The Register has a story on the insecurity of the Starbucks app, the one that went nationwide (in the US) just last month. More specifically, the barcode (technically, the QR code) that’s scanned to buy coffee and other goods at Starbucks can be copied, meaning someone could buy coffee for free but at a cost to someone else (most likely a friend who’s unaware of what’s going on).
It’s not a particularly eye-opening revelation; I’ve thought of it myself. Also, pondering on it, I wonder if it makes sense to secure the app.
Static Barcode in the App
How does the scam work? Basically, take a screenshot of the barcode in the Starbucks app on someone’s smartphone and e-mail it to yourself. Since it’s a screenshot, pulling up the image on your own phone will look like you’re running the app, despite the fact that it’s only an image.
More specifically, you’ll be able to buy coffee because the Starbucks app uses a static barcode, i.e., the same barcode is always displayed. Now, if a one-time barcode was generated — train tickets are used as an example of this — the scam wouldn’t work, as pointed out in theregister.co.uk article.
The App is Just Like the Card. Should It Be Secured?
I’ve given it some thought, and it seems to me that Starbucks has literally taken the concept of the Starbucks gift card and moved it to the phone (and added some extra stuff). What happens to the money in the gift card when you lose it? It’s gone: whoever picks up or steals your card can use it at any mermaid-featured coffeeshop. The same thing is happening on the Starbucks app, in terms of security (in other words, it’s non-existent; again, except for the extra stuff).
What’s different about the app, though, is that you have no idea something has gone wrong. If you’re out a card, you know because you can’t find it. With the app, someone can continue to milk you for coffee and scones as long as you don’t notice, and as long as you keep charging the card.
And therein lies the scandal. Obviously, the thing needs better security. Or does it?
Securing the App
I’m not sure the app needs added security. Yeah, it’s a weird position to be taking when one works for AlertBoot, a disk encryption software company. I mean, you’d imagine that I’d be screaming bloody murder.
But let’s face it, it’s an app on a smartphone. Shouldn’t you have the phone secured already?
You could argue that you’ve got the password set to kick in every 5 minutes or whatever, so there is a window where someone could pull off the above scam.
Okay, fair enough. Chances are the scam’s going to be pulled off by someone you know. After all, your average thief is not going to just e-mail himself a screenshot of your Starbucks card and put your phone back where it was. Thieves don’t do that. They take the phone.
Which brings us back to securing the phone.
But all of this is moot. I’ve just installed the Starbucks mobile payments app on my iPod Touch, and I see that there is an option to setup a passcode under “settings.” (You want Version 1.5.0 of the app, so upgrade ASAP.)
I don’t like it though. Unlike the iPhone’s passcode, which introduces lockouts based on the number of wrong guesses, this Starbucks’s passcode field allows you to enter as many as you want. You could go through all 10,000 guesses, from 0000 to 9999, in less than 3 hours, assuming you attempt one passcode per second (this process of trying all guesses is known as brute-forcing).
Which brings us back to securing the phone. Again.
Related Articles and Sites: