Menu
Starbucks still grappling with fraud in online accounts, gift cards

Starbucks still grappling with fraud in online accounts, gift cards

Fraudsters are taking advantage of auto top-up on some accounts to move balances to cards they control

An advertisement for a discounted Starbucks gift card

An advertisement for a discounted Starbucks gift card

Starbucks is still grappling with fraud involving its customers' online accounts and gift cards, with some victims seeing hundreds of dollars stolen.

Gift-card related fraud with Starbucks cards is not new, but recent victims were highlighted earlier this week in an article by journalist and author Bob Sullivan.

Starbucks officials could not be immediately reached for comment, although Sullivan wrote the company told him that customers would not be liable for charges and transfers they didn't make.

A comment thread started more than a year ago on Facebook has tales from many people who have been stung by scammers through their Starbucks accounts.

Those at risk are Starbucks customers who have linked either a payment card or PayPal to their online account, which can be used to send gift cards to others with a preloaded balance.

Fraudsters have been taking aim at Starbucks accounts for at least a couple of years. The card itself can be used to pay for items in a store, and the online account can be used to send someone an e-gift certificate by email. It's also a loyalty tool, with Starbucks offering free food and drink rewards and other discounts.

Like many online services, Starbucks requires a username and password to access it, which means cybercriminals who obtain those credentials can get in.

It appears that hackers have obtained large numbers of Starbucks account credentials, according to a forum post on the Evolution marketplace.

Evolution, which went offline for unknown reasons in March, was a website for illegal goods along the lines of the Silk Road drugs bazaar. A scan of archived posts showed a thriving marketplace for Starbucks cards.

Shortly before Evolution shut down, one vendor wrote that "we are in the process of sifting through thousands and thousands of possible logins for Starbucks with balance."

Since people often reuse login credentials on many different web services, hackers will try to see if the details unlock another service. That's especially dangerous for Starbucks accounts since customers can set their cards to auto top-up with funds from a payment card or PayPal. The cards can hold up to a $500 balance.

Once in control of an account, the scammers can then transfer the balance to another Starbucks card, which is sold at a discount. An advertisement on a well-known bitcoin forum from last September offered a $100 Starbucks gift card for $35 worth of the virtual currency.

There are a few ways Starbucks could strengthen security around its accounts. It could offer two-factor authentication, which requires entering a time-sensitive passcode along with login credentials. At one time, that security feature might have been overboard for a loyalty account at a coffee merchant, but perhaps that's not the case these days.

Starbucks could also stop balances from being sent from one card to another, although it would probably ultimately result in fewer sales for the company. Still, companies often have to make hard choices between security and convenience, and all of them set their own tolerance level for fraud.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags starbuckssecurity

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Show Comments