
How to compromise the Starbucks Rewards Card app in 90 seconds

According to the reader, the Starbucks application, which lets consumers pay for in-store purchases via their smartphones in 6,800 stores, lacks the simple protections that should be there. Additionally, the reader points out that in a rush to market and a desire to be first, companies are building massive assumptions into their mobile commerce initiatives.

Mobile Commerce Daily’s Rimma Kats interviewed Kelley Langford, vice president of sales and marketing at System Innovators, Jacksonville, FL. Here is what he said.

How is the rewards card not effective?
The card is affected. Except it is not my card. I digitally steal or compromise the card of the person across from me. I buy a drink on his card.

How are you able to compromise the card?
Before I [say] more about this, I want you to think of a magic trick you have seen.

Before the magician reveals the trick you are amazed, in awe. You wonder how he did it.

Then if you are lucky and the magician shows how it is done, you say to yourself “That’s it? It is that simple?”

But up until the reveal, you are genuinely impressed with what you saw and cannot wait to learn the secret.

People I have told are intrigued and I then take them to Starbucks. I buy a drink with their card and they are amazed.

Then, I tell them and it is painfully obvious and they feel like a fool. I say that because it is simple but effective. So here is the simple truth of how to do it.

1. I meet a friend at Starbucks and tell him we are going to do this theft to prove a point. My friend David has known me for 20-plus years and eagerly agrees to participate.

I tell him to do everything he normally does.

After about 30 minutes he excuses himself to the restroom. He innocently leaves his iPhone on the end table between us where our coffees and phones have been sitting as we talk.

2. I pick up his phone, open his Starbucks app. I press the “Press to Pay” button and see his bar code.

3. I press the two buttons on the iPhone to take a screen capture of his card.

4. I go to photos, find the card capture and select “Email Photo” and send it to myself.

5. I delete the photo from his phone.

6. I remove the email from his sent folder.

7. I open my phone and save the email photo.

8. In less than 90 seconds his phone is back on the table and a few minutes later he returns to the table. I go up and buy another drink and hand them my phone but with the photo of his card, not mine. They scan it and his account is debited $4.

So there you have the magician’s trick.

If companies accept the representation of the card without verifying the device through some of the other contactless, RFID or other proximity methods, then they are naive and will be victimized.

What do you think this will mean for the company and consumers?
Consumers think that if their cards are in their wallet they are safe.

If I physically steal your credit card from your wallet you know it, you know you have been compromised.

Now if you do what I have described, then you have a false sense of security. Your phone is in your pocket but the damage is done.

What is worse is that in the wrong hands your card image could spread worldwide in seconds versus the traditional trafficking of stolen credit card numbers.

Companies need to get smarter about their security, plain and simple. They need to think like thieves to thwart them.

Cops do it every day. Credit card companies are more reactive than proactive and they need to get smart about it.

Is there any advice that you can give Starbucks?
Starbucks is just an example but sure, they have an embarrassing story.

Why embarrassing? I will tell you.

In their mobile app Starbucks lets you track your rewards.

You can press the “MyRewards” button and see animation of tiny gold stars falling into your imaginary cup of rewards.

Starbucks also has a “Touch To Pay” option [as mentioned above].

When I touch that it automatically reveals my bar code ready to scan. So what is different about these two features? Security.

I must type in my username and password to see animation of stars falling into a cup, but I do not have to do anything to spend the $75 balance on my Starbucks card. It is hard for me to wrap my head around the fact that I must verify my identity to see stars fall into an imaginary cup, but I am not challenged to spend real money.
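The two weaknesses Langford describes above are that the pay screen shows a static card representation that any copy of the image can reproduce, and that nothing challenges the user before that representation is shown. The following Python sketch, added here as an illustration and not code from the article, from Starbucks or from any real payment app, contrasts a static barcode (the account number alone) with a short-lived, device-bound, single-use pay token of the kind the "verify the device" remark in the earlier answer points toward. The account, device identifiers and per-device secret are constructed sample values, and the scheme itself is an assumption for illustration: the real app's format is not on the page.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical account and device, not real values).
ACCOUNT_ID = "acct-0001"
DEVICE_ID = "phone-abc123"
# Per-device secret provisioned when the card is added to this phone (assumption).
DEVICE_SECRET = b"constructed-device-secret"
TOKEN_LIFETIME_S = 60  # how long a minted pay token stays valid (assumption)


def static_barcode(account_id: str) -> str:
    """Static card representation: the barcode carries only the account number,
    so a screenshot of it is indistinguishable from the phone showing it live."""
    return f"CARD:{account_id}"


def static_charge(barcode: str, known_accounts: set) -> bool:
    """Merchant side for the static scheme: the only check is that the account exists."""
    return barcode.removeprefix("CARD:") in known_accounts


def _tag(secret: bytes, payload: str) -> str:
    """Truncated HMAC-SHA256 over the token payload."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:16]


def mint_pay_token(account_id: str, device_id: str, secret: bytes, now: int) -> str:
    """App side: a token bound to this device that expires shortly after minting.
    It is assumed the app re-authenticates the user before calling this."""
    expires = now + TOKEN_LIFETIME_S
    payload = f"{account_id}|{device_id}|{expires}"
    return f"{payload}|{_tag(secret, payload)}"


class PayVerifier:
    """Merchant/issuer side: checks device binding, signature, freshness and replay."""

    def __init__(self, device_secrets: dict):
        self.device_secrets = device_secrets  # (account_id, device_id) -> secret
        self.seen = set()                     # tokens already spent

    def charge(self, token: str, now: int) -> tuple:
        try:
            account_id, device_id, expires_s, tag = token.split("|")
            expires = int(expires_s)
        except ValueError:
            return False, "malformed"
        secret = self.device_secrets.get((account_id, device_id))
        if secret is None:
            return False, "unknown device"
        payload = f"{account_id}|{device_id}|{expires}"
        if not hmac.compare_digest(_tag(secret, payload), tag):
            return False, "bad signature"
        if now > expires:
            return False, "expired"
        if token in self.seen:
            return False, "replayed"
        self.seen.add(token)
        return True, "ok"


def demo() -> dict:
    """Walk both schemes through the 'copied image, used later' scenario."""
    t0 = 1_700_000_000
    shot = static_barcode(ACCOUNT_ID)  # a copy of the static barcode
    verifier = PayVerifier({(ACCOUNT_ID, DEVICE_ID): DEVICE_SECRET})
    token = mint_pay_token(ACCOUNT_ID, DEVICE_ID, DEVICE_SECRET, t0)
    forged = mint_pay_token(ACCOUNT_ID, DEVICE_ID, b"wrong-secret", t0)
    return {
        "static_copy_accepted_minutes_later": static_charge(shot, {ACCOUNT_ID}),
        "token_fresh": verifier.charge(token, t0 + 5),
        "token_reused": verifier.charge(token, t0 + 10),
        "token_minutes_later": verifier.charge(token, t0 + 600),
        "token_wrong_secret": verifier.charge(forged, t0 + 5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The static path accepts the copied barcode at any later time, which is exactly the $4 charge in the story. The token path rejects a reuse, rejects the same token once its lifetime has passed, and rejects a token minted without the device secret. A copied token is still usable within its lifetime, so the expiry window should be short and, as the interviewee's rewards-versus-pay comparison argues, the app should require the same authentication before minting a pay token that it already requires to show the rewards screen.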

Final Take
Here is a demo of the Starbucks app.