What Starbucks Hacks Can Teach all of Us



Money used to be simple, because it nearly always came from a bank. Money is getting a lot more complicated lately, as increasingly retailers like Starbucks and technology firms like Apple are acting like banks.

While ApplePay, Starbucks mobile wallet, and other forms of new money called “alternative payment systems” can be convenient, they are still going through growing pains. Two incidents recently involving Starbucks gift cards and mobile payments illustrate why it’s so important that consumers keep a careful eye on their money — wherever it might be.

Criminals have begun turning their attention away from financial institutions and toward third-party firms, because those firms are easier to hack than banks, said Avivah Litan, a fraud analyst at consultancy Gartner.

“Fraud is moving away from banks into big ecommerce companies,” she said. “Criminals are learning how to turn rewards programs, points and prepaid cards into cash.”

Starbucks — far from the only target of this kind of attack — got some bad news earlier this month when a computer security researcher revealed he had found a way to hack Starbucks’ gift card system and add value to a gift card essentially for free. Security consultant Egor Homakov, who conducts penetration tests under the brand name Sakurity.com, said on his website he was able to turn $15 worth of Starbucks cards into $20 during a proof of concept experiment.

That kind of value creation is the holy grail for criminals who attack money systems, with the implied potential of creating infinite value out of thin air. Practically speaking, that’s not possible, but you can imagine the value of such a hack to a computer criminal with evil intentions.

Fortunately, theft wasn’t Homakov’s motivation — unlike the credit card criminals I wrote about recently who target Starbucks accounts with linked credit or debit cards. In that case, criminals hacked their way into consumers’ Starbucks.com accounts, drained the value of the victims’ cards that had been loaded onto their mobile phone apps, then raided the victims’ linked credit or debit cards to steal hundreds of dollars at a time. Those criminals were essentially breaking into the bank using a less-secure side door created by Starbucks.

For his hack, Homakov says he was able to exploit a common class of bug known as a “race condition” to trick the Starbucks system into letting him transfer the same $5 in value onto a second card twice, leaving him with a $15 card and a $5 card. He did it by initiating the transfers from separate web browsers at essentially the same time, confusing Starbucks’ systems.

[Image: Egor Homakov’s receipt, allegedly showing that his value creation hack worked.]

Race condition attacks rely on a computer’s failure to properly handle instructions that arrive in very close time sequence. If instructions are not handled in the right order, serious problems can occur. For example, if funds are credited to a new account before they are debited from the old account, it can be possible to transfer the same funds twice.
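To make the mechanism in the two paragraphs above concrete, here is an added, constructed model of the bug; it is not Starbucks code and it does not reproduce Homakov’s actual requests. Each transfer is written as a Python generator that hands control back after every storage operation, so a tiny scheduler can replay the exact interleaving that matters: two requests both read the source card’s $5 balance before either one has debited it. The vulnerable version credits the destination twice and debits from the stale value, turning $15 into $20; the hardened version performs the balance check and the debit as one indivisible step (the equivalent of a conditional `UPDATE ... WHERE balance >= amount` with a rows-affected check), so the second request is refused. The card names, amounts and the `run_interleaved` scheduler are all assumptions made for the illustration.

```python
"""Constructed model of a check-then-act race in a gift-card transfer.

Generators stand in for concurrent requests; a `yield` marks a point where
the server has finished one storage operation and another request may run.
"""


def fresh_ledger():
    """Constructed starting balances in cents: card A $5, card B $10 ($15 total)."""
    return {"card_A": 500, "card_B": 1000}


def racy_transfer(ledger, src, dst, amount):
    """Vulnerable pattern: read the balance, check it, credit the destination,
    then debit the source using the value read earlier. Another request may run
    at each `yield`, so two requests can both pass the check on the same $5."""
    balance = ledger[src]                 # step 1: read the source balance
    yield "read"
    if balance < amount:                  # check uses the possibly stale value
        return False
    ledger[dst] = ledger[dst] + amount    # step 2: credit the destination
    yield "credit"
    ledger[src] = balance - amount        # step 3: debit from the stale value
    yield "debit"
    return True


def atomic_transfer(ledger, src, dst, amount):
    """Hardened pattern: check and debit happen in one indivisible operation
    (no `yield` between them), and the credit follows only a successful debit.
    In a real database this is the conditional-update-and-check-rowcount idiom."""
    if ledger[src] < amount:
        return False
    ledger[src] -= amount                 # check + debit, no interleaving point
    yield "debit"
    ledger[dst] += amount
    yield "credit"
    return True


def run_interleaved(requests, order):
    """Drive the generator requests in the given order of names, then finish any
    request that is still running. Returns {name: result} of each transfer."""
    results = {}

    def step(name):
        try:
            next(requests[name])
        except StopIteration as stop:
            results[name] = stop.value

    for name in order:
        if name not in results:
            step(name)
    for name in requests:                 # drain whatever the order left unfinished
        while name not in results:
            step(name)
    return results


def demo(transfer):
    """Two $5 transfers from card A to card B, interleaved so that both requests
    read card A's balance before either has debited it. Returns the outcome of
    each request, the final ledger and the total value in the system."""
    ledger = fresh_ledger()
    requests = {
        "req1": transfer(ledger, "card_A", "card_B", 500),
        "req2": transfer(ledger, "card_A", "card_B", 500),
    }
    # Constructed schedule: req1 reads, req2 reads, req1 runs to completion,
    # then req2 runs to completion on the stale balance it read.
    schedule = ["req1", "req2", "req1", "req1", "req1", "req2", "req2", "req2"]
    results = run_interleaved(requests, schedule)
    return results, ledger, sum(ledger.values())


def value_conserved(ledger, expected_total_cents):
    """Invariant a defender can monitor: transfers must never change the total."""
    return sum(ledger.values()) == expected_total_cents


if __name__ == "__main__":
    for name, transfer in (("racy", racy_transfer), ("atomic", atomic_transfer)):
        results, ledger, total = demo(transfer)
        print(f"{name:7s} results={results} ledger={ledger} total=${total / 100:.2f} "
              f"conserved={value_conserved(ledger, 1500)}")
```

The vulnerable run ends with card A at $0 and card B at $20, because request 2 still believed card A held $5 when it ran; the hardened run refuses request 2 and leaves the total at $15. The last function is the detection angle: a ledger that stores value should be able to prove, at any time, that the sum of all balances equals what customers actually paid in, and an alert on that invariant breaking would catch this class of bug before a receipt does.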

Homakov, who is from Russia but is now based in San Francisco, then purchased several items from Starbucks to prove his technique worked.

“$15 in, $16.70 out. The concept is proven and now let’s deposit $10 from our credit card to make sure the U.S. justice system will not put us in jail over $1.70,” he wrote on his blog.

The rapid success of Starbucks mobile-pay and gift-card system has helped make it a target, as my recent report on credit card hackers and their successful attacks showed. And last year, a researcher discovered that the Starbucks app was storing passwords in plain text.

While Starbucks did not answer my questions about the hack, it issued a statement to the BBC.

“After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication,” the firm said, according to the BBC.

It’s important to note that Starbucks said last year that it didn’t know of a single customer who had been a victim of the password issue; and we don’t know of anyone who’s been victimized by this value-creation attack. The risk to consumers here is probably very, very low.

The news does suggest Starbucks is struggling with security issues and growing pains as it creates what might be considered an alternative money system. The massive point of sale outage last month, which led to Starbucks handing out free coffees around the country for several hours, also paints a picture of a firm struggling with technical issues as it becomes one of the largest “banks” in the country. Already, Starbucks processes some 8 million transactions every week for its 16 million mobile app users.

The real risk for consumers, however, comes from trusting third-party firms with bank account data. Those who link their payment accounts to an app or any re-loadable card, a behavior Starbucks encourages with rewards and free drinks, should realize their bank accounts are probably only protected by the username and password they use at that third-party site.

Perhaps for you, the convenience is worth it. But the more places you have to watch for fraud, the more likely you are to miss it, and remember: If you don’t spot a fraud and report it within the time required by federal law, you won’t get a refund.
