In the last fiscal quarter, Starbucks reported that over 25 percent of its sales in the U.S. were paid through the Starbucks app. That means a lot of money is passing through the app, which is great news for Starbucks’ mobile presence. But on the internet, where there’s money and a way to pay it out, there are going to be people who’ve figured out how to take it.
Venessa Wong is the deputy business editor at BuzzFeed News, and she had a firsthand run-in with fraud on her own Starbucks app. She talked to Marketplace host Kai Ryssdal about the experience. Below is an edited transcript of their conversation.
Kai Ryssdal: Tell me what happened with your Starbucks card.
Venessa Wong: So this was a really weird one. I was actually just finishing up a story about how there was a data breach of Chipotle’s payment system. And as I was publishing that, I got this email alert from Starbucks thanking me for my $100 reload on my Starbucks app. Which clearly wasn’t me, because I was writing a story about Chipotle’s security issues. So I freaked out, and I checked my app, and it showed a $100 reload tied to a stored credit card on my account. And three separate purchases that had basically emptied out the entire balance of my account at some Starbucks in San Diego. I’m based in New York, so …
Ryssdal: Right. And that’s a key point. So first of all, that’s a whole lot of coffee to be buying. But second of all, it’s not like this is a new thing with Starbucks, right? This is a known security flaw that they have. Tell us about that.
Wong: So this is not a new issue for Starbucks at all. They call it an account takeover, or an ATO if you’re in the industry. And basically what happens is the bad guys, which several security experts have referred to them as bad guys, basically find your logins from other people who steal them, and then they use them in other accounts and hijack your account. And this happened with many Starbucks customers back in 2015. And at the time Starbucks issued this statement that you really shouldn’t use the same username and password across accounts, so just change that immediately.
Ryssdal: Wait, so it’s our fault, right? Because that’s basically what they’re saying.
Wong: It is, based on Starbucks’ response, in some way our own fault for not changing up our passwords and logins enough. In this age, we have so many accounts. You basically need an account to do every single thing in your life. And there are so many requirements at this point, between using caps and exclamation points and, like, other things like that. I think at some point, you do end up reusing some of your passwords and logins.
Ryssdal: As we get ever increasingly mobile in this economy, as we do more and more with our phones, how worried ought we be?
Wong: So after my account was hijacked, I was really worried. You know, I think at this point, it’s really not worth the risk in order for me to pay for my coffee with my mobile phone.
Ryssdal: But then you have to stand in line, right? That’s the trade-off. You can order with your app and go in and pick it up, assuming that they’ve got that mobile thing figured out. But then you have to stand in line if you don’t use the app.
Wong: I feel like, in the spectrum of bad things that can happen to me, standing in line is not that horrible.