This week, the media has brought to light a major issue with the Starbucks application after a number of customers had their Starbucks Payment App accounts broken into and money stolen directly from their bank and PayPal accounts.
This hack underscores a major misconception about mobile security today: that the only threat on mobile is malware.
Not true. Cybercriminals are rational economic actors who look for the easiest way to make money. Your mobile device is often their target because it has turned into your digital wallet, with access to your bank accounts and many other forms of payment.
Thankfully, the world has the technology today to solve a lot of those issues.
In the case of the Starbucks app debacle, the Seattle company lets customers pay for purchases with its mobile app. The app spends money loaded onto a Starbucks gift card, but it also offers an auto-load option that tops the card up straight from your bank or PayPal account, which is what turns a compromised app account into a drain on a real one. Attackers likely used one of two very simple methods. In the first, attackers brute force passwords, using an automated tool to guess thousands or millions of them far faster than any human could type. Without a cap on failed attempts, every weak or reused password falls to such a tool eventually. Starbucks likely doesn't limit the number of times you can enter a passcode before it locks the account. I downloaded the app, made an account, and tried to enter a passcode incorrectly more than 10 times and nothing happened.
In the second, attackers phish the victim, tricking a person into entering their login and password on a fake form. Either way, once inside the account the attacker turns on the auto-load feature and gifts themselves Starbucks gift cards over and over, each reload pulling fresh money from the victim's bank or PayPal account.
So, what happens to that money? The attackers are most likely reselling the gift cards online at or below face value, eventually turning those Starbucks dollars into real dollars.
Thankfully, there are a couple of simple ways to deal with the Starbucks issue technologically. Starbucks, PayPal, and other financial entities appear to be reimbursing victims, which is a good start. What could have made a huge difference, however, is two changes on the application side. First, two-factor authentication for sensitive changes: requiring a separate, one-time code from the customer's phone or authenticator before auto-load is turned on, a payment source is changed, or a gift card is sent. A phished password alone would then not be enough, and the prompt itself would tip the customer off that someone is in their account. Second, if they have not already done it, limiting incorrect password attempts: after a handful of failures the account (and the address the attempts come from) should be throttled or temporarily locked, with the delay growing on each further failure, to stop brute forcing. A temporary lock is preferable to a permanent one, because with a permanent lock an attacker can shut a customer out of their own account simply by guessing wrong enough times. Notifying the customer of any change to payment settings closes the loop.
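To make those two recommendations concrete, here is an added example (written for this article, not Starbucks' code) showing both pieces in Python: a login throttle that counts consecutive failures per account and per source IP and locks with a doubling delay rather than forever, and a step-up check that refuses to turn on auto-load without a fresh one-time code from a second factor. The account name, the 203.0.113.7 address, the password, the five-attempt limit and the 30-second base delay are constructed for illustration; the one-time-code routine is RFC 4226 HOTP, and the lockout policy is my assumption, not Starbucks' actual logic.

```python
# Added example (not Starbucks' code): login throttling per account and per IP,
# plus a second-factor step-up before auto-load can be switched on. Limits,
# names, the IP address and the secret are constructed; the code routine is
# RFC 4226 HOTP and the lockout policy is an assumption.
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 100_000  # assumed cost; tune to your latency budget

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code, as an authenticator app or token would show it."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"

class FakeClock:
    """Deterministic clock so the demo never has to sleep."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def advance(self, seconds): self.t += seconds

class LoginThrottle:
    """Counts consecutive failures per account and per source IP. After
    max_failures the key is locked for a doubling delay (30s, 60s, ...), capped
    at max_delay, so guessing stalls but nobody can lock a victim out for good."""
    def __init__(self, max_failures=5, base_delay=30.0, max_delay=3600.0, clock=time.monotonic):
        self.max_failures, self.base_delay, self.max_delay = max_failures, base_delay, max_delay
        self.clock = clock
        self.failures, self.locked_until = defaultdict(int), defaultdict(float)

    @staticmethod
    def _keys(username, ip):
        return (f"acct:{username.lower()}", f"ip:{ip}")

    def retry_after(self, username, ip) -> float:
        """Seconds until this account/IP may try again; 0.0 when not locked."""
        now = self.clock()
        return max(0.0, *(self.locked_until[k] - now for k in self._keys(username, ip)))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            self.failures[k] += 1
            excess = self.failures[k] - self.max_failures
            if excess >= 0:
                self.locked_until[k] = now + min(self.base_delay * 2 ** excess, self.max_delay)

    def record_success(self, username, ip):
        for k in self._keys(username, ip):
            self.failures.pop(k, None)
            self.locked_until.pop(k, None)

class Account:
    def __init__(self, username, password, otp_secret: bytes):
        self.username, self.otp_secret = username, otp_secret
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp_counter = 0      # next expected HOTP counter
        self.auto_reload = False
        self.events = []          # what the customer gets notified about

DUMMY_SALT = secrets.token_bytes(16)  # equal work for unknown usernames

def login(accounts, throttle, username, password, ip) -> str:
    """Returns 'locked', 'bad_credentials' or 'ok'; the throttle is checked first."""
    if throttle.retry_after(username, ip) > 0:
        return "locked"
    acct = accounts.get(username.lower())
    candidate = hash_password(password, acct.salt if acct else DUMMY_SALT)
    if acct is not None and hmac.compare_digest(candidate, acct.pw_hash):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad_credentials"

def enable_auto_reload(acct: Account, otp_code: str, window: int = 3) -> bool:
    """Step-up check: the change an attacker needs requires a fresh code from the
    second factor, codes are single-use, and the customer is told either way."""
    for c in range(acct.otp_counter, acct.otp_counter + window):
        if hmac.compare_digest(hotp(acct.otp_secret, c), otp_code):
            acct.otp_counter, acct.auto_reload = c + 1, True
            acct.events.append("auto-load enabled")
            return True
    acct.events.append("auto-load change rejected: bad second-factor code")
    return False

if __name__ == "__main__":
    clock, secret = FakeClock(), b"12345678901234567890"
    throttle = LoginThrottle(clock=clock.now)
    accounts = {"alice": Account("alice", "correct horse battery staple", secret)}
    print([login(accounts, throttle, "alice", f"pw{i}", "203.0.113.7") for i in range(8)])
    clock.advance(31)
    print(login(accounts, throttle, "alice", "correct horse battery staple", "203.0.113.7"))
    print(enable_auto_reload(accounts["alice"], "000000"), enable_auto_reload(accounts["alice"], hotp(secret, 0)))
```

Running the file shows the guessing loop getting five evaluations before every further attempt comes back "locked", the legitimate login succeeding once the 30-second lock has expired, and a wrong code being refused while the correct code enables auto-load exactly once. In a real deployment the counters belong in a shared store such as Redis so the limit holds across app servers, and the lock should be announced to the customer, not only to whoever is guessing.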
On the whole, the world needs businesses to start taking mobile seriously as a vector for attack. We are tied to mobile devices, and as technology develops, we are trusting them ever more with our money, access to our homes through digital locks and thermostats, our photos, our social lives, and more. If we do this right, we can make mobile devices far more secure than the PC collecting dust on your desk.
Kevin Mahaffey is an entrepreneur and technologist with a background in security, wireless, and web applications. He is CTO and cofounder of Lookout. Kevin is a frequent speaker on security, mobile and other topics, and has recently spoken at Black Hat Technical Security Conference, DEFCON, Yahoo Security Week, and Microsoft’s Bluehat Security Conference.