Hackers Guzzle Your Money via Starbucks Mobile App

Starbucks devotees, prepare for a jolt beyond what’s provided in those morning cappuccinos: Hackers are draining financial accounts of customers who use a Starbucks gift card or mobile app to pay for coffee.

The (no latte pun intended) skinny on this scam: Thieves hack victims’ online Starbucks accounts, via the users’ weak and/or overused passwords or credential-stealing malware, to access linked payment accounts – credit and debit cards, PayPal and bank accounts. This allows them to add a new gift card, then transfer funds from it to their pockets.

The key to this scam is the auto-reload function, which allows gift card or mobile payment users to automatically reload their Starbucks card once it dips below $10.

“Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes,” explains consumer protection journalist Bob Sullivan, who broke news of this scam. “Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.”

In addition to the cases he outlines, a Texas man says that 10 reload charges were made in just five minutes. The total tab: $550 – and none were flagged by Starbucks. When he called the company, CNNMoney reports, he was told to dispute the charges with his bank.

“Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card,” Sullivan says. “Starbucks allows consumers to transfer balances from one gift card to another, or to combine balances from multiple cards onto a single card. A criminal who controls a Starbucks card can move a balance from a victim’s card to a card they control. The hackers’ cards — or the electronic codes behind them — can then be sold on the black market for cash.”

Starbucks has confirmed that there’s a flaw that allows crooks access to rewards accounts, from which they can start stealing money. Last year, $2 billion in mobile payment transactions were processed, and 1 in 6 transactions are conducted with the Starbucks app.

Sound like how you start your mornings? Then consider these steps:

* Don’t use the Starbucks app until there are future security assurances.

* If you use the app, don’t use auto-reload.

* If either is too tough – or just because it’s smart – use unique and strong passwords on your Starbucks account.

For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and gain access to a network of experts, law enforcement and people in your community who will keep you up to date on the latest scams in your area.
