Starbucks card users beware: A scam has hackers using Starbucks loyalty cards and mobile payments to steal hundreds, and even thousands, of dollars from victims' credit cards in a scheme one consumer advocate calls "so ingenious they don’t even need to know the account number of the card they are hacking."
While it's unclear how much criminals have stolen so far, the problem is widespread and the potential for scammers is significant: Starbucks said it processed $2 billion in mobile payment transactions last year, according to reports.
The key to the Starbucks scam is the auto-reload function, which allows Starbucks gift card or mobile payment users to automatically reload their Starbucks card from a linked credit or debit card once the Starbucks card dips below $10.
As such, criminals are able to steal money from bank accounts – without knowing a consumer's account number, username, or password – by using Starbucks cards linked to those accounts.
In the case of one victim, who wrote about her experience in an article for the now-defunct blog Gigaom titled, "How scammers drained $1,700 from my bank account using Starbucks cards," scammers repeatedly transferred her automatically-reloaded Starbucks card balance onto a card of their own in $30 and $60 increments until they had depleted $1,700 from her account.
In a statement, Starbucks said, "We have safeguards in place to constantly monitor for fraudulent activity and work closely with financial institutions to make sure our customers are protected."
But consumer advocates like Bob Sullivan are suggesting Starbucks card users immediately disable the auto-reload function on their Starbucks cards and mobile payments.
The scam is representative of a recent shift in consumer hacking. Criminals have begun focusing less on banks and financial institutions, which now have more protections in place and are therefore harder to hack, and more on third-party retailers.
“Fraud is moving away from banks into big ecommerce companies,” Avivah Litan, a fraud analyst at consultancy Gartner, told Mr. Sullivan. “Criminals are learning how to turn rewards programs, points, and prepaid cards into cash.”
Cardholders can control their security, however. Consumer advocates are advising those who use merchant cards to use strong passwords, change passwords often, monitor their accounts closely, and turn off auto reload options on their accounts.
Meanwhile, Starbucks has assured consumers that it is aware of the problem, and that card users won't be on the hook for unauthorized charges.
"[C]ustomers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks," spokeswoman Maggie Jantzen said in a statement. "As soon as we were contacted by the customer of this activity, we worked quickly to resolve her concerns."