Friday, 15 May 2015

Starbucks Denies Hack & Blames Customers

Hackers have successfully exploited a smartphone application used by the customers of  Starbucks. The "rewards card" app allows users to pay for coffee and food with pre-loaded "rewards cash," using saved customer credit or debit card data, as well as other saved identity information.

Without initially knowing specific card details or account numbers, hackers were able to access Starbucks customers' rewards cards via the compromised app. They could then trace the data backwards to gain access to users' personal data, and reuse their credentials for subsequent attacks, specifically using the "auto top-up" feature which automatically adds cash value to the card from a linked bank or credit card account. Hackers were able to repeatedly "top-up" hacked accounts using this flawed feature.Cited SC Magazine 
However don't worry Starbucks have got it all sorted - this won't happen again...Well as long as there customers start to 'protect their security' more. In a statement made by Starbucks;
"Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false...Occasionally, Starbucks receives reports from customers of unauthorized activity on their on-line account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information." cited The Register 
Now that strikes me as shifting the blame to their customers, however it should be noted that if you are located out of the US then you haven't been affected...yet!
There is a fine line between corporate responsibility and the end user but as they say 'the customer is always right'. Maybe it is time for Starbucks (and others!) to start educating their customers on Security or taking a more robust approach to such matters. What are your thoughts? 

No comments:

Post a comment