Starbucks-goers who have their cards set on auto-reload might want to rethink the minor convenience: According to journalist Bob Sullivan and several folks who’ve posted stories to Reddit, hackers who get a username and password can basically steal ad infinitum until the customer or a credit-card company stops them. Their trick is to transfer the balance to a card they hold, wait for it to auto-reload, then repeat over and over. (Some nefarious users have even upped the auto-reload amount.)
Sullivan talked to one customer who lost $134.77 through three transfers in seven minutes. “In effect,” Sullivan explains, “the hackers stole from her credit card, through her gift card loaded onto her Starbucks app, without having to touch her phone or even know what her credit card number was.”
Starbucks won’t discuss specific accounts, but a rep told Sullivan the company takes these concerns seriously and of course has “safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers.”
The rep added that anyone affected won’t be responsible for the charges, so it’s possible the attacks are just an annoyance, but then again, maybe not: Last year, a security researcher revealed major security flaws in the Starbucks app and predicted this exact thing could happen if said flaws weren’t fixed. Starbucks said it fixed them in an iOS update but has pushed mobile payments harder than ever on the app, which did about $300 million in sales last year and is the most used of its kind. Hopefully, the company will go give those safeguards another pass, because that app just keeps looking more inviting to hackers.