Starbucks app is popular and still vulnerable to fraud

Kai Ryssdal May 8, 2017
"I think at this point, it's really not worth the risk in order for me to pay for my coffee with my mobile phone," said Venessa Wong, deputy business editor at Buzzfeed News. Justin Sullivan/Getty Images


In the last fiscal quarter, Starbucks reported that over 25 percent of its sales in the U.S. were paid through the Starbucks app. That means a lot of money is passing through the app, which is great news for Starbucks’ mobile presence. But on the internet, where there’s money and a way to pay it out, there are going to be people who’ve figured out how to take it.

Venessa Wong is the deputy business editor at BuzzFeed News, and she had a firsthand run-in with fraud on her own Starbucks app. She talked to Marketplace host Kai Ryssdal about the experience. Below is an edited transcript of their conversation.

Kai Ryssdal: Tell me what happened with your Starbucks card.

Venessa Wong: So this was a really weird one. I was actually just finishing up a story about how there was a data breach of Chipotle’s payment system. And as I was publishing that, I got this email alert from Starbucks thanking me for my $100 reload on my Starbucks app. Which clearly wasn’t me, because I was writing a story about Chipotle’s security issues. So I freaked out, and I checked my app, and it showed a $100 reload tied to a stored credit card on my account. And three separate purchases that had basically emptied out the entire balance of my account at some Starbucks in San Diego. I’m based in New York, so …

Ryssdal: Right. And that’s a key point. So first of all, that’s a whole lot of coffee to be buying. But second of all, it’s not like this is a new thing with Starbucks, right? This is a known security flaw that they have. Tell us about that.

Wong: So this is not a new issue for Starbucks at all. They call it an account takeover, or an ATO if you’re in the industry. And basically what happens is the bad guys, which several security experts have referred to them as bad guys, basically find your logins from other people who steal them, and then they use them in other accounts and hijack your account. And this happened with many Starbucks customers back in 2015. And at the time Starbucks issued this statement that you really shouldn’t use the same username and password across accounts, so just change that immediately.

Ryssdal: Wait, so it’s our fault, right? Because that’s basically what they’re saying.

Wong: It is, based on Starbucks’ response, in some way our own fault for not changing up our passwords and logins enough. In this age, we have so many accounts. You basically need an account to do every single thing in your life. And there are so many requirements at this point, between using caps and exclamation points and, like, other things like that. I think at some point, you do end up reusing some of your passwords and logins.

Ryssdal: As we get ever increasingly mobile in this economy, as we do more and more with our phones, how worried ought we be?

Wong: So after my account was hijacked, I was really worried. You know, I think at this point, it’s really not worth the risk in order for me to pay for my coffee with my mobile phone.

Ryssdal: But then you have to stand in line, right? That’s the trade-off. You can order with your app and go in and pick it up, assuming that they’ve got that mobile thing figured out. But then you have to stand in line if you don’t use the app.

Wong: I feel like, in the spectrum of bad things that can happen to me, standing in line is not that horrible.
