Last month news broke about Starbucks’ loyalty cards having a security flaw. The flaw was discovered and exploited by Egor Homakov, a hacker who works for penetration testing, source code auditing, and vulnerability assessment firm Sakurity.
The loophole allowed Egor to duplicate funds on a Starbucks gift card, which he then managed to spend in a shop without being questioned or alerting the company to his activity.
The news made headlines around the world, both for the existence of the flaw in the first place and for Starbucks’ less-than-friendly response – with the coffee giant failing to thank him and instead discussing his actions in terms of “fraud” and “malicious actions”.
Although Starbucks’ PR-fail is superficially laughable, as a consumer it should also give you cause for concern.
How Widespread Is the Problem?
As criminals look for increasingly sneaky ways to grab data and get their hands on anything with value, loyalty cards and gift cards are in danger of becoming the latest proxy in the ongoing war.
Late last year, American Airlines and United Airlines both became victims of a similar hack, with more than 10,000 flyers seeing air miles stolen. Criminals used the victims’ miles to upgrade their own flights and book free holidays and, in cases where users had the same password for multiple sites, to access other services.
Starbucks itself has been targeted in the past. Aside from Egor Homakov’s “free coffee” hack, criminals have often been found to hijack consumers’ loyalty accounts, emptying the balance, and then using the auto-reload function to hack any associated debit and credit card details.
Gartner security analyst Avivah Litan says the whole scheme is part of a new trend. “Fraud is moving away from banks into big e-commerce companies,” she said. “Criminals are learning how to turn rewards programs, points, and prepaid cards into cash.”
Why Are They Vulnerable?
Companies such as Starbucks often have systems and security measures that are much easier to hack than those of banks, credit cards, and other financial institutions.
Litan uses the example of bank and retailer fraud-fighting software. Such software will typically detect unusual purchase patterns (such as big-ticket purchases in a foreign country), but auto-reloads of a gift card would trigger no such warnings.
For criminals, this is a potential gold mine. The Starbucks mobile payment system has more than 16 million users and processed in excess of $2 billion in mobile transactions last year alone.
Why Do Criminals Want Access to Reward Cards?
It’s easy to understand criminals’ attraction to cards that have an auto-reload function, or are directly associated with a debit or credit card. As with the Starbucks card, these can be easily exploited for financial gain – but what about reward points?
Criminals want access to reward cards for one main reason – consumer details.
Consumer details are actually more valuable to a criminal than your credit card details. While businesses that have been hacked always move quickly to reassure their customers that “no personal details were stolen”, in reality this offers false comfort.
If a hacker gets hold of your credit card details, they can use them to shop online and sell them to other criminals online – that’s about the extent of the damage. However, if a hacker has your name, address, date of birth, and other official information, they can commit online fraud and apply for credit cards, loans, mobile phone contracts, and even mortgages in your name. Ultimately, they can do anything that requires an ID verification.
Should You Be Worried?
The short answer to this question is “yes”. It’s why Starbucks’ tepid response to Egor Homakov was so concerning. They should care a lot more, and be a lot more vigilant in protecting customers.
Of course, the usual online security tips of making sure all your passwords are different, being careful what you access on public networks, and running effective anti-virus software all apply – but they won’t be enough to protect you.
It’s extremely difficult to control whether or not your personal information is stolen, and almost impossible to limit the damage if it is. People cannot change their names, addresses, and social security numbers as easily as cancelling a credit card.
Are Loyalty Cards Worth the Risks?
If you consider risk versus reward, there is an argument to suggest you should dump all your loyalty cards.
Loyalty schemes are hugely valuable to the companies that operate them. They reveal details about customers’ purchasing habits, help retain clients, create brand advocates, and reduce promotional and advertising costs.
On the other hand, there is an increasing amount of research that suggests that they are no longer such a good deal for consumers. At Costa Coffee in the UK, customers now need to buy 39 Americanos just to get the 195 points needed for a free coffee – in other words, they need to spend £76.05 (over $100) to save a mere £1.95 (just over $3).
This averages out at a saving of five pence per coffee. If you are a financially prudent consumer, the smartest thing would be to see if any other coffee shops in your vicinity sell coffee for less than £1.90.
The questions you ultimately need to ask yourself are these: “Are all my personal details, email addresses, and credit card numbers worth more than a five pence saving?”, and “Is it worth exposing myself to this growing area of cyber-crime and fraud (and handing over all my shopping preferences to corporate businesses) for such a small return?”
The answer should be no.
Do YOU Use Loyalty Cards?
What’s your experience with loyalty cards? Have you ever lost money through them? Perhaps you sit at the other end of the spectrum and have seen massive savings?