“Hacker” shows how to crack Starbucks mobile payments app

A Mobile Commerce Daily reader has shown the publication how the Starbucks coffee chain’s barcode-based mobile payments service can be hacked in just 90 seconds.

The low-tech exploit makes for amusing reading — and also throws up some important issues for mobile payments. The hack relies on the fact that consumers will often leave their phones on the table when, for instance, visiting the restroom. When they do that, the hacker needs just 90 seconds to capture the victim’s Starbucks Card barcode by simply taking a screenshot with the handset’s built-in screenshot function. Because the barcode does not change, they can then forward the image to their own handset and use this perfect reproduction of the victim’s card to make payments from their own phone. More worryingly, they can also email the image to as many other people as they like, who can then also charge their purchases to the victim’s prepaid account.

While NFC is not vulnerable to card cloning in the same way, the exploit does provide a timely reminder for those looking to bring NFC services to market. Anyone leaving their NFC phone on the table in a coffee shop — or at their desk, in the sixth form social room or any number of other places — could also have it picked up and used to make fraudulent purchases, at least for low value purchases that don’t require the entry of a PIN. Unlike the Starbucks hack, however, the fraudster wouldn’t be able to transfer the card to another phone in the same simple way.

The hacker, the VP of sales and marketing at a Florida-based POS solutions company, told Mobile Commerce Daily:

Consumers think that if their cards are in their wallet they are safe.

If I physically steal your credit card from your wallet you know it, you know you have been compromised.

Now if you do what I have described, then you have a false sense of security. Your phone is in your pocket but the damage is done.

What is worse is that in the wrong hands your card image could spread worldwide in seconds versus the traditional trafficking of stolen credit card numbers.

Companies need to get smarter about their security, plain and simple. They need to think like thieves to thwart them.

Cops do it everyday. Credit card companies are more reactive than proactive and they need to get smart about it.

Readers can find full details of how the hack is done on Mobile Commerce Daily’s website.


3 comments on this article

  1. My grandfather used to say, “A fool and his money are soon parted.”

    Essentially, the scenario you described is equivalent to leaving cash lying around. Both the phone and the Starbucks app have options for passwords and it sounds like this person didn’t set either. How is this a compromise in the app’s security if the user didn’t bother to take the basic steps provided by the app to prevent this exact thing from happening?

    1. Hi Michael.

      Very good points. I do think there is a difference between this situation and leaving cash on the table, though. You would be able to see that your cash was gone. But you wouldn’t know that your barcode had been copied.

      On the password front, I think this is going to be a major issue. Yes, we all know that we can and should set secure passwords for things. But consumers frequently don’t password protect their phones – it’s not something they are yet accustomed to doing.

      Will the industry be able to convince consumers to protect the contents of their mobile wallet as safely as they protect their PINs? Or will we need to integrate biometrics into NFC phones in order to give consumers real security? It’s going to be very interesting to see how this pans out…

  2. Hacking the Starbucks mobile payment application so easily really proves there’s plenty of work to be done in re-educating the consumer in the way they think about security, and in how m-payment providers are going to have to crack down on fraudulent activity.

    Today’s mobile phone is the equivalent of yesterday’s credit card and wallet. Yesterday, thieves wanted wallets immediately for the cash, and then more importantly for the credit cards. At that point in time, thieves also wanted mobile phones for the device only, to sell on. Today, thanks to m-banking and payments there’s a wealth of information in the mobile phone, which now makes it as valuable as the credit or debit card. In fact, more so, especially if the consumer uses the phone for mobile banking as well.

    M-banking and payments providers must take the time to educate their customers about the potential security dangers and what they must do to protect their identity and passwords. Also the devices and their applications need to have sufficient levels of authentication and authorisation built into them so people can’t simply photograph a bar code.

    If security isn’t resolved and guaranteed now, consumers will lose confidence and switch off, thus jeopardising what is a savvy technology that could rapidly reduce the volume of cash transactions in the retail market. For example, cash currently makes up two thirds of retail transactions by volume, whereas cash accounts for less than 3% of the money in use, so it makes economic sense to transfer people onto micropayment technology.

    Comment from Hemant Lamba, Banking and Capital Markets Practice, Infosys, and posted by Infosys Press Team
