Should You Dump Your Loyalty Cards After the Starbucks Hack?

Dan Price 09-06-2015

Last month news broke about Starbucks’ loyalty cards having a security flaw. The flaw was discovered and exploited by Egor Homakov, a hacker who works for penetration testing, source code auditing, and vulnerability assessment firm Sakurity.


The loophole allowed Egor to duplicate funds on a Starbucks gift card, which then he managed to spend in a shop without being questioned nor alerting the company to his activity.

The news made headlines around the world, both for the existence of the flaw in the first place, but also for Starbucks less-than-friendly response – with the coffee giant failing to thank him and instead discussing his actions in terms of “fraud” and “malicious actions”.

Although Starbucks’ PR-fail is superficially laughable, as a consumer it should also give you cause for concern.

How Widespread Is the Problem?

As criminals look for increasingly sneaky ways to grab data and get their hands on anything with value, loyalty cards and gift cards are in danger of becoming the latest proxy in the ongoing war.

Late last year, American Airlines and United Airlines both became victims of a similar hack – with more than 10,000 flyers seeing air miles stolen. Criminals used the victims’ miles to upgrade their own flights and book free holidays How to Save Money on Your Next Vacation Package We all need a proper vacation now and then. If a holiday is on your horizon, you consider booking a vacation package. Here are some options. Read More , and in the cases where users have the same password for multiple sites – access other services.


Starbucks themselves have been targeted in the past. Aside from Egor Homakov’s “free coffee” hack, criminals have often been found to hijack consumers’ loyalty accounts, emptying the balance, and then using the auto-reload function to hack any associated debit and credit cards details.

Gartner security analyst Avivah Litan says the whole scheme is part of a new trend. “Fraud is moving away from banks into big e-commerce companies,” she said. “Criminals are learning how to turn rewards programs, points, and prepaid cards into cash.”

Why Are They Vulnerable?

Companies such as Starbucks often have systems and security measures that are much easier to hack than those of banks, credit cards, and other financial institutions.

Litan uses the example of bank and retailer fraud-fighting software. Such software will typically detect unusual purchase patterns (such as big-ticket purchases in a foreign country), but auto-reloads of a gift card would trigger no such warnings.


For criminals, this is a potential gold mine. The Starbucks mobile payment system 7 Services For Taking Mobile Payment On Your Phone Tired of dropping off checks and cash at the bank? Good news - you don't have to. Read More has more than 16 million users and processed in excess of $2 billion in mobile transactions last year alone.

Why Do Criminals Want Access to Reward Cards?

It’s easy to understand criminals’ attraction to cards that have an auto-reload function, or are directly associated with a debit or credit card. As with the Starbucks card, these can be easily exploited for financial gain – but what about reward points?

Criminals want access to reward cards for one main reasons – consumer details.

Consumer details are actually more valuable to a criminal than your credit card details. While businesses that have been hacked always quickly move to reassure its customers that “no personal details were stolen”, in reality this is offering false comfort.


If a hacker gets hold of your credit card details, they can use them to shop online Automate Deals and Save Time Shopping Online Every Time! You don't need to spend hours researching prices, hunting down coupon codes, and signing up for emails you don't want in order to get good deals online. Read More and sell them to other criminals online – that’s about the extent of the damage. However, if a hacker has your name, address, date of birth, and other official information, they can commit online fraud Who Are The Scammers? Following The Money Stolen as Online Fraud Who are the people profiting from online fraud? Where is the money going? Look beyond the "Nigerian advance fee fraud" - you'd be surprised where the money really leads. Read More and apply for credit cards, loans, mobile phone contracts, and even mortgages in your name. Ultimately, they can do anything that requires an ID verification.

Should You Be Worried?

The short answer to this question is “yes”. It’s why Starbucks’ tepid response to Egor Homakov was so concerning. They should care a lot more, and be a lot more vigilant in protecting customers.

Of course, the usual online security tips The Paranoid Conspiracy-Theorist's Guide To Online Privacy & Security Can you stay anonymous online? With not too much and the use of easy to use web-based encryption, security and privacy tools, we believe you can. Let us show you how. Read More of making sure all your passwords are different, being careful what you access on public networks, and running effective anti-virus software all apply – but they won’t be enough to protect you.

It’s extremely difficult to either control whether or not your personal information is stolen, and almost impossible to limit the damage if it is. People cannot change their names, addresses, and social security numbers as easily as cancelling a credit card.


Are Loyalty Cards Worth the Risks?

If you consider risk versus reward, there is an argument to suggest you should dump all your loyalty cards.

Loyalty schemes are hugely valuable to the companies that operate them. They reveal details about customers’ purchasing habits, help retain clients, create brand advocates, and reduce promotional and advertising costs.

On the other hand, there is an increasing amount of research that suggests that they are no longer such a good deal for consumers. At Costa Coffee in the UK, customers now need to buy 39 Americanos just to get the 195 points needed for a free coffee – in other words, they need to spend £76.05 (over $100) to save a mere £1.95 (just over $3).

This averages at a five pence per coffee saving. If you are a financially prudent consumer, the smartest thing would be to see if any other coffee shops in your vicinity sell coffee for less than £1.90.

The questions you ultimately need to ask yourself are these: “Are all my personal details, emails addresses, and credit cards numbers worth more than a five pence saving?”, and “Is it worth exposing myself to this growing area of cyber-crime and fraud (and handing over all my shopping preferences to corporate businesses) for such a small return?”

The answer should be no.

Do YOU Use Loyalty Cards?

What’s your experience with loyalty cards? Have you ever lost money through them? Perhaps you sit at the other end of the spectrum and have seen massive savings?

We’d love to hear your thoughts. Leave us your comments and feedback in the box below.

Image Credits: Thief carrying a bag via Shutterstock

Related topics: Credit Card, Online Privacy.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Anonymous
    June 12, 2015 at 3:52 pm

    Of course, if you like the product and are going to deal with that retailer anyway. Then get their Loyalty Card ... but sign up with a one-time email address and a creative mailing address / phone. Who says that it's wrong ? They are giving you the discount because of your loyalty (repeated business); not because you want them to send you unrequested solicitations. That's what I did here to allow me to "register" to write comments on MakeUseOf

  2. Anonymous
    June 9, 2015 at 10:40 pm

    "If you are a financially prudent consumer, the smartest thing would be to see if any other coffee shops in your vicinity sell coffee for less than £1.90."
    NO. If you really are a "financially prudent consumer", the smartest thing would be to not buy coffee at Starbucks or other specialty coffee purveyors. Either limit yourself to places like Dunkin' Donuts or make your own coffee. This way there is no need to worry about your loyalty card being hacked and you don't waste money on over-priced coffee.