There’s an emerging problem with the Starbucks app and stored-value cards that could drain the money out of your account or worse.
Starbucks hack impacts customers
One in 5 purchases at Starbucks is now made using the app. Because the chain tends to attract a higher-income customer, that has made the app a big fat target for criminals.
The latest breach is seeing criminals try one password after another after another until they can break in and empty accounts. It’s what’s known as a brute force attack in hacker terminology.
In the simplest scenario, the money is drained from your app or your stored-value card. But in a more malicious turn, if that app or card is tied to your checking account, that could be drained too!
Here’s a tip: Turn off automatic reload if it’s something you have set up. And never tie any app or stored-value program to a debit card. Tie it to a credit card only.
Starbucks is now saying that if you find money vanishing from your account, they will restore it.
More security measures could be coming
Starbucks has gotten a lot of heat for not locking you out after 3 wrong password attempts. Ditto for not having ‘two-factor authentication’ or ‘two-step authentication.’ But with all the scrutiny being thrown their way, I’m expecting they’ll get on board with these measures shortly.
Two-step authentication is where you have to go through an additional step to authenticate who you are when doing a transaction.
The most common type of second-layer authentication is something you may be familiar with from the banking world. It’s a security token (FSR token or fob that you carry with you) which you can get by calling your bank or brokerage firm. The security token generates a 6-digit code that changes every 30 seconds. So when you log in, you enter your username and password as usual and then also the latest six digits from your token.
Another way to have a second layer of authentication is to have a verbal password put onto your account. But note this well: When you call your bank or brokerage firm, they will *not* give you any prompt to remember your verbal password — so you’ve got to be sure you have it memorized.
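The two measures described above, a 6-digit token code that changes every 30 seconds and a lockout after 3 wrong attempts, can be sketched together as follows. This is an added example, not code from Starbucks or any bank; it assumes the token follows the open TOTP standard (RFC 6238 with HMAC-SHA1), which the article does not specify, and `LoginGuard`, `token_code` and `DEMO_SECRET` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime stated in the article
DIGITS = 6          # code length stated in the article
MAX_FAILURES = 3    # lockout threshold mentioned in the article
DEMO_SECRET = b"12345678901234567890"  # constructed sample: RFC 6238 test key


def token_code(secret: bytes, unix_time: int) -> str:
    """Code shown by the token during the 30-second window holding unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class LoginGuard:
    """Hypothetical server-side check: password + token code + lockout."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_window = -1  # last window in which a code was accepted

    def verify(self, password_ok: bool, code: str, unix_time: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"  # no further guesses are evaluated
        window = unix_time // STEP_SECONDS
        expected = token_code(self.secret, unix_time)
        fresh = window > self.last_window  # a code is accepted once only
        match = hmac.compare_digest(code.encode(), expected.encode())
        if password_ok and match and fresh:
            self.failures = 0
            self.last_window = window
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"


if __name__ == "__main__":
    guard = LoginGuard(DEMO_SECRET)
    print(guard.verify(True, token_code(DEMO_SECRET, 59), 59))  # valid login
    for _ in range(3):  # three wrong guesses trip the lockout
        print(guard.verify(False, "000000", 90))
```

Once the guard is locked, even the correct password and code are refused, which is what stops a password-guessing run from continuing; a real service would pair this with an unlock or reset path for the legitimate owner.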