Hacking Starbucks’ App-uccino

UPDATE: ON JANUARY 16, 2014, THE SAME DAY THAT I PUBLISHED THIS BLOG, STARBUCKS ISSUED A SECURITY UPDATE TO ITS MOBILE APP TO CURE SOME OF THE DEFICIENCIES THAT I IDENTIFIED BELOW.

A major security flaw in the mobile Starbucks app is exposing more than 7 million customers to theft. Not just identity theft: directly stealing their money.

Before I begin my diatribe about security and privacy risks, I’ll confess: I am an avid Starbucks consumer. I really like its bold coffee; I meet people for social and business meetings in its cafes; I read and type there.

And I always pay for my coffee with my gold Starbucks card. (Why not? I earn points towards a free drink after every 15 purchases.)


I’ve always marvelled when other customers pay by allowing a Starbucks employee to scan their telephones. I never understood their reasoning, other than the “cool” factor.
First of all, it’s no more convenient to swipe a phone than to swipe a credit card.

Second, if “cool” and status are one’s goals, the gold card sends that message to anyone in sight, doesn’t it?

But most significantly, why would you want another person to scan the screen of your phone, using her employer's scanning device? It's one thing to use your phone to scan other objects (by using a bar-code scanning app or taking a photo, for example). But the converse seems foolhardy and risky: letting a third party's device view your own phone.

Somehow, that always seemed unwise to me. Not from a technological viewpoint, but merely common sense. Exposing your phone is exposing your private life. What is the Starbucks scanning machine reading? Just your credit information? Or your emails?


Certainly, you’ve told Starbucks your geolocation data merely by paying at a given store. (But you do that when you pay any merchant with a credit card, at Starbucks or anywhere else, since you are obviously at the physical brick-and-mortar store when you use your card.)

Now, let’s step aside from the illogic of using the Starbucks mobile app.

It contains a security flaw that puts you in harm’s way.

Most banking and payment apps require the user to enter her username/password each time the app is used. Not so with the Starbucks app.

It’s so easy to use the app. Maybe that’s the temptation for customers to use it.

Once the app has been installed on a phone, it can be used whenever it's opened, without the need to type a password. That works because the app keeps your password on the phone.

And it isn't tucked away in some protected store. The password is written to the phone's file system, and it's not even encrypted. It sits in a clear-text file that the app (and anyone else who can read the file system) can access.

This ease-of-use feature is also an ease-of-hacking feature. Daniel Wood identified and described this security bug.

The text file is readily available to anyone who gains access to your phone. The phone's PIN does not even have to be entered or bypassed to read the text file that contains your Starbucks password.
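The check a practitioner would run for this class of bug, as an added example (this is not code from the Starbucks app, from Daniel Wood's write-up, or from this post): a small Python script that walks an extracted app data container, such as an app sandbox copied off a jailbroken device or an unencrypted phone backup, and flags any key/value pair whose key looks like a credential. The directory layout, file names and log lines are constructed for the demo and are not the real app's; the `redact_fields` helper shows the app-side fix, masking credential fields before anything is written to a log or preference file.

```python
"""Scan an extracted mobile-app data container for credentials stored in
plaintext.  Added example for this post, not the Starbucks app's own code.
Every path, file name and log line below is constructed for the demo."""
import json
import os
import re
import tempfile

# Keys whose values must never be written to disk unencrypted.
SENSITIVE_KEYS = re.compile(r"(password|passwd|pwd|secret|token|session_?id)", re.I)

# key=value, key: value and "key": "value" forms, as found in logs, JSON and
# XML/plist dumps.  Values stop at whitespace, quotes and common delimiters.
KV_PATTERN = re.compile(
    r'["\']?(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)["\']?\s*[=:]\s*["\']?(?P<val>[^"\'\s,;}]+)'
)


def scan_text(text, path):
    """Return one finding per credential-looking key found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KV_PATTERN.finditer(line):
            if SENSITIVE_KEYS.search(m.group("key")):
                findings.append({"file": path, "line": lineno,
                                 "key": m.group("key"), "value": m.group("val")})
    return findings


def scan_container(root):
    """Walk every file under `root` (an app sandbox or backup dir) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(f.read(), os.path.relpath(path, root)))
            except OSError:
                continue  # unreadable file: skip it and keep auditing
    return findings


def redact_fields(fields):
    """App-side fix: mask credential fields before they reach a log or preference file."""
    return {k: ("***" if SENSITIVE_KEYS.search(k) else v) for k, v in fields.items()}


def build_sample_container():
    """Constructed demo container: a chatty diagnostics log that leaks the login,
    plus a preference file that holds only non-secret settings."""
    root = tempfile.mkdtemp(prefix="app-container-")
    log_dir = os.path.join(root, "Library", "Caches", "logs")
    pref_dir = os.path.join(root, "Library", "Preferences")
    os.makedirs(log_dir)
    os.makedirs(pref_dir)
    with open(os.path.join(log_dir, "session.log"), "w", encoding="utf-8") as f:
        f.write("2014-01-10 08:31:02 login attempt\n")
        f.write("username=jane.doe@example.com password=CoffeeIsLife! result=ok\n")
        f.write("2014-01-10 08:31:03 auth_token: 9f3c2a7e\n")
    with open(os.path.join(pref_dir, "com.example.app.json"), "w", encoding="utf-8") as f:
        json.dump({"username": "jane.doe@example.com", "auto_reload": True,
                   "card_last4": "1234"}, f)
    return root


def mask(value):
    """Show only the first two characters of a leaked value in the report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    root = build_sample_container()
    for hit in scan_container(root):
        print(f"{hit['file']}:{hit['line']}: {hit['key']} = {mask(hit['value'])}")
    print(redact_fields({"username": "jane.doe@example.com",
                         "password": "CoffeeIsLife!"}))
```

Run against the constructed container, the scan reports the password and the auth token from the log file and nothing from the preference file. Masking log fields closes the route described above, where a diagnostics file ends up holding the login; the proper home for a secret the app must keep between launches is the platform's protected store (the Keychain on iOS), never a file the app writes itself.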

Why does this matter?

Once your password is in the hands of a malevolent person, your cash balance in your Starbucks account can be stolen.

But that’s rarely a significant amount of money, usually only US $25 or less.

However, if you've set your app to reload your card automatically, every time the hacker drains the balance, your credit card tops it up again with a larger sum, and that additional cash can be withdrawn as well.

Worse still, most of us are sloppy with our password protection. Most of us use only 1 or 2 passwords for all of our accounts – for banking, for email, for Google/Youtube, for access to so many aspects of our digital lives.

So here’s the worst case scenario (and not far-fetched):

1. Your Starbucks password is hacked (easily).

2. Your Starbucks account is drained (easily).

3. Your credit card reloads your Starbucks account, and that is drained.

4. Your geolocation data becomes known.

5. The credit card you use to load your Starbucks account becomes known.

6. Mobile bank apps on your phone indicate the banks that you use.

7. If you use the same password for those banks that you use for your Starbucks account, it becomes easy to hack into your bank accounts and withdraw and borrow money.

8. If your Starbucks password is also used for your cloud-based email (Gmail, Yahoo, etc), then your business and personal conversations can be misappropriated.

9. If your Starbucks password is also used for your social media sites…….anything can happen.

Lessons learned:

1. Don’t store your passwords on your phone.
2. Don’t pay for coffee with a mobile app.

Your thoughts?


3 thoughts on “Hacking Starbucks’ App-uccino”

  1. I use the App… I find it useful that I do not have to carry my whole wallet or purse with its millions of cards just to go get a coffee. Plus, if I only carried my gold card, it is so light that it could easily slip out of my jacket pocket as I take my gloves out. On the other hand, my iPod (I do not have the phone yet) is much heavier than a plastic card, so I consider there is less chance of losing it.

    Another thing: I did not register my password in the app, and my iPod has its own password. So, two passwords to get to pay… Maybe not so user-friendly, you might say, but… refer back to my previous argument, the wallet/purse. And finally, to reload my app/virtual card, it is not done automatically and I need to type a password to confirm. Maybe it is the same, got to verify that! – I haven't gone to SB for a while.

    Speaking of which, I haven't redeemed my b-day freebie – got to go soon…. and use my app! 🙂


  2. Thanks, Paul, for writing this post. Very timely! This news was alarming, to say the least. I Googled “security of Starbucks mobile app” and landed on this January 16th letter from Starbucks notifying customers of a security upgrade available for download: http://news.starbucks.com/views/security-of-starbucks-mobile-app-for-ios. The letter says that a further upgrade is to come.
    Yes, I am one of the 7M customers who have the app, not because of the “cool” factor but because I was tired of asking cashiers for my balance all the time. After getting the app, I took advantage of other features not available with a Gold card alone. From the app, I can conveniently send my daughter Starbucks e-gifts (she's a recent college grad who can't always afford a good cup of java). I also can take advantage of Starbucks rewards and free iTunes music downloads instantly. So, having been a former Gold card user, I do find it more convenient, especially since my iPhone is practically glued to my hand 24/7 (unlike the card). BTW, with two adult children, I am beyond the days of trying to look “cool”. (Ha, ha!) All the same, your points are well taken and appreciated!
