Security Fails at the Weakest Link

Source: Starbucks app used to hack into bank accounts, credit cards – Business – CBC News

There have been a number of hacks recently around Apple Pay and now Starbucks’ mobile application. People love to write about these stories and make them bigger than they are.

The reality is that Apple Pay wasn’t hacked, and neither was the Starbucks app. What was attacked in both cases was enrollment into the system.

This doesn’t make it ok, or a non-issue, but it should refresh us on the fact that sensitive workflows function like chains under stress, and they break on the weakest link. For Apple Pay it was the enrollment procedure for adding cards, and for this Starbucks it had to do with adding gift cards.

The takeaway should be that we are judged on the security of the entire security workflow, not just the parts we’re in charge of. To the user/business/outside there’s no distinction. So when we build a security system we have to also consider the pieces that we don’t directly control.

Notes

1. Two other points that are related are 1) supply chain security, and 2) casting a wide enough net in terms of security scope when doing a vulnerability assessment or penetration test.

Related posts:

1. Everyday Threat Modeling

2. The Polarization of the Bay Area’s Quality of Life

3. The Difference Between Security and Privacy

4. FaceID Adds a Step for Apple Pay, and For Good Reason