Hackers target Starbucks mobile users, steal from linked credit cards without knowing account number

https://bobsullivan.net/cybercrime/identity-theft/exclusive-hackers-target-starbucks-mobile-users-steal-from-linked-credit-cards-without-knowing-account-number/

by Bob Sullivan on May 11, 2015

Credit card hackers are targeting Starbucks gift card and mobile payment users around the country – and stealing from consumers’ credit cards — with a new scam so ingenious they don’t even need to know the account number of the card they are hacking.

Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.

Maria Nistri, 48, was a victim this week. Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.

“I don’t know why Starbucks would recommend people do auto-reload when this crime is so easy,” she said.

•••••