Whenever news of a hacking event or data breach comes out, there’s always the logical question: what will a thief actually do with the information? Whether it’s just accessing your name or email address or actually infiltrating the files that contain more sensitive information like credit card numbers or Social Security numbers, the real threat is in how that information can be used.
Depending on who caused the attack and what information was gleaned, there are a lot of options. It might be a simple matter of selling batches of information on black market internet sites, or it could be opening accounts in the victims’ names. If SSNs were stolen, it could lead to tax refund or employment and benefits fraud. It really all depends on what the thieves were able to find out.
But a new issue has cropped up involving Starbucks’ gift cards and its mobile payment app, and this one is so twisted that it takes a map to keep track of the aftermath. Basically, many consumers who have these payment methods set up to auto-reload—meaning their credit cards are associated with the gift card or app via the Starbucks website, and their mobile accounts will automatically refill off that credit card once a pre-determined balance is reached—are finding their cards charged, drained, and reloaded over and over. One customer who spoke to industry watcher Bob Sullivan actually watched this process happen on her phone in real time, although Starbucks has formally stated that there’s no evidence that the mobile app for payment has been breached.
Since Starbucks gift cards are a common gift or promotional item, the Starbucks site also lets you combine different gift cards. If you’re carrying a card in your wallet with six dollars left on it and you receive a new card from your boss for employee appreciation day, you can combine the cards into one balance right there on the website. Since using your same registered gift card and refilling it gives you rewards points, many people choose to transfer the balance from a new gift card to the one that they have stored in the Starbucks computer… and it’s also the one they have set to auto-reload off their credit cards.
That’s where hackers step in. They simply log into your Starbucks account, change the email address associated with your account to one that they control, and then link all of your gift cards to a new one that they have possession of. Then when they drain your gift card balance and put it on their own cards, your credit card kicks in and adds money automatically without the thief ever having to know your credit card details. Then they simply repeat the cycle, as many times as they want, all in a matter of a few minutes.
What can the hacker do with a fully-loaded gift card? Use it himself or sell it on the black market. Gift card fraud has grown in recent years, and in some cases thieves simply use the gift card to purchase high-end items which they then sell online, pawn, or return for cash, depending on the store’s policies.
In order to protect yourself from this and other similar types of gift card fraud you must have strong, unique passwords on all of your online accounts; make sure your password is a long combination of letters, numbers, and symbols, and do not use the same password on multiple websites and accounts.