What Starbucks Hacks Can Teach All of Us

Photo (cc) by marcopako 

Money used to be simple, because it nearly always came from a bank. Money is getting a lot more complicated lately, as retailers like Starbucks and technology firms like Apple increasingly act like banks.

While Apple Pay, the Starbucks mobile wallet, and other forms of new money called “alternative payment systems” can be convenient, they are still going through growing pains. Two recent incidents involving Starbucks gift cards and mobile payments illustrate why it’s so important that consumers keep a careful eye on their money — wherever it might be.

Criminals have begun turning their attention away from financial institutions and toward third-party firms because they are easier to hack than banks, said Avivah Litan, a fraud analyst at consultancy Gartner.

“Fraud is moving away from banks into big ecommerce companies,” she said. “Criminals are learning how to turn rewards programs, points and prepaid cards into cash.”

Starbucks — far from the only target of this kind of attack — got some bad news earlier this month when a computer security researcher revealed he had found a way to hack Starbucks’ gift card system and add value to a gift card essentially for free. Security consultant Egor Homakov, who conducts penetration tests under the brand name Sakurity.com, said on his website he was able to turn $15 worth of Starbucks cards into $20 during a proof of concept experiment.

That kind of value creation is the holy grail for criminals who attack money systems, with the implied potential of creating infinite value out of thin air. Practically speaking, that’s not possible, but you can imagine the value of such a hack to a computer criminal with evil intentions.

Fortunately, theft wasn’t Homakov’s motivation — unlike the credit card criminals I wrote about recently who target Starbucks accounts with linked credit or debit cards. In that case, criminals hacked their way into consumers’ Starbucks.com accounts, drained the value of the victims’ cards that had been loaded onto their mobile phone apps, then raided the victims’ linked credit or debit cards to steal hundreds of dollars at a time. Those criminals were essentially breaking into the bank using a less-secure side door created by Starbucks.

For his hack, Homakov says he was able to exploit a common type of bug known as a “race condition” to trick the Starbucks system into letting him transfer the same $5 in value onto a second card twice, leaving him with a $15 card and a $5 card. He did it by initiating transfers from separate web browsers at essentially the same time, confusing Starbucks’ systems.

Egor Homakov’s receipt allegedly showing his value creation hack worked. Click for his website.

Race condition attacks rely on a failure of computers to properly handle instructions that arrive at nearly the same time. If the instructions are not handled in the right order, serious problems can occur. For example, if funds are credited to a new account before they are deducted from an old account, it can be possible to transfer the same funds twice.
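The double-credit interleaving described above, as an added example that is not from the original article or from any Starbucks or Homakov code: a deterministic Python model in which two overlapping requests move the same $5 between cards, first with the balance check separate from the writes, then with the check and debit done as one step. Card names, balances and function names are constructed for illustration.

```python
# Added illustration: deterministic model of two overlapping transfer requests.
# Card names, balances and function names are constructed, not from any real system.

def transfer_unsafe(balances, src, dst, amount):
    """Check-then-act: the balance check and the writes are separate steps."""
    seen = balances[src]               # step 1: read the source balance
    if seen < amount:
        return False
    yield                              # point where another request can run
    balances[dst] += amount            # step 2: credit the destination first
    balances[src] = seen - amount      # step 3: debit, computed from the stale read
    return True

def transfer_atomic(balances, src, dst, amount):
    """Check and debit as one uninterruptible step, then credit.
    Models what a row lock or a conditional UPDATE provides in a database."""
    if balances[src] < amount:
        return False
    balances[src] -= amount            # debit happens before anything else can run
    yield
    balances[dst] += amount
    return True

def run_interleaved(requests):
    """Advance each request one step at a time, round-robin; return their results."""
    results = [None] * len(requests)
    pending = list(enumerate(requests))
    while pending:
        still_running = []
        for i, req in pending:
            try:
                next(req)
                still_running.append((i, req))
            except StopIteration as done:
                results[i] = done.value
        pending = still_running
    return results

def simulate(transfer):
    """Two simultaneous requests to move the same $5 from card1 to card2."""
    balances = {"card1": 5, "card2": 5, "card3": 5}   # $15 in total
    requests = [transfer(balances, "card1", "card2", 5) for _ in range(2)]
    results = run_interleaved(requests)
    return results, balances, sum(balances.values())

if __name__ == "__main__":
    print("unsafe:", simulate(transfer_unsafe))
    print("atomic:", simulate(transfer_atomic))
```

In the unsafe version both requests pass the check before either debits, so the three cards end up holding more than was paid in; in the atomic version the second request is refused and the total is unchanged.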

Homakov, who is from Russia but is now based in San Francisco, then purchased several items from Starbucks to prove his technique worked.

“$15 in, $16.70 out. The concept is proven and now let’s deposit $10 from our credit card to make sure the U.S. justice system will not put us in jail over $1.70,” he wrote on his blog.

The rapid success of Starbucks’ mobile-pay and gift-card system has helped make it a target, as my recent report on credit card hackers and their successful attacks showed. And last year, a researcher discovered that the Starbucks app was storing passwords in plain text.

While Starbucks did not answer my questions about the hack, it issued a statement to the BBC.

“After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication,” the firm said, according to the BBC.

It’s important to note that Starbucks said last year that it didn’t know of a single customer who had been a victim of the password issue; and we don’t know of anyone who’s been victimized by this value-creation attack. The risk to consumers here is probably very, very low.

The news does suggest Starbucks is struggling with security issues and growing pains as it creates what might be considered an alternative money system. The massive point-of-sale outage last month, which led to Starbucks handing out free coffees around the country for several hours, also paints a picture of a firm struggling with technical issues as it becomes one of the largest “banks” in the country. Already, Starbucks processes some 8 million transactions every week for its 16 million mobile app users.

The real risk for consumers, however, comes from trusting third-party firms with bank account data. Those who link their payment accounts to an app or any re-loadable card, a behavior Starbucks encourages with rewards and free drinks, should realize their bank accounts are probably only protected by the username and password they use at that third-party site.

Perhaps for you, the convenience is worth it. But the more places you have to watch for fraud, the more likely you are to miss it, and remember: If you don’t spot a fraud and report it within the time required by federal law, you won’t get a refund.
