Password Lessons from Starbucks

By Jeremy Wheeler | May 15, 2015 | May 14th, 2021 | Cybersecurity

Once again, there is a battle between security and convenience. Unfortunately, this time it affects anyone who enjoys the simplicity of buying a latté with their smartphone. Bob Sullivan, an investigative journalist, reported that Starbucks customers are being victimized by criminals who transfer funds by leveraging the auto-reload capability of the mobile app. The theft starts with a username and password change outside of business hours, followed by a series of increasing account fund reloads, all within a matter of minutes. Criminals can steal hundreds of dollars before the victim realizes anything is wrong, by which point it is already too late.

This was a relatively low-tech “hack”. It could have been avoided if the users had taken some care and followed some good password management practices. So what do you do? For starters, let’s list the things that you should never do:

  • Don’t share your password with other people.
  • As tempting as it may be, don’t use an easy password!
  • Don’t reuse passwords!  Don’t even change them by a digit.  If one gets compromised, they all get compromised.

So how do you improve your password vigilance?

  • Use strong passwords. They should be lengthy strings with upper and lower case letters, numbers, and special characters.
  • Use unique passwords for each of your accounts, since your usernames are often the same, especially in the case of email addresses.
  • Use two-factor authentication whenever the application offers it.
  • Answer security questions with strong passwords, because this greatly decreases a criminal’s ability to guess answers with details from your social profiles.
  • Change passwords periodically. You never know if your password has been compromised, so periodic changes eliminate this risk.

How do you keep track of all of these passwords?  How do you come up with new random strings of characters?  Use a password manager!

There is no shortage of password manager app options. There are good options for all platforms (Windows, Mac, Linux, iOS, Android) in both free and paid versions.
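To make the guidelines above concrete, here is an added Python example that is not part of the original post and is not the code of any password manager. It generates a password with a cryptographically secure random source and guarantees every character class the post asks for, and it vets a proposed password against a small constructed vault so that exact reuse and the “changed by a digit” trick from the first list are both flagged. The account names and passwords in the vault are constructed sample data.

```python
from __future__ import annotations

import secrets
import string

# Character classes the post says a strong password should draw from.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one character from every
    class. The secrets module (not random) is used so the output is unpredictable."""
    if length < 4:
        raise ValueError("need at least one character per class")
    # Draw one character from each class first so every class is present ...
    chars = [secrets.choice(cls) for cls in (UPPER, LOWER, DIGITS, SPECIAL)]
    # ... then fill the rest from the full alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle driven by the CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def missing_classes(password: str) -> list[str]:
    """Name the character classes the password lacks (empty list means all present)."""
    checks = {"upper": UPPER, "lower": LOWER, "digit": DIGITS, "special": SPECIAL}
    return [name for name, cls in checks.items() if not any(c in cls for c in password)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reuse_problems(new_password: str, existing: dict[str, str], max_edits: int = 2) -> list[str]:
    """Return the accounts whose current password is identical to, or within
    max_edits single-character changes of, the proposed password."""
    return [acct for acct, pw in existing.items()
            if edit_distance(new_password, pw) <= max_edits]


def vet_password(new_password: str, existing: dict[str, str], min_length: int = 16) -> list[str]:
    """Collect every reason the post's guidelines would reject this password."""
    problems = []
    if len(new_password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for cls in missing_classes(new_password):
        problems.append(f"no {cls} character")
    for acct in reuse_problems(new_password, existing):
        problems.append(f"too similar to the password already used for {acct}")
    return problems


if __name__ == "__main__":
    # Constructed sample vault: hypothetical accounts with short, related passwords.
    vault = {"email": "Latte2015!", "coffee-app": "Latte2016!"}
    # A "new" password that only bumps the year is rejected as reuse.
    print(vet_password("Latte2017!", vault))
    fresh = generate_password(20)
    print(fresh, vet_password(fresh, vault))
```

The reuse check deliberately looks at edit distance rather than equality, because an attacker who has one leaked password will try the obvious one-digit variants first; a real password manager stores secrets encrypted at rest rather than in a plain dictionary, which this illustration omits.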

Who is surviving this attack unscathed?

  • Users who have unique passwords for their e-mail and other online systems.
  • Users who change their passwords on a relatively short schedule.
  • Users who use two-factor authentication on their e-mail.

In the end, this was not really a Starbucks issue. It was a user issue. Follow the guidelines above and keep an eye out for surprising e-mails about password resets. Don’t be the next victim. Your bank account will thank you.

Author Jeremy Wheeler

Jeremy is a self-motivated and engaging information technology solutions leader with 16+ years of extensive experience spanning government systems engineering, cloud architecture, big data analysis, HR systems management, network analysis, system administration, information/cyber security assessments, penetration testing, agile project management, custom application/database development, and technical business development/sales. He currently possesses the AWS solutions architect associate, sysops administrator associate, and developer associate certifications in addition is trained and certified with a SANS GPEN accreditation. Jeremy oversees Alpine's Cloud & IT Services division and is an energetic, team-focused professional who values fostering strong customer relationships to ensure client satisfaction with comprehensive, high quality and time-bound deliverables.
