REM Hackers are draining bank accounts through Starbucks’ mobile app

Hackers are draining bank accounts through Starbucks’ mobile app

Some Starbucks customers have had money taken out of the Starbucks mobile app by hackers with the help of a new attack. But, on Friday, the company said that it itself hasn’t been targeted.

The attack has first happened this week. It took advantage of a few things, including the Starbucks’ app auto-load function, consumers using same ID and password in multiple accounts, and the fact that Starbucks doesn’t seem to limit the number of password tries before it locks a customer’s account.

In 2014, Starbucks processed over $2 billion in mobile payment. Starbucks announced that at present approximately 18% of its transactions are made on the company’s app.

The attack process was very simple. At first the thieves get hold on stolen passwords and IDs from the underground market. Checkmarx, application security firm explained that then they used a program to try the stolen combinations on the Starbucks mobile app until one happened to work. Such programs can ‘process’ thousands of ID-password combinations every second.

Generally, sites keep a limit on the number of password attempts before locking the account, but such is not the case with Starbucks, as it doesn’t do so on its app. When the hackers got into a victim’s account, they immediately added a new gift card.

After it, they transferred the money the victim had put into their account to the gift card, which is under the control of the thieves. With the help of this strategy, the thieves stole all the money from the app by putting it into the gift card.

If the user has set the app to automatically reload their PayPal account or credit card, the thieves can steal again once the app gets more money.

Kevin Mahaffey, CTO of security firm Lookout said that the thieves can then resell the gift cards on the Internet ‘for face value or less, eventually turning those Starbucks dollars into real dollars’.