"Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes," Sullivan wrote. "Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards."
Maria Nistri of Orlando, Florida was recently hit when criminals stole the $34.77 on her Starbucks Card, then another $25 when it was auto-reloaded into her account, then another $75 when the attackers increased her auto-reload amount -- all within seven minutes.
The issue is particularly significant, Sullivan noted, since Starbucks processed $2 billion in mobile payment transactions last year alone.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Gartner analyst Avivah Litan told Sullivan that cybercriminals are increasingly targeting e-commerce companies rather than banks, simply because they're easier to hack. "Criminals are learning how to turn rewards programs, points, and prepaid cards into cash," she said.
While it's not clear how the hackers are accessing Starbucks user names and passwords, Sullivan said they may be obtaining them through phishing attacks, or they may simply be checking passwords from other breaches against Starbucks accounts to look for reused credentials.
Brendan Rizzo, technical director at HP Security Voltage, said the attacks underscore the need for companies to protect all customer information they store. "Criminals are always looking for a way to exploit a system in a way that they can then turn into cold, hard cash," he said.
"In this case there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address," Rizzo added. "Criminals could then use this information or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks."
And it's not just about the threat to consumers -- Rizzo said companies should also be concerned about the impact attacks like these could have on their reputation and their bottom line.
"A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks," he said.