a fraud. But it’s also atypical security behavior. Why would old credentials ever allow someone to log in to an account? Clearly because the app isn’t verifying that it has up-to-date credentials very frequently. More than one consumer has rightly asked me: Once their account is restored, can the criminal still log in?”
Two years later and, you guessed it, that feature hasn’t changed. Starbucks’ online customer service center still says simultaneous log-ins are permitted. As far as adding two-factor authentication to the app, Starbucks told Wong, “While we do not share specifics on future security protocol timelines or practices, our security and anti-fraud teams actively continue to develop, and invest in, enhanced protection measures, further strengthening our platforms.”
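The behavior Sullivan describes, a session issued against old credentials that keeps working after the email or password has changed, is a session-management choice on the server, not something a customer can fix. The following is an added example written for this article, not Starbucks’ code, and every name in it is hypothetical: a small in-memory session store that records the credential version each session was issued against and rejects the session on its next request once that version has moved. Changing the email or password also requires the current password again (a step-up check), so a logged-in session alone cannot silently re-point the account.

```python
# Added example, not Starbucks' code: a session store that re-checks
# credentials on every request so that logins issued against old
# credentials stop working once the password or e-mail changes.
# All classes, method names and sample accounts here are hypothetical.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    user_id: str
    email: str
    password_hash: str
    credential_version: int = 0  # incremented on every password/e-mail change


@dataclass
class Session:
    user_id: str
    credential_version: int  # the account version this session was issued against
    device: str


def _hash_password(password: str) -> str:
    # Demo hash only; a real service uses a slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}  # user_id -> Account
        self.by_email: dict[str, str] = {}      # email -> user_id
        self.sessions: dict[str, Session] = {}  # token -> Session

    def register(self, user_id: str, email: str, password: str) -> None:
        self.accounts[user_id] = Account(user_id, email, _hash_password(password))
        self.by_email[email] = user_id

    def login(self, email: str, password: str, device: str) -> Optional[str]:
        user_id = self.by_email.get(email)
        if user_id is None:
            return None
        acct = self.accounts[user_id]
        if not hmac.compare_digest(acct.password_hash, _hash_password(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, acct.credential_version, device)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user_id for a token, or None if the session is stale.

        A session is stale when the account's credentials changed after it was
        issued, so an old login is cut off on its next request instead of
        living on indefinitely.
        """
        sess = self.sessions.get(token)
        if sess is None:
            return None
        acct = self.accounts[sess.user_id]
        if sess.credential_version != acct.credential_version:
            del self.sessions[token]  # drop it rather than keep a dead entry
            return None
        return sess.user_id

    def active_devices(self, user_id: str) -> list[str]:
        # Only sessions that would still pass authenticate() are listed.
        return sorted(s.device for t, s in list(self.sessions.items())
                      if self.authenticate(t) == user_id)

    def _change_credentials(self, token: str, current_password: str,
                            mutate: Callable[[Account], None]) -> Optional[str]:
        user_id = self.authenticate(token)
        if user_id is None:
            return None
        acct = self.accounts[user_id]
        # Step-up check: a sensitive change needs the current password again,
        # even from an already authenticated session.
        if not hmac.compare_digest(acct.password_hash, _hash_password(current_password)):
            return None
        mutate(acct)
        acct.credential_version += 1  # every existing session is now stale
        device = self.sessions.pop(token).device
        # Re-issue a session only for the device that made the change.
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = Session(user_id, acct.credential_version, device)
        return new_token

    def change_email(self, token: str, current_password: str, new_email: str) -> Optional[str]:
        def mutate(acct: Account) -> None:
            del self.by_email[acct.email]
            acct.email = new_email
            self.by_email[new_email] = acct.user_id
        return self._change_credentials(token, current_password, mutate)

    def change_password(self, token: str, current_password: str, new_password: str) -> Optional[str]:
        def mutate(acct: Account) -> None:
            acct.password_hash = _hash_password(new_password)
        return self._change_credentials(token, current_password, mutate)


def demo() -> tuple:
    # Constructed scenario: one account logged in on two devices, then a
    # password change from the laptop. The phone session was issued against
    # version 0 and is rejected on its next request.
    store = SessionStore()
    store.register("u1", "victim@example.com", "correct horse")
    phone = store.login("victim@example.com", "correct horse", "phone")
    laptop = store.login("victim@example.com", "correct horse", "laptop")
    new_laptop = store.change_password(laptop, "correct horse", "battery staple")
    return store.authenticate(phone), store.authenticate(new_laptop), store.active_devices("u1")
```

Two design points follow from this layout. First, because staleness is decided at request time from the account’s current version, it does not matter how many devices are logged in at once or how long a device has gone without logging off; the check Sullivan found missing happens on every call. Second, revoking all sessions on a credential change removes the accidental benefit he mentions (a victim still being logged in to de-link a card), so a service that adopts it should pair it with a notification to the previous email address and a way to recover the account through that address.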
It’s important to note that the Starbucks mobile app and its website have not been hacked in any way. Customer data has not been stolen or compromised. This is an account access issue, and in the absence of stronger security features built into the app, consumers have very few options for protecting themselves. Most importantly, it is always best practice to use a strong password for each account, to change those passwords regularly, and never to reuse a password across accounts. If you’re still concerned about falling victim to this type of fraud, unlink your payment information from the app and pay with cash or card at your local Starbucks.