Stretching Starbucks Security to Share a Card

One man has shared his Starbucks prepaid card with the world, allowing anyone to spend and reload it using a feature of the card that was once called a security flaw.

Jonathan Stark, a mobile application consultant, even gave his card a Twitter account to broadcast its balance throughout the day. For every two people who download an image of his card to drain the account, one more person steps in to top off the balance.

To share his card, Stark made a screenshot of the Seattle coffee retailer's iPhone app, which displays a bar code that can be used at the point of sale to spend from a user's Starbucks prepaid account. Since the bar code does not change, a still image of it works just as well as the full-fledged app.

Some have called this a security flaw, since anyone who steals an image of the bar code can spend money without the account holder's permission. But the rest of Starbucks' payment system is solid enough to allow users to share their accounts without risk, Stark says.

"There's virtually no information" transmitted to the cardholder when someone reloads the card from a bank or credit card account, he says. "All I know, when someone loads the card, is it was loaded either in-store or online."

Because of the Payment Card Industry Data Security Standard, which prohibits the unnecessary storage of card details, Starbucks would not be able to display full card numbers to Stark. "They wouldn't be able to show that to me if they are PCI compliant," he says.

Though it would seem that people could misuse his account to cash out stolen credit cards by loading funds onto the account and moving them away, Stark says that method is impractical.

"This would be a terrible way to" launder money, "especially considering that you have to do it in person and you can't guarantee who's going to get the money," since the Twitter account tells the whole world about each reload, he says. "That would be a silly thing to do."

Starbucks agrees that Stark's experiment does not raise security issues.

"We think Jonathan's project is really interesting and are flattered he chose Starbucks for his social experiment," Gina Woods, director of executive communications for Starbucks, said in an email Monday. "We're curious to see how the project continues to evolve."

Other Starbucks card users should not be concerned, she says.

"No credit card information is stored on the Starbucks app, and we offer balance protection for registered customers," Woods wrote. "If their smartphone with Starbucks app or Starbucks card is lost or stolen, customers can report the loss and we'll freeze the remaining balance at the time it is reported, transfer it to a new Starbucks card, and mail a replacement card immediately."

Stark initially made a copy of his bar code for his personal use: He wanted to use the card from more than one phone, but Starbucks does not allow an account to be accessed from more than one mobile app. After discovering that he could make a payment from a screenshot, he posted the screenshot to the Web for others to try (his account had $30 in it).

"Much to my shock," Stark wrote on his blog last month, "my card balance went up without me doing anything. I panicked for a second because I thought someone had hacked the system and reloaded the card from my credit card. As it turns out … anyone can reload any card at starbucks.com/card as long as they have the card number."

After that shock, Stark wrote the script that pulls data from Starbucks' website and posts it to Twitter.

One does not even need the screenshot: the bar code can be generated from the card's account number. Stewart Gateley, a former Starbucks shift supervisor in Tigard, Ore., once developed a mobile app that could be used for payment, generating the bar code on its own. This app was offered for Android smartphones before Starbucks launched its own Android app.

Gartner Inc.'s Avivah Litan said that Stark's experiment seems to be secure.

"As long as the cardholder doesn't care … I don't think there's anything illegal," she says. And since there are records generated each time the card is used or reloaded, "it's actually even more secure than cash," she says.
