The Starbucks Breach That Wasn’t (And Other Lessons In Security)

One of the many merits of the World Wide Web is its ability to assist in the near instantaneous transmission of vital information around the world – almost at the speed of light. While the 24-hour news cycle cannot fairly be counted as a product of the digital information age, the 24-second news cycle almost certainly can be. Information is constantly refreshing in the great data stream, being discovered and being shared – around the world, hundreds of millions of times a day.

Which leads to the recent tempest over the “data breach” at Starbucks. The story got its legs from a post on former MSNBC reporter Bob Sullivan’s blog, which described the experiences of several Starbucks customers who allegedly noticed unauthorized access to their accounts. That access was reportedly followed by thieves using the auto-reload feature to rapidly rack up hundreds of dollars in charges.

Sullivan’s article did not state how the accounts were compromised, but since Starbucks processed $2 billion in mobile payment transactions last year, and 1 out of 6 of its transactions are done through the app, the story got a lot of traction.

And it morphed, pretty significantly, with many media outlets assuming that consumer accounts had been accessed through a breach of Starbucks’ systems. And while a weekend’s worth of “Starbucks Breached!” headlines made for interesting reading (and were probably good for Dunkin’ Donuts’ sales), there was just one small problem.

There was no breach, as Starbucks explained on its website.

“News reports that the Starbucks mobile app has been hacked are false…Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

Starbucks wasn’t hacked, and the data that fraudsters used to gain entry to its systems didn’t come from a breach of Starbucks’ system. And while it might be easy to write off the media’s miss as overexcitement and jumping the gun, there is also a problem of understanding, Mike Vergara, VP of Consumer Risk at PayPal, told MPD CEO Karen Webster in a recent conversation.

“When it comes to things like ‘hacks’ or ‘breaches,’ there is not a good industry-wide definition that everybody uses,” Vergara noted. “Traditionally with a hack or a breach, the fraudster’s focus is really to penetrate a system to steal a large number of credentials.”

Those credentials could be any number of things, though they are usually passwords, personal data or vital numbers (credit cards, Social Security numbers, etc.). That, Vergara notes, is distinct from fraud, which is when a criminal attempts to monetize that stolen data by using it.

“If you look at the criminal underworld, there is amazing specialization in these areas,” Vergara told Webster. “Different people specialize in credential capturing and hacking – that might be through malware or through phishing campaigns. But what they do exclusively is capture data they shouldn’t have. They then sell those credentials to people who are better at monetizing through fraud.”

The good news, such as it is, Vergara says, is that fraud is generally inefficient, which means many more credentials are captured than actually used. But before we all get too giddy with excitement, the bad news is that consumers are using a lot of the same passwords to establish digital credentials, which can increase the fraud monetization opportunity exponentially.

“People use the same password across multiple sites,” Vergara told Webster. “There are a lot of account credentials that people give up unknowingly, or they may have malware on their computer. A lot of those accounts have cards associated with them.”

That means a fraudster doesn’t have to break into or hack a system to “steal” credentials. They can simply take a password exposed by one site and try it in lots of different places. An account on a site that was never breached can therefore be compromised because its owner reused the same password on some other site that did get compromised.
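The defender’s side of that mechanic is detection: a password being “tried in lots of different places” looks very different in login logs from a customer mistyping their own password. The following is an added example, not code from the article, Starbucks or PayPal; the log format, the sample lines and the thresholds (a 60-second window, five or more distinct usernames, at most half the attempts succeeding) are all constructed for illustration. It flags source addresses that walk one credential across many accounts and lists the accounts where the reused password actually worked, which are the ones a merchant would want to step up or reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# The format and every value here are invented for this example; they are not
# Starbucks or PayPal data. 203.0.113.7 sprays one password across accounts,
# 198.51.100.4 is a customer mistyping, 192.0.2.9 is ordinary traffic.
SAMPLE_LOG = """\
2015-05-13T09:00:01Z 203.0.113.7 alice FAIL
2015-05-13T09:00:02Z 203.0.113.7 bob FAIL
2015-05-13T09:00:02Z 203.0.113.7 carol FAIL
2015-05-13T09:00:03Z 203.0.113.7 dave OK
2015-05-13T09:00:04Z 203.0.113.7 erin FAIL
2015-05-13T09:00:05Z 203.0.113.7 frank FAIL
2015-05-13T09:00:05Z 203.0.113.7 grace FAIL
2015-05-13T09:00:06Z 203.0.113.7 heidi FAIL
2015-05-13T09:01:10Z 198.51.100.4 alice FAIL
2015-05-13T09:01:25Z 198.51.100.4 alice FAIL
2015-05-13T09:01:40Z 198.51.100.4 alice OK
2015-05-13T09:02:00Z 192.0.2.9 ivan OK
2015-05-13T09:30:00Z 192.0.2.9 judy OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources whose sliding window shows many distinct
    usernames with few successes: the password-reuse pattern, not a user typo.

    Thresholds are assumed values for this example, not production tuning.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = [e[2] for e in span if e[3]]
            rate = len(successes) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                best = flagged.get(ip)
                # Keep the widest window seen for this source.
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "successes": len(successes),
                        # Accounts where the reused password worked: these
                        # owners need a reset or step-up, not just the IP blocked.
                        "compromised_accounts": sorted(set(successes)),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The success-rate condition matters as much as the username count: a busy corporate NAT address will also produce many distinct usernames in a minute, but almost all of those logins succeed, whereas a sprayed password fails on nearly every account it is tried against. The accounts it does succeed on are exactly the reused-password victims the article describes.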

Which points to a much larger issue: What to do in the face of so many passwords? The number of online channels that consumers use is expanding, and remembering 32 different passwords for 32 different sites is dizzying, which is why so many consumers use the same password for everything. But in an answer that might seem surprising from an information security expert, Vergara said that an old-school, paper-and-pen solution might actually do the trick.

“Write it down and put it on a sticky note.”

Why didn’t we think of that?

Vergara goes on to explain.

“It may seem scary, but for consumer use — and what I am about to say is absolutely not what you’d do in the enterprise world – but it is the advice I give my Mom. No one is going to break into your house, I tell her, and steal your password on a sticky note. So it’s much lower risk than just using the same password over and over again.”

But since sticky notes aren’t exactly going to stop fraud in the enterprise environment, Webster asked Vergara for advice on helping merchants balance the “cost of doing business in payments,” that is, accepting some element of fraud in order to remove friction from the system and enable customers to transact with them.

“The security mindset overall is ‘we have to try for zero fraud.’ But that’s not the way you look at it from a payments or commerce perspective,” Vergara said. “There’s always shrinkage – even all the way down to a Mom and Pop shop, it’s something you deal with. You aren’t going to shut down your store because someone steals Twinkies; you manage that, and as long as you’re making money you’re OK. And that’s what a lot of people from the security background don’t get.”

This doesn’t mean that security isn’t a serious issue, which Vergara says it certainly is, and one that keeps his team busy “all day, every day, trying to stay one step ahead.” But, he says, that effort and action happens behind PayPal’s main attraction: allowing buyers and sellers to transact. This, he said, is what makes payments security a little different from security in general.

The challenge on the good guys’ side of the aisle is to lock the bad guys out, or find them before they can do anything, every time.

The hackers’ challenge, on the other hand, is that they can afford to fail every time but once. If they get in once (and get enough data), they win.

“Our adversary has more funding, a lot of resources and is scarily efficient in their understanding of systems and how they respond to changes to them. It’s an arms race – and it hasn’t gotten worse. But the eCommerce economy is growing and so, even held down to their current levels, these bad guys are making lots of money.”

Billions, in fact. And that amount of money will motivate them to stay around. The point, Vergara said, is not to try to eliminate them all, but to get so good at detecting them and making it hard for them to monetize their crimes efficiently, that they move on to easier targets.

“Around the globe every day we are trying to make our customers stay protected in almost 200 countries. Whenever we see stolen credentials, we stop them. Hopefully these folks will be arrested, but that probably won’t happen if they are outside U.S. jurisdiction. So the other option is you can convince the guys who are doing this that it isn’t worth their time because the economics aren’t there. It makes them more likely to move on to something else.”

That is a daunting task.

But not an impossible one, just one that needs to be undertaken with the right systems and risk management tools to keep fraud at a minimum, even when fraudsters do manage to get into accounts.

And, of course, it also helps if no one panics and reports a breach where there wasn’t one, but even the biggest firms can’t control everything.