Starbucks' App Targeted

Criminals are hijacking consumers' coffee accounts, draining the stored value of their cards, and then using Starbucks' auto-reload function to hack consumers' associated debit and credit cards.

The scheme is part of a new fraud trend, said Gartner security analyst Avivah Litan: Credit card hackers are targeting third-party firms that create alternative payment systems and attacking them, finding they are often easier to hack than financial institutions.

"Fraud is moving away from banks into big e-commerce companies," she said. "Criminals are learning how to turn rewards programs, points and prepaid cards into cash."

Traditional bank and retailer fraud-fighting software typically detects unusual purchase patterns, but auto-reload purchases at Starbucks don't trigger such warnings.

The company said it processed more than $2 billion in mobile transactions last year, and that 16 percent of purchases are made with phones. The app is important to Starbucks because it reduces its interchange transaction fees while at the same time enhancing customer loyalty.

The company issued an additional statement on Wednesday, claiming that any reports that the mobile app itself has been hacked are "false."

This isn't the first time Starbucks users have been targeted. In 2013, a victim who had $1,700 drained from her bank account explained how the small increments involved in auto-reload allow the fraudulent transactions to go under the radar, even when they follow in rapid succession. 
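The pattern described above, small auto-reload charges in rapid succession that per-transaction checks miss, can be caught with a per-account sliding window. The following is an added example, not code from Starbucks or from the original article; the event format, account names, thresholds and function names are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events: (account id, ISO timestamp, reload amount in USD).
SAMPLE_RELOADS = [
    ("acct-A", "2024-01-01T09:00:00", 25.0),   # ordinary use, one reload a day
    ("acct-A", "2024-01-02T09:00:00", 25.0),
    ("acct-B", "2024-01-01T10:00:00", 25.0),   # many small reloads, minutes apart
    ("acct-B", "2024-01-01T10:02:00", 25.0),
    ("acct-B", "2024-01-01T10:04:00", 25.0),
    ("acct-B", "2024-01-01T10:06:00", 25.0),
    ("acct-B", "2024-01-01T10:08:00", 25.0),
    ("acct-C", "2024-01-01T11:00:00", 75.0),   # few reloads, high cumulative value
    ("acct-C", "2024-01-01T11:05:00", 75.0),
    ("acct-D", "2024-01-01T12:00:00", 25.0),   # same amounts, spread over hours
    ("acct-D", "2024-01-01T13:00:00", 25.0),
    ("acct-D", "2024-01-01T14:00:00", 25.0),
]

def per_transaction_alerts(events, limit=100.0):
    """Naive rule: alert only when a single reload exceeds the limit."""
    return {account for account, _, amount in events if amount > limit}

def flag_reload_bursts(events, window=timedelta(minutes=30),
                       max_count=3, max_total=100.0):
    """Return {account: (count, total)} at the first window breaching a limit.

    The window length and both limits are assumed values, not vendor settings.
    """
    recent = {}    # account -> deque of (time, amount) still inside the window
    flagged = {}
    for account, stamp, amount in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(stamp)
        queue = recent.setdefault(account, deque())
        queue.append((now, amount))
        # Evict reloads that have aged out of the sliding window.
        while now - queue[0][0] > window:
            queue.popleft()
        count, total = len(queue), sum(a for _, a in queue)
        if account not in flagged and (count > max_count or total > max_total):
            flagged[account] = (count, total)
    return flagged

if __name__ == "__main__":
    print("per-transaction rule:", per_transaction_alerts(SAMPLE_RELOADS))
    print("sliding-window rule: ", flag_reload_bursts(SAMPLE_RELOADS))
```

On the constructed data the per-transaction rule raises nothing, while the window rule flags the two accounts whose reloads cluster in time and leaves the accounts with widely spaced reloads alone.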

Such attacks are common at any large e-commerce site, and they work because many consumers unwisely use the same username and password across multiple sites. When hackers pilfer a large database of usernames and passwords from any site, they often run the list through other large sites, looking for "hits."

Starbucks recommends customers take precautionary steps, including using unique usernames, changing passwords frequently and monitoring account activity. Those who spot suspicious activity in their accounts should contact the company's customer service line immediately.

Consumers who link credit cards to third-party apps, like the Starbucks mobile payment app, would be wise to treat their accounts with as much care as their online banking accounts, since criminals have discovered a direct route from one to the other.