Is Starbucks App's Security a Danger to Consumers?

Starbucks is reportedly storing mobile app users' passwords in a manner that makes them accessible to a hacker with access to a user's phone, creating potential security risks that could erode consumer confidence in mobile payments.

Mobile commerce is a large part of Starbucks brand; 11% of its U.S. and Canadian sales are made as mobile payments. Its app displays a bar code to be scanned at the point of sale to pay from a linked Starbucks Card prepaid account. The app can draw funds from a linked bank account to reload its balance.

Starbucks considers the vulnerability "theoretical," but has added safeguards to better protect customer data, Starbucks Chief Information Officer Curt Garner says in a written statement published Jan. 16. The vulnerability only applied to iPhones that are physical stolen and hacked, he says.

Security researcher Daniel Wood published a description of the vulnerability this week after his inquiries to Starbucks were repeatedly misrouted, according to a report from Computerworld.

"To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report," Garner said in the Jan. 16 statement. "Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection."

Starbucks is a rare success story in mobile payments. Many other mobile wallet providers have had mixed success in convincing merchants and consumers to change their payment habits; the team behind the original Starbucks Card app credits its performance to the unique perspective Starbucks has as a retailer instead of being a bank or technology company.

"Retailer and service provider apps have started to show promise that they might ignite mobile payments, many of which would rely on consumers having trust and confidence to store their payment credentials and other details with the retailers," says Zil Bareisis, a senior analyst at Celent's banking group. "These [security vulnerability] announcements are not really helping to shore up that trust."

Google, for example, had some prominent security issues with an earlier version of its Google Wallet app.  The company quickly fixed those bugs and has revised its approach to mobile payments on many occasions.

Storing passwords in clear text, as opposed to encrypting them, creates several risks if a fraudster is able to access that data. However, Starbucks account credentials would not provide unlimited access to a user's linked bank account.

"Luckily access to a Starbucks account will not reveal the underlying payment credentials," says Al Pascual, a senior analyst and security specialist at Javelin Strategy & Research, who says the real implication is the use of compromised credentials to reload cards and subsequently use them by installing a Starbucks app on the criminal's device or ordering a replacement plastic card, where the crook can "purchase gift cards or merchandise such as coffee makers for resale."

A users' credentials would allow a fraudster to use the Starbucks app's auto replenish function to access the victim's bank account and add money to the Starbucks account, though Starbucks told Computerworld that some of these actions would prompt an email alert to the victim. Fraudsters could also potentially view geolocation data that displays when and where the account's owner had accessed the Starbucks app.

Starbucks is familiar with the issues that arise when accounts are used by more than one person. In 2011, a consultant named Jonathan Stark published his Starbucks Card app's bar code online, allowing anyone to add funds to the account or spend funds at Starbucks stores. The end result was a "social" card that even had a linked Twitter account to update all users on the card's balance.

Starbucks at first encouraged Stark's activities as an experiment, but it soon shut down Stark's card out of fraud concerns.

There is also a risk that a Starbucks customer used the same password for other accounts. "This is not just putting Starbucks at risk, but if the consumers are using it in a corporate environment and passwords and emails are getting stolen, you are putting the user's company at risk as well," says Dave Jevans, the chairman and chief technology officer at Marble Security.

Beyond encryption, there are other measures that can protect users from unauthorized access or use of the mobile app without compromising user experience, Pascual says. Starbucks could request additional authentication for online reloads, for example.

"[Usernames and passwords] should not be transmitted in clear text…the user's ID could be replaced with a token, such as a serial number, or encrypted as a matter of best practice," Pascual says. "If implemented, these changes would not materially impact the app."

Retailers can also store user credentials in a remote server and generate dynamic account numbers for individual transactions. This approach is gaining prominence for corporate payments. In retail payments, this method would give the retailer the power to limit unauthorized use because transactions require a second authentication layer to access the remotely stored card, says David Disque, COO of CSI Enterprises, a payment company that sells virtual card technology.

"The actual card is never stored on the mobile device in this model, so once you do a transaction, the access to do more transactions from that phone is gone," Disque says.

The retailer could also place restrictions on the app that can limit uses beyond payments at a store, Disque says. "You can control how much people can load on the card, or when a user's session expires, you can deter certain behaviors the card."

Storing user credentials on an external server would not be more expensive, but it would post risks of its own, Jevans says. "There is a risk of a 'Target-style' breach in which you could lose everything," Jevans says.