What Starbucks Hacks Can Teach all of Us


Money used to be simple, because it nearly always came from a bank. Money is getting a lot more complicated lately, as retailers like Starbucks and technology firms like Apple increasingly act like banks.

While Apple Pay, the Starbucks mobile wallet, and other forms of new money called “alternative payment systems” can be convenient, they are still going through growing pains. Two recent incidents involving Starbucks gift cards and mobile payments illustrate why it’s so important that consumers keep a careful eye on their money — wherever it might be.

Criminals have begun turning their attention away from financial institutions and toward third-party firms because they are easier to hack than banks, said Avivah Litan, a fraud analyst at consultancy Gartner.

“Fraud is moving away from banks into big ecommerce companies,” she said. “Criminals are learning how to turn rewards programs, points and prepaid cards into cash.”

Starbucks — far from the only target of this kind of attack — got some bad news earlier this month when a computer security researcher revealed he had found a way to hack Starbucks’ gift card system and add value to a gift card essentially for free. Security consultant Egor Homakov, who conducts penetration tests under the brand name Sakurity.com, said on his website he was able to turn $15 worth of Starbucks cards into $20 during a proof of concept experiment.

That kind of value creation is the holy grail for criminals who attack money systems, with the implied potential of creating infinite value out of thin air. Practically speaking, that’s not possible, but you can imagine the value of such a hack to a computer criminal with evil intentions.

Fortunately, theft wasn’t Homakov’s motivation — unlike the credit card criminals I wrote about recently who target Starbucks accounts with linked credit or debit cards. In that case, criminals hacked their way into consumers’ Starbucks.com accounts, drained the value of the victims’ cards that had been loaded onto their mobile phone apps, then raided the victims’ linked credit or debit cards to steal hundreds of dollars at a time. Those criminals were essentially breaking into the bank using a less-secure side door created by Starbucks.

For his hack, Homakov says he was able to exploit a common class of bug known as a “race condition” to trick the Starbucks system into letting him transfer the same $5 in value onto a second card twice, leaving him with a $15 card and a $5 card. He did it by initiating transfers from separate web browsers at essentially the same time, confusing Starbucks’ systems.

Egor Homakov’s receipt allegedly showing his value creation hack worked.

Race condition attacks rely on a failure of computers to properly handle instructions that occur in very close time sequence. If instructions are not handled in the right order, serious problems can occur. For example, if funds are credited to a new account before they are deleted from an old account, it can be possible to transfer the same funds twice.
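The check-then-act race described above, as an added illustration that is not code from Starbucks or from Homakov's write-up: a constructed Python model of three $5 cards, in which the names `GiftCards`, `transfer_racy`, `transfer_atomic` and the `gap` hook are assumptions made for the example. Two simultaneous transfers both pass the balance check in the unguarded version, while holding one lock across the check and the writes causes the second request to be rejected.

```python
import threading

class GiftCards:
    """Constructed model of card balances; not Starbucks' actual code."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._write = threading.Lock()   # each individual write is atomic
        self._txn = threading.Lock()     # guards a whole transfer (the fix)

    def transfer_racy(self, src, dst, amount, gap):
        seen = self.balances[src]        # 1. check the source balance
        if seen < amount:
            return False
        gap()                            # latency between check and write
        with self._write:                # 2. debit from the stale read, then credit
            self.balances[src] = seen - amount
            self.balances[dst] += amount
        return True

    def transfer_atomic(self, src, dst, amount, gap):
        with self._txn:                  # check and writes form one unit
            return self.transfer_racy(src, dst, amount, gap)


def run_two_requests(method_name):
    """Fire two simultaneous $5 transfers from card A to card B."""
    cards = GiftCards({"A": 5, "B": 5, "C": 5})   # constructed balances, $15 total
    barrier = threading.Barrier(2)

    def gap():
        # Hold each request after its check until the other has checked too.
        try:
            barrier.wait(timeout=1.0)
        except threading.BrokenBarrierError:
            pass                         # the other request never got this far

    results = []

    def request():
        results.append(getattr(cards, method_name)("A", "B", 5, gap))

    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cards.balances, sorted(results)
```

With `transfer_racy` the three cards end at $0, $15 and $5, which is $20 from $15; with `transfer_atomic` the second request fails and the total stays at $15.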

Homakov, who is from Russia but is now based in San Francisco, then purchased several items from Starbucks to prove his technique worked.

“$15 in, $16.70 out. The concept is proven and now let’s deposit $10 from our credit card to make sure the U.S. justice system will not put us in jail over $1.70,” he wrote on his blog.

The rapid success of Starbucks’ mobile-pay and gift-card system has helped make it a target, as my recent report on credit card hackers and their successful attacks showed. And last year, a researcher discovered that the Starbucks app was storing passwords in plain text.

While Starbucks did not answer my questions about the hack, it issued a statement to the BBC.

“After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication,” the firm said, according to the BBC.

It’s important to note that Starbucks said last year that it didn’t know of a single customer who had been a victim of the password issue; and we don’t know of anyone who’s been victimized by this value-creation attack. The risk to consumers here is probably very, very low.

The news does suggest Starbucks is struggling with security issues and growing pains as it creates what might be considered an alternative money system. The massive point-of-sale outage last month, which led to Starbucks handing out free coffees around the country for several hours, also paints a picture of a firm struggling with technical issues as it becomes one of the largest “banks” in the country. Already, Starbucks processes some 8 million transactions every week for its 16 million mobile app users.

The real risk for consumers, however, comes from trusting third-party firms with bank account data. Those who link their payment accounts to an app or any re-loadable card, a behavior Starbucks encourages with rewards and free drinks, should realize their bank accounts are probably only protected by the username and password they use at that third-party site.

Perhaps for you, the convenience is worth it. But the more places you have to watch for fraud, the more likely you are to miss it, and remember: If you don’t spot a fraud and report it within the time required by federal law, you won’t get a refund.
