Starbucks Card Exploit

Started by deanwebb, May 14, 2015, 09:16:18 AM


deanwebb

SPOILER ALERT: Crappy passwords on a card tied to a bank account or big-balance credit card result in tears for Starbucks customers with said crappy passwords on their auto-refill cards.

http://www.scmagazine.com/starbucks-customers-report-fraudulent-activity-on-accounts/article/414585/
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

I saw this on the news this morning. It isn't even that they have crappy passwords, but that they reuse passwords. I would love to know where the passwords are coming from, and I bet it is from a known password compromise on a site not related to Starbucks at all.

-Otanx

deanwebb

If they scraped a wordpress site or some other forum, there's a pretty good chance there's a reused password or two in there.

mmcgurty

I saw this last night and I am a big Starbucks card user and app user on my iPhone. Does anyone know if this app is using SSL? If not, I wonder if they are sniffing the wifi and getting the passwords when someone adds funds via the app, since everyone logs in automatically with their phone once in range of the wifi.

deanwebb

It's storing passwords in plain text. That does not smell very SSL to me. Thieves get the password, then have access to the account, including being able to turn on auto-reload and to raise the auto-reload amount. There is no two-factor authentication, nor is there any question raised if your account is accessed from a new device. One guy had $550 taken from his PayPal account in a matter of fractions of seconds. He couldn't react fast enough to shut things down.

Starbucks can honestly claim that they were not hacked. Technically, it was poor user security on their app that was hacked, so none of *Starbucks'* internals were exposed. Of course, I HATE the word "technically", as it's a refuge for someone that should have known better.

I envision the high-level discussions at Starbucks that led to this:

"We need a MOBILE solution!"
"What's the mobile problem?"
"I don't know, but we need a SOLUTION! And it has to SCALE! And to be NEXT-GEN!"
"Internet of Things?"
"Yes, that, too. It needs lots of Internet, and things."
"Right, I'll get dev to whip something together. I'm sure the art department already has some mock-ups we can use."

And then, in dev...

"You know, this would all work a lot more smoothly for the customer if we didn't have the annoyance of two-factor authentication."
"OK, lose two-factor."
"And do we really need to set up a PKI environment in *every* store on the public wifi just so we can have SSL?"
"You're right. Lose the SSL."
"Great! This app is gonna have screamin' performance!"

My advice would be to uninstall the app, cancel the card, and go back to normal POS cash transactions or use a credit card you can dispute charges on.

icecream-guy

Quote from: deanwebb on May 15, 2015, 10:38:26 AM

And then, in dev...

"You know, this would all work a lot more smoothly for the customer if we didn't have the annoyance of two-factor authentication."
"OK, lose two-factor."
"And do we really need to set up a PKI environment in *every* store on the public wifi just so we can have SSL?"
"You're right. Lose the SSL."
"Great! This app is gonna have screamin' performance!"


I think more like:

DEV GUY:  Have a look at this web app concept, works pretty well, eh?

MGR GUY:  Great!  Roll it out so our customers can start using it.

My Moral Fibers have been cut.

deanwebb

True... I wanted to fantasize about them at least *considering* security for a moment there...

Otanx

Quote from: deanwebb on May 15, 2015, 10:38:26 AM
It's storing passwords in plain text.

Where did you see this? If it is doing that I would expect Starbucks to be in big trouble. I still think it is a re-use of passwords issue. Someone is getting a list of username/passwords from another breach (like you said a Wordpress issue maybe), and just trying them against the Starbucks website.

-Otanx

deanwebb

Here we go... from https://bobsullivan.net/cybercrime/identity-theft/exclusive-hackers-target-starbucks-mobile-users-steal-from-linked-credit-cards-without-knowing-account-number/

Quote
Because Starbucks isn't answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer's stored value, and attack their linked credit card.

Hackers often manage to steal hordes of username and password combinations, the way they steal databases of credit card account numbers. Because consumers often re-use credentials, hackers take them and "brute force" thousands of potential logins at the website. Because Starbucks' mobile payment app is so popular, any large set of stolen credentials is bound to have at least a few combinations that unlock Starbucks accounts.

Criminals could also be stealing credentials in other ways — through phishing emails, or keylogging programs.

So, since people don't generally have a throwaway username/password for sites with no economic connection and usernames/passwords specific to each financially-enabled site they use, if you get someone's password for etsy, you get their password for the entire world.

But because there's no two-factor authentication with the Starbucks card, all you need is that username and password to get essentially a backdoor to a bank account. The rest of the article above goes into more details, but basically, it's a nice explanation of how gift cards and pre-loaded cards are going to get hit a lot more.
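The credential-stuffing pattern the quoted article describes (a stolen username/password list replayed against the site, a handful of hits, then the account's linked funding source drained) leaves a signature in authentication logs: one source trying many different usernames, mostly failing, plus a successful login from a device the victim has never used. The following is an added example, not code from the thread or from Starbucks; the log format, the field names, the sample events and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing and new-device detection over constructed login events.

Added example for this thread; not from any Starbucks system. The log line
format (timestamp, ip=, user=, result=, device=), the sample data and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 walks a leaked credential list and gets
# one hit (dave); 198.51.100.7 is dave's own phone with a fat-fingered password.
SAMPLE_LOG = """\
2015-05-14T09:00:01 ip=203.0.113.5 user=alice result=FAIL device=d1
2015-05-14T09:00:02 ip=203.0.113.5 user=bob result=FAIL device=d1
2015-05-14T09:00:03 ip=203.0.113.5 user=carol result=FAIL device=d1
2015-05-14T09:00:04 ip=203.0.113.5 user=dave result=SUCCESS device=d1
2015-05-14T09:00:05 ip=203.0.113.5 user=erin result=FAIL device=d1
2015-05-14T09:00:06 ip=203.0.113.5 user=frank result=FAIL device=d1
2015-05-14T09:01:00 ip=198.51.100.7 user=dave result=SUCCESS device=phone-dave
2015-05-14T09:02:00 ip=198.51.100.7 user=dave result=FAIL device=phone-dave
2015-05-14T09:02:30 ip=198.51.100.7 user=dave result=SUCCESS device=phone-dave
"""


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.6):
    """Flag source IPs that try many distinct usernames, mostly failing, inside a window.

    Returns {ip: {"users": n, "fail_rate": r, "compromised": [users that succeeded]}}.
    A single user failing repeatedly from one IP is a forgotten password, not
    stuffing, so the distinct-user count is the primary signal.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                flagged[ip] = {
                    "users": len(users),
                    "fail_rate": fails / len(win),
                    # Accounts whose credentials worked: these need a forced
                    # password reset, not just a blocked IP.
                    "compromised": sorted(e["user"] for e in win if e["result"] == "SUCCESS"),
                }
                break
    return flagged


def new_device_logins(events, known_devices):
    """Successful logins from a device the user has never used before.

    known_devices maps user -> set of device ids seen on earlier, trusted
    sessions (an assumption; a real system would persist this). This is the
    check that should trigger a step-up challenge before auto-reload settings
    can be changed.
    """
    hits = []
    for e in events:
        if e["result"] == "SUCCESS" and e["device"] not in known_devices.get(e["user"], set()):
            hits.append((e["user"], e["device"], e["ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_stuffing(evs))
    print(new_device_logins(evs, {"dave": {"phone-dave"}}))
```

Run stand-alone it flags 203.0.113.5 (five distinct usernames, 80% failures, dave compromised) and reports dave's login from the unknown device d1, while dave's own failed attempt from his phone is left alone. Thresholds are deliberately low to make the tiny sample trigger; in production they would be tuned against real traffic, and the new-device hit would gate a second factor rather than just a log line.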

Dieselboy

We don't have Starbucks in this part of Australia. Why do you need an app to buy coffee? What does it do?

deanwebb

Quote from: Dieselboy on May 16, 2015, 11:11:40 PM
We don't have Starbucks in this part of Australia. Why do you need an app to buy coffee? What does it do?
It's more convenient.

I usually equate more convenient with "absolute deathtrap" and then do things the hard way, like use a major credit card with fraud protection.

hizzo3

So I recently got one of those newfangled chipped credit cards (bank is upgrading). So far, about 30% of the places I shop have even purchased the technology... Of those, only at one store did it even work. Sadly I can't remember which store it worked at. On the other hand, Target has the chip card readers... But they aren't set up.

Otanx

And even if they are set up it offers little to no protection because it is not mandatory to use chip and pin. Even if it works at the store, and your card has it you can still swipe the mag stripe, and it will work. Of course we need to start somewhere, and maybe some day we will be able to turn off the mag stripe. You know just like floppy disks. Everyone done patching VENOM?

-Otanx

wintermute000

Here in Oz the contactless tap-and-pay stuff is everywhere. It's now more common to have it than not. Everyone uses it without thinking. Now that I start thinking, it's a bit scary (even with a 100 dollar limit).

Dieselboy

Quote from: wintermute000 on May 23, 2015, 09:52:12 PM
Here in Oz the contactless tap-and-pay stuff is everywhere. It's now more common to have it than not. Everyone uses it without thinking. Now that I start thinking, it's a bit scary (even with a 100 dollar limit).

Our banks protect us though; it's this way in England also. Although my bank in England sent me a contactless card so I could be in the pilot scheme, I immediately cut it up and threw it in the bin because they had not asked me or informed me, and I saw it as a huge risk and didn't want it. "You'll never guess what happened next": basically, because they had sent me a new card, they cancelled my old one a short time thereafter. Even though the expiry date on my card was years in the future, it was useless. This isn't the first time Natwest has done this to me. They love sending new cards and cancelling the current ones you're using.
Back to the contactless thingy: if you lose your card and someone runs around on a spree buying items less than $100, it is your bank's responsibility entirely. Remember it's always the bank's responsibility to protect your money. Most times, if they can twist and find fault with you, they will try to shirk responsibility, saying you have neglected your card or misused it. Don't fall for that trap.