While walking into school any given morning, one would be hard-pressed not to see at least a few Mercy girls clutching a Starbucks drink on their way to class. The green straw and insignia are as recognizable throughout the halls as Mercy’s namesake bun. However, recent controversy surrounding the security of the Starbucks card may have some students heading to Tim Hortons for their morning caffeine fix, or at least only paying with cash at Starbucks.
Consumer journalist Bob Sullivan released a report describing the recent increase in instances where hackers access people’s PayPal accounts, gift cards, credit cards, and, ultimately, bank accounts through their affiliated Starbucks cards. This comes just a year after Starbucks was criticized for its app’s vulnerability due to its storage of passwords as plain text. The increase reflects the current shift of cyber- thieves’ attentions away from large corporations and banks and toward e-commerce hotspots.
The Starbucks app and card rewards system represent a large portion of the company’s revenue— $2 billion in transactions involving Starbucks cards were reported last year and 16 percent of all purchases are done through the card, according to CNBC.com. It is easy to see why so many people choose to use the card over a credit card or cash. Points and rewards are earned by using the card, which can be loaded with money through a gift card or, more commonly, simply ‘linked’ to an individual’s credit card or PayPal and auto-filled from the user’s account. Therefore, any sort of weakness in security spells disaster, as seen in recent developments.
People across the United States have reported instances in which they observed their Starbucks card accounts being drained in real time until the remaining balance hit zero, only to watch the hackers refill the account and drain it yet again. Jean Obando of Sugar Land, Texas was alerted that he had given away a $50 Starbucks e-gift (unauthorized by himself) that was simply the hacker(s) transferring money from his account into their own, according to CNNmoney.com. Ten more ‘gifts’ were given within five minutes, until Obando had lost $500. Obando is not alone. Many people have complained about having had their accounts compromised, prompting Starbucks to release a statement assuring customers their system had not been hacked, and that customer data is still secure.
Junior Carmela Sleva typically purchases a drink with her Starbucks card several days a week.
“I’m so glad I don ‘t have a credit or debit card linked to my account,” said Sleva. “It does make me wonder, though, how great of security is on the app.”
Victims of the hacking share Sleva’s sentiments. Many wonder why it was so easy for the hackers to access accounts and take money. Others demand that Starbucks let users to enable two-step authentication, which would alert the cardholder anytime their account was logged into on another device.
As for remedies to the situation, Starbucks said it is still investigating individual claims. Simply turning your card’s auto-refill ‘off’ on your app is ineffective, since hackers can easily dip your account and turn it back on. The company’s best advice? Make a stronger password.