Researchers have discovered a security flaw in the new Starbucks Rewards Card iPhone app that could let someone else rack up a bunch of free coffees on your dime. All someone has to do is take a picture of your barcode and then they can use it to buy all the delicious black swill they want, draining your account to the last drop.
“If companies accept the representation of the card without verifying the device through some of the other contactless, RFID or other proximity methods,” Kelley Langford, vice president of sales and marketing at System Innovators, told Mobile Commerce Daily, “then they are naive and will be victimized.”
The hack depends on someone getting access to your phone, so just don’t let it out of your sight and you’ll probably be fine. You can also make sure to password-protect your iPhone and/or use the password protection feature on the Starbucks app. Unless of course someone hides a camera in the Starbucks near the point of purchase and uses it to capture customers’ barcodes…
In fact, I can picture the story now… “Russian Gangs use spycams to harvest Starbucks barcodes, resell on the black (coffee) market… a full Starbucks card goes for $1, they’re sold in bulk over secret online IRC chatrooms… Savvy criminals know to only slowly drain the accounts, buying a macchiato here, a Rice Krispie treat there… Lisa Tampanelli first began to suspect that she was a victim of Starbucks card theft after she checked her statement and saw charges for items she would never buy… ‘Chocolate Frappuccino blasts? Black and white cookies? I’m a strict no-drip cafe au lait girl.’”
We’ve reached out to Starbucks for comment.
How to compromise the Starbucks Rewards Card app in 90 seconds [Mobile Commerce Daily]