Scammers are draining payment cards linked with Starbucks customer accounts

Scammers are actively targeting Starbucks customers and syphoning money from the credit or debit card they have tied to their Starbucks accounts.

In order to perform this attack, the only thing the scammers need is the victims’ username and password for their Starbucks account, and they can get it either via phishing, keylogging, password bruteforcing, or by testing leaked compromised username/password combinations for other online services.

According to Bob Sullivan, who talked to a number of individuals who were affected by this scam, the first indication that something might be wrong is usually an automated email from Starbucks saying their username and password had been changed.

Once the crooks have control of the account, they can transfer the money currently loaded on the gift card on the victims’ Starbucks app to another gift card they have control of, and which they can resell later. Or they can simply buy gift cards and send them to accounts they control.

If the victim has enabled the auto-load feature on the account, additional amounts are automatically loaded into the Starbucks card and can be stolen in the same way. In one instance, a victim witnessed the scammers triple the auto reload amount she set and make off with that money as well.

If the victim is not aware of the attack, these steps can be repeated until all the money on the associated payment card is drained.

According to an inside source, similar attacks have been going on since January. When contacted for a comment, a company spokeswoman said that they “have safeguards in place to constantly monitor for fraudulent activity,” but they are “unable to discuss specific security measures” publicly for obvious reasons.

“If a customer believes their account may be subject to fraudulent activity, we encourage them to contact us and their financial institution immediately,” she stated, adding that “customers are not responsible for charges or transfers they didn’t make.”

“Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan advised.

“If the convenience of auto-reload is just too irresistible for you – and admittedly, it is convenient – then you must use very strong passwords on your Starbucks account.”

“Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash. In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks,” warned Brendan Rizzo, technical director EMEA, HP Security Voltage.

According to Gavin Reid, VP of threat intelligence, Lancope, this type of attack is not a new occurrence. “If someone guesses the username and password for an account that is backed by you bank bad things can and will follow. This highlights problems with using consumer cards and accounts that are backed up with either a high limit credit card or even worse the current checking account,” he says.

“Ideally vendors would make this form of compromise harder by using multi factor authentication and the banks themselves would issue one-time-use account numbers that contain a fixed amount of cash limiting the loss. This type of small amount theft can be automated reusing already exposed credentials.”