There has been a lot written recently about major system compromises, where banks, Government departments, Healthcare, and other companies are targeted and huge collections of personal information get harvested. Often lasting for months before discovered these attacks reveal PII (Personally Identifiable Information) such as social security numbers, dates of birth, addresses, email addresses and, in too many cases, passwords.
Defending against these attacks is an on-going challenge, but storing information in a way that it can be harvested has a significant impact on users of the service - ranging from identity theft to direct financial loss.
But it is not just servers where the risks lie. Poor information security on the end user experiences compromise individual accounts and can be hard to detect, easy to overlook because of how it’s reported.
Earlier this year Starbucks was mentioned as a possible victim of one of these attacks as users accounts mysteriously were being accessed. To remedy this Starbucks rolled out an update to their iOS app and presumably their Android app. This may or may not have improved things for their website or for 3rd party apps running on other platforms. Most of their response appeared to have been PR and damage limitation rather than really beefing up security.
Recently I experienced one of these mysterious losses. While I was in Australia on business someone in Ontario Canada was apparently using my card. And thanks to the convenient auto-reload facility on my account the system kept merrily making more funds available to the thief.
As soon as I realized what was happening I checked the whereabouts of my card. Safe and sound where I thought it was. I changed the password on my account, cancelled the auto-reload and unlinked my credit card just to make sure. Then, a couple of days later when I got back to the US, I reached out to Starbucks to find out about getting my money back.
Sorry, they said initially. Can’t help. Talk to your credit card provider. So I persisted. Their phone support folks were friendly and helpful but beyond reporting the card (which I still have) stolen and replacing it there was nothing they could do. If the transactions had been online they could have reversed them, but as they had happened in a store there was nothing they could do. They couldn’t tell me if my card had been used via an app, a physical cloned mag strip card or even just someone quoting the number (I didn’t even know that was possible!). I appreciated the gesture of a $30 credit on my replacement card but that still left me around $120 out of pocket. And with a to-do item for me to talk to American Express to see if they can help (not sure why Starbucks would want the chargeback on top of a disgruntled customer)
Being curious by nature, I wondered how secure my Starbucks web account is. What I found didn’t exactly impress me.
The website makes no attempt to limit against brute force attacks. Want to guess a username/password combo … well, it looks like you can just keep typing away because it doesn’t appear to limit guesses, or even add a progressively longer timeout between attempts on an account to make this technique less effective.
If I change the password on the website, it doesn’t log the app out or force me to re-authenticate. So if someone has accessed my account then changing my password doesn’t guarantee that they’ve been locked out. I can only imagine that the third party apps that work by screen scraping the Starbucks site (as they don’t have an API) love the cookie that keeps them logged in.
There’s no two factor authentication (2FA) when a new device is logged in. The simplest is send an SMS with a code, but there are many techniques available to manage this today. Industry standard solutions certified by the FIDO Alliance would easily add an extra layer of protection. Applying some additional logic to force a check if an account is accessed in multiple places would also reduce risk (though two different cards on the same account might be used that way so there needs to be some intelligence).
When you add a new device to your Starbucks account there’s no confirmation - no SMS, no email, nothing. And no way via the Web UI to see what devices are attached to your account. So there’s no notification if someone has logged into your account on a different phone.
If I report a card as stolen and replace it with a new one… if they still have access to my account then the abuse can continue. The only way to cut a thief off appears to be cancel the account (losing any rewards) and start over. The cynic in me says Starbucks would love that.
While Starbucks suggest that users should use a complex password there are a couple of problems with this. The first is that they only enforce some simple rules (mixed case, one digit). The second, and more challenging, is that with their current security model you have to be able to type that password in on your mobile device.
In conclusion until Starbucks improve their security I won’t be re-linking a credit card or activating autopay. Sure, it’s going to be a pain to swipe my card and then have to pay - but that way I get my reward points and I’m not exposing any more of my $ to misappropriation. For Starbucks this has some downsides: I’ve got slightly less incentive to go there vs searching out interesting alternatives; when I do go through the line I’m less efficient to “process”; they take the small financial hits of dealing with a credit card fee for every swipe rather than just one every reload; and while tiny there’s the loss of the interest they’re earning on my stored balance.