What Starbucks Hacks Can Teach all of Us

Photo (cc) by marcopako 

Money used to be simple, because it nearly always came from a bank. Money is getting a lot more complicated lately, as increasingly retailers like Starbucks and technology firms like Apple are acting like banks.

While ApplePay, Starbucks mobile wallet, and other forms of new money called “alternative payment systems” can be convenient, they are still going through growing pains. Two incidents recently involving Starbucks gift cards and mobile payments illustrate why it’s so important that consumers keep a careful eye on their money — wherever it might be.

Criminals have begun training their attention away from financial institutions and on third-party firms because they are easier to hack than banks, said Avivah Litan, a fraud analyst at consultancy Gartner.

“Fraud is moving away from banks into big ecommerce companies,” she said. “Criminals are learning how to turn rewards programs, points and prepaid cards into cash.”

Starbucks — far from the only target of this kind of attack — got some bad news earlier this month when a computer security researcher revealed he had found a way to hack Starbucks’ gift card system and add value to a gift card essentially for free. Security consultant Egor Homakov, who conducts penetration tests under the brand name Sakurity.com, said on his website he was able to turn $15 worth of Starbucks cards into $20 during a proof of concept experiment.

That kind of value creation is the holy grail for criminals who attack money systems, with the implied potential of creating infinite value out of thin air. Practically speaking, that’s not possible, but you can imagine the value of such a hack to a computer criminal with evil intentions.

Fortunately, theft wasn’t Homakov’s motivation — unlike the credit card criminals I wrote about recently who target Starbucks accounts with linked credit or debit cards. In that case, criminals hacked their way into consumers’ Starbucks.com accounts, drained the value of the victims’ cards that had been loaded onto their mobile phone apps, then raided the victims’ linked credit or debit cards to steal hundreds of dollars at a time. Those criminals were essentially breaking into the bank using a less-secure side door created by Starbucks.

For his hack, Homakov says he was able to exploit a common bug known as “race conditions” to trick the Starbucks system into letting him transfer the same $5 in value onto a second card twice, leaving him with a $15 card and a $5 card. He did it by initiating transfers from separate web browsers at essentially the same time, confusing Starbucks’ systems.

Igor Homakov's receipt allegedly showing his value creation hack worked.Click for his website.
Egor Homakov’s receipt allegedly showing his value creation hack worked. Click for his website.

Race condition attacks rely on a failure of computers to properly handle instructions that occur in very close time sequence. If instructions are not handled in the right order, serious problems can occur. For example, if funds are credited to a new account before they are deleted from an old account, it can be possible to transfer the same funds twice.

Homakov, who is from Russia but is now based in San Francisco, then purchased several items from Starbucks to prove his technique worked.

“$15 in, $16.70 out. The concept is proven and now let’s deposit $10 from our credit card to make sure the U.S. justice system will not put us in jail over $1.70,” he wrote on his blog.

The rapid success of Starbucks mobile-pay and gift-card system has helped make it a target, as my recent report on credit card hackers and their successful attacks showed. And last year, a researcher discovered that the Starbucks app was storing passwords in plain text.

While Starbucks did not answer my questions about the hack, it issued a statement to the BBC.

“After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication,” the firm said, according to the BBC.

It’s important to note that Starbucks said last year that it didn’t know of a single customer who had been a victim of the password issue; and we don’t know of anyone who’s been victimized by this value-creation attack. The risk to consumers here is probably very, very low.

The news does suggest Starbucks is struggling with security issues and growing pains as it creates what might be considered an alternative money system. The massive point of sale outage last month, which led to Starbucks handing out free coffees around the country for several hours, also paints a picture of a firm struggling with technical issues as it becomes one of the largest “banks” in the country. Already, Starbucks processes some 8 million transactions every week for its 16 million mobile app users.

The real risk for consumers, however, comes from trusting third-party firms with bank account data. Those who link their payment accounts to an app or any re-loadable card, a behavior Starbucks encourages with rewards and free drinks, should realize their bank accounts are probably only protected by the username and password they use at that third-party site.

Perhaps for you, the convenience is worth it. But the more places you have to watch for fraud, the more likely you are to miss it, and remember: If you don’t spot a fraud and report it within the time required by federal law, you won’t get a refund.

Sign up for Bob Sullivan’s free email newsletter.

Disclosure: The information you read here is always objective. However, we sometimes receive compensation when you click links within our stories.

Read Next
14 Service Providers Most Likely to Lower Your Bill If You Ask
14 Service Providers Most Likely to Lower Your Bill If You Ask

With these companies, it might be easier than you think to negotiate your monthly bill down.

3 Bank Accounts With Perks for Customers Age 55 and Older
3 Bank Accounts With Perks for Customers Age 55 and Older

These checking accounts offer exclusive discounts and other perks — including interest — to older customers.

7 Mistakes Guaranteed to Ruin Your Retirement
7 Mistakes Guaranteed to Ruin Your Retirement

Make even one of these money mistakes, and you’ll probably end up eating ramen noodles in your golden years.

14 Products That Keep Foods Fresh Longer
14 Products That Keep Foods Fresh Longer

We’ve rounded up innovative Amazon purchases to lengthen the life of your favorite foods and beverages.

Big-Ticket Things You Should Never Buy
Big-Ticket Things You Should Never Buy

In this week’s podcast: Are you wasting big money on these common purchases?

View this page without ads

Help us produce more money-saving articles and videos by subscribing to a membership.

Get Started

Most Popular
9 Things You’ll Never See at Costco Again
9 Things You’ll Never See at Costco Again

The warehouse store offers an enormous selection, but these products aren’t coming back.

11 Things Retirees Should Always Buy at Costco
11 Things Retirees Should Always Buy at Costco

This leader in bulk shopping is a great place to find discounts in the fixed-income years.

Over 50? The CDC Says You Need These 4 Vaccines
Over 50? The CDC Says You Need These 4 Vaccines

Fall is the time to schedule vaccines that can keep you healthy — and even save your life.

Why Cloth Masks May Increase Your Coronavirus Risk
Why Cloth Masks May Increase Your Coronavirus Risk

A new study finds that wearing a cloth mask can backfire if you don’t clean it properly.

11 Household Items That Go Bad — or Become Dangerous
11 Household Items That Go Bad — or Become Dangerous

When you get the impulse to stockpile these everyday items, pay close attention to their expiration dates.

8 Things You Can Get for Free at Pharmacies
8 Things You Can Get for Free at Pharmacies

In this age of higher-priced drugs and complex health care systems, a trip to the pharmacy can spark worry. Freebies sure do help.

7 Ways to Boost Your Credit Score Fast
7 Ways to Boost Your Credit Score Fast

Your financial security might soon depend upon the strength of your credit score.

These Are the 4 Best Medicare Advantage Plans for 2020
These Are the 4 Best Medicare Advantage Plans for 2020

Medicare Advantage customers themselves rate these plans highest.

The 15 Worst States for Retirees in 2020
The 15 Worst States for Retirees in 2020

Based on dozens of metrics tied to affordability, quality of life and health care, these are not ideal places to spend retirement.

The 10 Most Commonly Stolen Vehicles in America
The 10 Most Commonly Stolen Vehicles in America

A new model parks atop the list of vehicles that thieves love to pilfer.

This Is the Cheapest Place to Buy a Used Car
This Is the Cheapest Place to Buy a Used Car

Looking for a good deal on a set of wheels? This should be your first stop.

19 High-Paying Jobs You Can Get With a 2-Year Degree
19 High-Paying Jobs You Can Get With a 2-Year Degree

These jobs pay more than the typical job in the U.S. — and no bachelor’s degree is required.

5 Ways to Get Amazon Prime for Free
5 Ways to Get Amazon Prime for Free

Hesitant to drop $119 a year on an Amazon Prime membership? Here’s how to get it for free.

5 Keys to Making Your Car Last for 200,000 Miles
5 Keys to Making Your Car Last for 200,000 Miles

Pushing your car to 200,000 miles — and beyond — can save you piles of cash. Here’s how to get there.

26 States That Do Not Tax Social Security Income
26 States That Do Not Tax Social Security Income

These states won’t tax any of your Social Security income — and in some cases, other types of retirement income.

3 Ways to Get Microsoft Office for Free
3 Ways to Get Microsoft Office for Free

With a little ingenuity, you can cut Office costs to zero.

10 Reasons Why You Should Actually Retire at 62
10 Reasons Why You Should Actually Retire at 62

If you can, here are several good reasons to retire earlier than we’re told to.

7 Surprising Features That Boost Your Home Value
7 Surprising Features That Boost Your Home Value

You can add value to your home without hiring a contractor to do expensive renovations.

5 Things That Make Life More Meaningful for Retirees
5 Things That Make Life More Meaningful for Retirees

Retirees agree: These are the things that give them purpose and fulfillment in their golden years.

View More Articles

View this page without ads

Help us produce more money-saving articles and videos by subscribing to a membership.

Get Started

Add a Comment

Our Policy: We welcome relevant and respectful comments in order to foster healthy and informative discussions. All other comments may be removed. Comments with links are automatically held for moderation.