Credit card hackers looking for new ways to drain money from consumers' bank accounts and evade increased bank security measures have discovered a clever side door—the Starbucks mobile payment app and gift cards. Criminals are hijacking consumers' coffee accounts, draining the stored value of their cards, and then using Starbucks' auto-reload function to pull more money from consumers' associated debit and credit cards.
Maria Nistri, 48, said it happened to her last week. Early in the morning on May 6, criminals stole $34.77 in value that the Orlando, Fla., resident had loaded onto her Starbucks app by transferring it to a gift card they controlled. Immediately, her account was reloaded with $25 because her balance had hit zero. The criminals stole that, too. Then they upped the ante, changing her auto-reload amount to $75, and stealing the $75, all within seven minutes. Because an email had alerted her to a change in her account, she was able to see what was happening in real time, though unable to stop the transfers immediately.
"It was crazy. I was like, 'What in the world?'" Nistri said. "I was lucky I happened to check my email when I did. Otherwise, who knows how much they would have gotten?"
The scheme is part of a new fraud trend, said Gartner security analyst Avivah Litan: Credit card hackers are attacking third-party firms that create alternative payment systems, finding they are often easier to hack than financial institutions.
"Fraud is moving away from banks into big e-commerce companies," she said. "Criminals are learning how to turn rewards programs, points and prepaid cards into cash."
She pointed to underground forums where hackers swap and sell hotel and travel points for cash. Traditional bank and retailer fraud-fighting software typically detects unusual purchase patterns, such as an attempted purchase of jewelry in a foreign country. But unless the card hackers get greedy, auto-reload purchases at Starbucks don't trigger such warnings.