Starbucks breach shows that all accounts can be targets
If you’re useless in the morning without your venti, soy, caramel macchiato with no whip, we may have some bad news for you. Your favorite beverage may be sans whipped cream, but it could come with a serving of security vulnerability.
Last month, Bob Sullivan – a consumer reporter and author – exposed a data breach that impacted Starbucks drinkers. The attack specifically targeted Starbucks customers who use the company’s gift card and mobile payment systems.
How did these thieves get access to these customer accounts? According to Mr. Sullivan, “Hackers often manage to steal hordes of username and password combinations, the way they steal databases of credit card account numbers. Because consumers often re-use credentials, hackers take them and “brute force” thousands of potential logins at the website. Because Starbucks’ mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts.”
This is exactly the type of scenario that we discussed previously on Access Granted. End users have a tendency to re-use their passwords since it’s simply easier to remember one set of credentials for all of their online accounts. But this means that compromising one of their accounts could equal all of their accounts becoming compromised.
This is especially disastrous in the case of the Starbucks breach, since the potential to do immediate harm to the end user was so great.
Taking advantage of the “auto-load” feature that many Starbucks customers have enabled on their accounts, hackers would drain account balances onto a card that they controlled, and then watch as the money was replenished via the connection to a bank account or credit card. They would then keep taking the replenished balance for themselves – effectively creating an almost unlimited well of illicit coffee that they could either imbibe at their leisure or sell on the black market.
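The drain loop described above leaves a recognisable signature in a stored-value ledger: a transfer that moves out nearly the whole balance within minutes of each auto-reload, repeated on the same account, and often landing on the same destination card across several victims. The following detection logic is an added illustration, not code from the original post or from Starbucks; the ledger format, the sample rows and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real customer data). Each row is
# (timestamp, account, event, amount, destination_card or None).
LEDGER = [
    ("2015-05-10 08:00", "alice", "auto_reload", 25.00, None),
    ("2015-05-10 08:03", "alice", "transfer_out", 25.00, "card-9999"),
    ("2015-05-10 08:04", "alice", "auto_reload", 25.00, None),
    ("2015-05-10 08:06", "alice", "transfer_out", 25.00, "card-9999"),
    ("2015-05-10 09:15", "bob", "auto_reload", 20.00, None),
    ("2015-05-10 09:17", "bob", "transfer_out", 20.00, "card-9999"),
    ("2015-05-10 09:18", "bob", "auto_reload", 20.00, None),
    ("2015-05-10 09:20", "bob", "transfer_out", 20.00, "card-9999"),
    ("2015-05-10 12:00", "carol", "auto_reload", 15.00, None),
    ("2015-05-10 12:30", "carol", "purchase", 4.50, None),
    ("2015-05-11 07:45", "carol", "transfer_out", 10.00, "card-1234"),  # legitimate one-off gift
]

def parse(ledger):
    """Turn the string timestamps into datetimes so rows can be ordered and compared."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, ev, amt, dst)
            for ts, acct, ev, amt, dst in ledger]

def drain_cycles(ledger, window=timedelta(minutes=10), min_fraction=0.9):
    """Count reload -> transfer_out cycles per account where the transfer leaves
    within `window` of the reload and moves out at least `min_fraction` of it.
    Also record which victim accounts fed each destination card."""
    cycles = defaultdict(int)
    dest_victims = defaultdict(set)
    last_reload = {}  # account -> (reload time, reload amount) awaiting a transfer
    for ts, acct, ev, amt, dst in sorted(parse(ledger), key=lambda r: r[0]):
        if ev == "auto_reload":
            last_reload[acct] = (ts, amt)
        elif ev == "transfer_out" and acct in last_reload:
            rts, ramt = last_reload.pop(acct)
            if ts - rts <= window and amt >= min_fraction * ramt:
                cycles[acct] += 1
                dest_victims[dst].add(acct)
    return dict(cycles), {d: sorted(v) for d, v in dest_victims.items()}

def flag(ledger, min_cycles=2, min_victims=2):
    """Return accounts showing repeated drain cycles and destination cards
    that collect drained balances from several different accounts."""
    cycles, dest = drain_cycles(ledger)
    accounts = sorted(a for a, n in cycles.items() if n >= min_cycles)
    mule_cards = sorted(d for d, v in dest.items() if len(v) >= min_victims)
    return accounts, mule_cards

if __name__ == "__main__":
    print(flag(LEDGER))
```

Carol's slow, partial transfer the next day falls outside the window and fraction thresholds, so only the two accounts feeding card-9999 are flagged; in practice these thresholds would be tuned against the retailer's own reload and transfer baselines.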
All told, some Starbucks customers were out hundreds of dollars when the dust settled. And a new precedent was established – it’s not just financial services companies and government agencies that are targets for hackers anymore. Now, every system – including the loyalty and gift card systems run by retail companies – can fall victim to a breach.
Considering this increasingly pervasive cyber threat, I don’t envy companies like Starbucks when it comes to securing their networks. It can be daunting just thinking about securing the almost infinite number of POS systems and endpoints at the innumerable Starbucks retail locations. Add in the customer-facing Web presence, online retail, gift cards and mobile apps, and the complexity increases tremendously. And with that complexity comes more security vulnerabilities.
In a previous post, I discussed the game of “cybersecurity whack-a-mole” that many companies find themselves playing. As they identify one vulnerability – a single-factor customer login, for example – plug it and work to mitigate the damage, hackers are scouring their networks finding another. Exposure of the first breach costs the company customer loyalty and money to mitigate and fix. Subsequent breaches only exacerbate these costs.
This is further evidence why enterprises need to stop the cycle that is created by implementing spot multifactor authentication and security solutions at the site of each individual security breach. Instead, they need to think more holistically and implement security solutions across the enterprise that function to protect all systems. This will effectively end the game of “cybersecurity whack-a-mole,” protect customer and company data and save them money in the long run.
However, they do need to be sensitive to their customer needs as well. The reason why customers utilized the Starbucks gift card and mobile payment systems in the first place was because they were fast and simple to use. The “auto-load” functionality – which turned a bad breach into a nightmarish one – was popular because it was a more convenient way to refill customer cards.
Making these processes difficult simply to make them more secure will alienate customers and effectively eliminate the convenience that drove them to adopt them in the first place.
This is why enterprise-wide multifactor authentication solutions need to be strong, eliminate all attack vectors and be simple to use. By delivering strong security that doesn’t require too many additional steps for the customer, companies like Starbucks can better avoid breaches like this in the future, while ensuring customers still get the experience they crave – and that keeps them coming through the door.