Once again, there is a battle between security and convenience. Unfortunately this time it affects anyone who enjoys the simplicity of buying a latté with their smartphone. Bob Sullivan, an investigative journalist, reported that Starbucks customers are being victimized by criminals who drain funds by leveraging the auto-reload capability of the mobile app. The theft starts with a username and password change outside of business hours, followed by a series of increasingly large account reloads – all within a matter of minutes. Criminals can steal hundreds of dollars before the victim realizes anything is wrong.
This was a relatively low-tech “hack”. It could have been avoided if the users had taken some care and followed good password management practices. So what do you do? For starters, let’s list the things you should never do:
- Don’t share your password with other people.
- As tempting as it may be, don’t use an easy password!
- Don’t reuse passwords! Don’t even reuse one with a single digit changed. If one gets compromised, they all get compromised.
So how do you improve your password vigilance?
- Use strong passwords. They should be lengthy strings containing upper and lower case letters, numbers, and special characters.
- Use a unique password for each of your accounts, since your username is often the same across sites, especially when it is your email address.
- Use two-factor authentication whenever the application offers it.
- Answer security questions with strong, password-like strings rather than real facts; this greatly reduces a criminal’s ability to guess the answers from details on your social profiles.
- Change passwords periodically. You never know whether your password has been compromised, so periodic changes eliminate this risk.
How do you keep track of all of these passwords? How do you come up with new random strings of characters? Use a password manager!
There is no shortage of password manager apps. There are good options for every platform (Windows, Mac, Linux, iOS, Android), in both free and paid versions.
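To make the advice above concrete, here is an added example (my own code, not from the original post, Starbucks, or any password manager vendor) showing what a password manager does under the hood: it draws new passwords from the operating system’s cryptographic random source, scores them by length and character set, and flags the reuse patterns the post warns about, including an identical password on two accounts and the “same password with a digit bumped” variant. The minimum length of 16, the four required character classes, and the sample vault of site/password pairs are my assumptions and constructed test data, not values from the article.

```python
import math
import secrets
import string
from itertools import combinations

# Full printable ASCII set a password manager would typically draw from (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password from the OS CSPRNG (secrets, not random),
    retrying until every character class the post asks for is present."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def meets_policy(pw: str, min_length: int = 16) -> bool:
    """Assumed policy: minimum length plus upper, lower, digit and symbol."""
    return (
        len(pw) >= min_length
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Only valid for generated passwords, not human-chosen ones."""
    return length * math.log2(alphabet_size)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character password tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_reuse(a: str, b: str):
    """Return 'identical', 'variant' (same core with trailing digits/symbols
    changed, or a single-character edit), or None if the pair is unrelated."""
    if a == b:
        return "identical"
    trailing = string.digits + string.punctuation
    core_a, core_b = a.rstrip(trailing), b.rstrip(trailing)
    if core_a and core_a.lower() == core_b.lower():
        return "variant"
    if edit_distance(a, b) <= 1:
        return "variant"
    return None


def find_reuse(vault: dict) -> list:
    """Audit a site -> password mapping and list every reused or near-reused pair."""
    findings = []
    for site_a, site_b in combinations(vault, 2):
        kind = classify_reuse(vault[site_a], vault[site_b])
        if kind:
            findings.append((site_a, site_b, kind))
    return findings


# Constructed sample vault illustrating the habits the post warns against.
SAMPLE_VAULT = {
    "email": "Latte2015!",
    "coffee-app": "Latte2016!",      # digit bumped: still the same password
    "bank": "Latte2015!",            # identical reuse on the most sensitive account
    "forum": "x7#Qp!mR2vL@9wZ",      # unique, generated
}

if __name__ == "__main__":
    for site_a, site_b, kind in find_reuse(SAMPLE_VAULT):
        print(f"{site_a} / {site_b}: {kind} reuse")
    fresh = generate_password(20)
    print(f"new password: {fresh} (~{entropy_bits(len(fresh)):.0f} bits)")
```

Running the audit on the sample vault reports three findings (email/coffee-app and coffee-app/bank as variants, email/bank as identical), which is exactly the situation the post describes: one leaked email password unlocks the payment app. The generator uses `secrets` rather than `random` because the latter is predictable and unsuitable for credentials.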
Who is surviving this attack unscathed?
- Users who have unique passwords for their e-mail and other online systems.
- Users who change their passwords on a relatively short schedule.
- Users who use two-factor authentication on their e-mail.
In the end, this was not really a Starbucks issue. It was a user issue. Follow the guidelines above and keep an eye out for unexpected e-mails about password resets. Don’t be the next victim. Your bank account will thank you.