Starbucks, The Epitome of Mobile Payments Success, Falls To Fraud

Fraud reports have been emerging around Starbucks’ gift cards, rewards accounts and mobile payment systems as reported by CNN Money. Cybercriminals are targeting consumers’ accounts, emptying the stored value in the cards and leveraging Starbucks’ auto-reload function to further target consumers’ debit and credit cards. A recent case emerged last week where a customer faced a theft of around $150 through the stored value in the mobile app and the gift card. Last year, another case took place in December where a customer witnessed the gift card being reloaded and used multiple times within minutes. That customers had lost $550.

Considering the recent case, a Starbucks spokesperson denied that the gift card could be linked to the mobile payment system. The spokesperson instead suggested about customers changing their passwords from time to time. The spokesperson assured that constant monitoring is done for fraudulent activity. However, the Starbucks app’s auto-reload feature is scrutinized as it is directly linked to credit card information and many customers might not be able to track the frauds that might take place.

The Starbucks case highlights the need to bring more effective measures to counter gift card frauds. Gift cards seem more vulnerable compared to credit cards. Depending on the kind of structure and how they are distributed, gift cards become easier targets for criminals. Some possible scenarios of gift card frauds could be:

  • It is usually the case that gift cards are sold stacked up in racks at merchant sites. Thieves can easily record gift card numbers that are stacked on a rack and use these numbers beforehand on online portals even before they are actually bought by customers.
  • Some larger gift card manufacturers provide a PIN label on the cards and enclose cards in special packages. Thieves can simply scratch off such PIN labels and steal the information. When kept in bulk in merchant sites, it becomes difficult to trace damaged packages.
  • There are some online gift card resellers who sell unused gift cards at discounted prices. Usually, these resellers simply provide gift card numbers instead of mailing the actual physical card. Hackers target such websites and steal the database of unused gift card numbers and exploit them.

The biggest disadvantage that gift cards have compared to credit cards is the backing of the manufacturers. Credit cards are developed by payments giants like Visa and MasterCard, and are issued by authenticated issuer banks. Banks and credit card processors themselves possess robust fraud detection and monitoring tools that bring a much higher level of protection to credit cards when compared to gift cards. Different gift cards are issued by different merchants and it’s not necessary that each gift card issuer would place a fraud-monitoring system. As one of its core operations, a bank would be more focused on maintaining a fraud detection system. This might not be the case for a merchant, especially for those of lower grade.

With gift cards becoming closer in nature to core payment cards, the ideal scenario should be to incorporate the security measures used by payment cards for gift cards as well:

  • Gift cards need to be upgraded with more effective form factors such as encrypted magnetic stripes and even new age technology like in chip cards
  • Moreover, a two-factor authentication can be a highly effective tool in preventing gift card frauds. This multiple-factor authentication system would be more ideal in case of digital gift cards
  • At the point-of-sale, an ideal scenario would entail the gift card number being activated only when the sale is logged. A fraud-monitoring system running at the POS side would be ideal to detect this