The app lets consumers pay for drinks and food through their mobile phone. It can also reload Starbucks gift cards by drawing funds from a bank account, credit card or PayPal. Hackers have found a way to get into the app, buy a new gift card and transfer the funds to themselves.
There have been a number of hacks recently around Apple Pay and now Starbucks’ mobile application. People love to write about these stories and make them bigger than they are.
The reality is that Apple Pay wasn’t hacked, and neither was the Starbucks app. What was attacked in both cases was enrollment into the system.
This doesn’t make it OK, or a non-issue, but it should remind us that sensitive workflows behave like chains under stress: they break at the weakest link. For Apple Pay it was the enrollment procedure for adding cards, and for Starbucks it was the process for adding gift cards.
The takeaway should be that we are judged on the security of the entire workflow, not just the parts we’re in charge of. To the user, the business and the outside world there’s no distinction. So when we build a security system we also have to consider the pieces we don’t directly control.
Two related points follow from this: 1) supply chain security, and 2) casting a wide enough net when scoping a vulnerability assessment or penetration test, so that enrollment and other third-party-controlled steps are included rather than left out of scope.