Starbucks executives dismissed as “far-fetched” the possibility that customer data could be stolen from smartphones running its popular mobile-payment app, which stores logins and other sensitive data on the phone in clear text with no password or other security protections.
The Starbucks Card app (the most widely used mobile-payment app in the U.S., with an estimated 10 million users) displays a bar-code that baristas can scan to identify the customer and charge a purchase to their pre-paid Starbucks Card stored-value accounts. It also stores all the customer’s pertinent information on the phone itself, in clear text, with no additional security requirement, meaning anyone who steals a phone (or even grabs one left on a table while the owner is in line or in the restroom) can read the login data without entering a PIN, password, or any other form of authentication data, according to an Computerworld story Jan. 15.
The gaffe was discovered in mid-November 2013 by security researcher Daniel E. Wood, who tried repeatedly to notify Starbucks by phone about the problem. Each time he called over the course of two months, he was transferred to customer service, he told Computerworld. Frustrated at the lack of response, Wood posted his results Jan. 13 on a bug-tracking forum at Seclists.org. “There are multiple instances of the storage of clear-text credentials that can be recovered an leveraged for unauthorized usage of a user’s account on the malicious user’s own device or online at https://www.starbucks.com/account/signin,” he wrote.
The revelation may have surprised the 10 million or so Starbucks customers using the app on Android or iOS devices, but not to Starbucks executives, who appear to have left customer data exposed to make the app more convenient to use rather than due to a mistake or oversight. “We were aware” the data was stored in clear text, Starbucks Chief Digital Officer Adam Brotman told Computerworld in a telephone interview.
Brotman offered bland reassurances that “usernames and passwords are now safe” because the company had added security measures, but didn’t say what they were. Encrypting user logins on the phones themselves, requiring passwords to read them, or making them more difficult to find were apparently not among the added security measures, according to Wood, who downloaded the latest update of the iOS version of Starbucks app only to find the security unchanged.
It is possible that customer accounts could be compromised due to the lack of security, but the chance of a successful exploit is “very far fetched,” Starbucks spokesperson Linda Mills told CNN. Starbucks knows of no customers who have been damaged by the exposure, but any attack would be limited to funds in the customer’s Starbucks Card account, executives insist.
That would be true if people didn’t consistently use the same passwords for several accounts, according to Gartner analyst Avivah Litanj, who was quoted in Computerworld. About 20 percent of consumers using stored-value cards from retailers use the same passwords for those accounts that they use for their banks, vastly increasing the potential for abuse, she said.
The biggest problem may not be the bad decision to store login data in clear text on an insecure device, however. Starbucks has been more successful at promoting mobile payment systems than almost any other retailer in the U.S., according to Evan Schuman, the retail-technology analyst who touted Starbucks Jan. 14 for the way it marketed its mobile app, and slammed it Jan. 15 after learning about the password issue. The larger issue is that the owner of the most widely used mobile-payment app is so lax about security that it leaves passwords exposed on purpose, and brushes off the potential they might be abused as “far-fetched.”
It would be hard to exploit data stored on a phone because a thief would require at least 30 minutes of access to the phone to get it, according to Starbucks.
While it would more likely take a thief no more than five minutes to skim through a misplaced smartphone and take snapshots of the data screen using his or her own phone, if nothing else, it’s not at all unlikely that a thief would have unlimited time and access.
More than 40 percent of robberies in major cities involve the theft of a smartphone, according to the FCC. More than 1.6 million smartphones were stolen in the U.S. during 2012, according to a June report from Consumer Reports. The theft of iPhones and iPads alone accounts for 14 percent of all reported thefts in New York City, according to a May 2013 story in the New York Times that slammed phone-makers for not installing kill switches or other measures to make it more difficult for thieves to steal phones either for resale or to exploit the data on them.
The risk of identity theft involving mobile technology increased 350 percent between 2010 and 2012, according to the FCC, which cited the statistic while announcing a Smartphone Security Checker designed to help consumers avoid losing either phones or data. It recommends, among other things, that smartphone users secure personal data stored on a phone with passwords and encryption, and that they be aware of the types of information their apps store and the types of information they store. Neither the FCC nor any of the dozens of analyst reports sketching the size of the market for stolen smartphones and consumer data use the term “far-fetched” to describe the possibility that clear-text login data might be stolen or exploited after being stored, unsecured, on an easily stolen consumer device.