Coffee drinkers using the new Starbucks Reward Card iPhone app are vulnerable to a venti-size scam that could drain their wallets while a hacker’s cup is filled.
The app allows customers to pay for their order by scanning a bar code on their phone to the in-store register.
Convenient, yes.
Not according to Kelley Langford, vice president of sales and marketing at System Innovators.
Langford told Mobile Commerce Daily that a hacker can drain the Starbuck’s account of an unsuspecting victim in a scam that takes about 90 seconds to execute.
First, Langford said, you open the Starbucks app on someone’s iPhone (you must physically have the iPhone in hand — the scam will not work over a Wi-Fi network ). Then you click "Press to Pay," which reveals the bar code attached to the account.
After taking a quick screen grab of the bar code, you e-mail the photo to your own phone and delete it from the sent e-mails of the target phone, erasing any evidence. By the time the victim returns from the bathroom, you’re out the door and on the way to free coffee, while the sap you’ve stolen from sips away his sorrows.
Langford said the simple hack exposes an "embarrassing" hole in Starbucks’ security. All companies that accept these types of payments without any verification "need to think like thieves to thwart them," he said.
The website consumerist.com urged users of the Starbucks iPhone app to password-protect their phones and not let them out of their sight.
If you do leave your iPhone unattended, you’re leaving yourself open to several simple scams, including one in which a hacker can, in six minutes, circumvent your locked, password-protected device to access your iPhone passwords.