I’ll have a little hack with that latte

It’s become so easy to use our phones to pay for goods, especially on the go.  While many of us use our debit/credit cards, loaded into an app, to pay for an item from our phone, the proliferation of third-party apps that allow us to do this has made it even easier. Unfortunately, many of us don’t realize that there’s a double-edged sword to using those third-party apps . . . they can be hacked.

The latest victim in the never-ending fight to keep our data secure is the Starbucks app, which allows us to pay from our smartphone, whether it’s an Android or iPhone device.  As Bob Sullivan’s article (he has his own “Red Tape Chronicles” site) on NBCNews.com describes, hackers have found a way into the Starbucks app through the auto-reload feature of the app (and its associated gift card) to drain the Starbucks account, automatically reload the account against the registered gift card, and then drain that as well.

But what’s more insidious about this hack is that auto-reload tops up the Starbucks card (app) from a linked debit or credit card. So the perpetrators are stealing from the debit or credit card you used to auto-reload your Starbucks card (app). It’s so convenient to auto-reload from that stored card, you just don’t think about it.

Starbucks likes the app because it reduces credit/debit card interchange transaction fees and improves customer loyalty. And admittedly, although this hack has occurred, it’s not widespread. In addition, Starbucks states that:

“We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers,” said spokeswoman Maggie Jantzen. “Our customers’ security is incredibly important to us and we take all these concerns seriously. … Customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks.”

Still, how can you protect yourself against this hack?  There are several things you can do:

  • Use good old cash to buy your coffee.
  • Use your credit card (although, as pointed out above, Starbucks doesn’t prefer that you use this method).
  • Use your Starbucks card/app, but limit the amount of money you have in it at any given time, AND, most importantly, do not enable the auto-reload feature AND do not tie it to any given credit or debit card. In other words, DON’T SAVE YOUR CC/DC IN THE STARBUCKS APP. You want to reload some $$ into it? Fine, do it with a small amount of money (maybe $5 or $10) and DON’T save that CC/DC. It may be annoying, but just manually enter it each time.
  • Or, better yet, brew it at home and take it with you, or brew it in your office (if it’s allowed).