Evan Schuman: Starbucks caught storing mobile passwords in clear text

In a case of convenience for users trumping security, Starbucks has been storing the passwords for its mobile-payment app, along with geolocation data, in clear text

The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

The issue appears to be an example of convenience trumping security. One of the reasons for the Starbucks mobile app's popularity is its extreme ease of use. Customers need only enter their password once when activating the payment portion of the app and then use the app to make unlimited purchases without having to key in the password or username again. (Only when adding money to the app is the password required.)

Starbucks could have chosen not to store the password on the phone, but users would then be forced to key in their username and password every time they wanted to use the app to make a purchase.

"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," said Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."

"Yes, it does surprise me," said Gartner security analyst Avivah Litan. "I would have expected more out of Starbucks. At least they should have informed consumers."

And apparently Starbucks could have done that. Two executives -- Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman -- said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. "We were aware," Brotman said. "That was not something that was news to us."

The easy visibility of passwords was first discovered by security researcher Daniel Wood, who said he tried contacting Starbucks in mid-November. After repeatedly being transferred to customer service in the course of almost two months, he published some of his research for the security community on Monday (Jan. 13).

Starbucks is downplaying the potential for customers to be victimized and claims that it has made (vague and unspecified) changes that alleviate the problem. Brotman said the issue should no longer be a concern because "we have security measures in place now related to that" and "we have adequate security measures in place now." He declined to say what those security measures were, but said that customers' "usernames and passwords are safe," because Starbucks has added "extra layers of security."

Brotman didn't specifically say that the passwords are no longer appearing in clear text. About two hours after Brotman and Garner discussed the security hole, Wood reran his tests on an updated Starbucks app, using the current iOS version, and passwords and usernames were still fully visible in clear text. This time, though, he also noticed a geolocation history file, detailing his latitude and longitude numbers for every time he asked the app to find a store.

"If you grab someone's phone, you can effectively go through this log and see effectively where this person has been," Wood said. "It's a bad thing for user privacy."

Although it is certain that Starbucks' policies permitted the clear text, the file that displayed the credentials and location history is actually part of a capture made by a third-party crash-analysis tool from a company called Crashlytics, which Twitter purchased last year. Neither Crashlytics nor Twitter returned emails and voicemail messages seeking comment.
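The check a mobile-security reviewer would run against an app's own sandbox, and the design choice the paragraphs above gloss over (keeping a revocable device token on the phone instead of the password), as an added Python example that is not from the column, Starbucks, or Crashlytics. Everything in it is constructed for illustration: the two sample files, the account alice@example.com, the `TokenIssuer` class and its PBKDF2 parameters are assumptions, not a description of the real app's files or of whatever fix Starbucks applied.

```python
import hashlib
import hmac
import json
import re
import secrets
import tempfile
from pathlib import Path

# Constructed sample of an app's on-device data (illustrative, not real Starbucks or Crashlytics
# files): a persisted login form plus a crash-reporter log with user details and store-finder fixes.
SAMPLE_FILES = {
    "login_state.json": json.dumps({"username": "alice@example.com", "password": "hunter2"}),
    "crash_context.log": "\n".join([
        "2014-01-14T09:03:11Z app=1.0 user=alice@example.com pass=hunter2",
        "2014-01-14T09:03:12Z store-finder lat=47.6097 lon=-122.3331",
        "2014-01-14T12:45:30Z store-finder lat=47.6205 lon=-122.3493",
    ]),
}
CRED_KEYS = {"password", "passwd", "pwd", "pass"}
KV_RE = re.compile(r"\b(password|passwd|pwd|pass)=(\S+)", re.IGNORECASE)
LOC_RE = re.compile(r"\blat=-?\d+\.\d+\s+lon=-?\d+\.\d+")

def _json_credentials(obj, path=""):
    """Collect JSON paths (dicts nested to any depth) whose key looks like a password."""
    found = []
    for key, value in (obj.items() if isinstance(obj, dict) else []):
        if key.lower() in CRED_KEYS and isinstance(value, str) and value:
            found.append(f"{path}/{key}")
        found.extend(_json_credentials(value, f"{path}/{key}"))
    return found

def audit_app_data(root):
    """Walk an app sandbox; report where clear-text credentials and location fixes live.
    Only the location of each finding is recorded, never the secret value itself."""
    report = {"credentials": [], "location_points": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        text = path.read_text(encoding="utf-8", errors="replace")
        try:  # structured files: match on key names
            report["credentials"] += [f"{rel}:{p}" for p in _json_credentials(json.loads(text))]
        except ValueError:
            pass  # not JSON; the key=value scan below still applies
        report["credentials"] += [f"{rel}:{m.group(1)}=" for m in KV_RE.finditer(text)]
        report["location_points"] += len(LOC_RE.findall(text))
    return report

class TokenIssuer:
    """Hardened alternative (an assumed design, not Starbucks' actual fix): the server checks the
    password once and issues an opaque per-device token, which is all the app ever writes to disk.
    A copied token can be revoked server-side and is worthless at the user's bank."""

    def __init__(self):
        self._users = {}   # username -> (salt, PBKDF2 digest); the password is never kept
        self._tokens = {}  # token -> username

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))

    def issue_device_token(self, username, password):
        salt, stored = self._users[username]
        if not hmac.compare_digest(self._digest(password, salt), stored):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return token

    def user_for(self, token):
        return self._tokens.get(token)

    def revoke(self, token):
        self._tokens.pop(token, None)

def persist_token_only(root, token):
    """The hardened app's only on-disk state (a real app would use the OS keychain/keystore)."""
    Path(root, "device_token.json").write_text(json.dumps({"device_token": token}), encoding="utf-8")

def demo():
    """Audit the clear-text layout, replace it with the token-only layout, audit again."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            Path(root, name).write_text(body, encoding="utf-8")
        before = audit_app_data(root)
        for name in SAMPLE_FILES:
            Path(root, name).unlink()
        issuer = TokenIssuer()
        issuer.register("alice@example.com", "hunter2")
        persist_token_only(root, issuer.issue_device_token("alice@example.com", "hunter2"))
        after = audit_app_data(root)
    return before, after
```

`demo()` reports two credential findings and two location fixes for the clear-text layout and nothing for the token-only layout. The token is still a secret, which is why a shipping app would hold it in the OS keychain or keystore rather than a plain file, and why the server side matters as much as the client: a stolen phone's token can be revoked the moment it is reported, whereas a password that is also the customer's bank password cannot.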

How do the clear-text passwords endanger shoppers? A thief would need to first steal -- or at the very least borrow for 30 minutes or so -- a victim's phone. If the thief could access the phone's data, either because it had no PIN protection or the thief knew the PIN, he could easily get the victim's Starbucks username and password. With those in hand, the thief could charge items to the victim's account, until all the stored value is used up.

The thief could potentially steal far more if the victim had activated an auto-replenish option, which would allow the app to repeatedly access the victim's bank account to continually add more money to the Starbucks account. Brotman said that any request for more bank funds would trigger a message to the victim -- he said it would probably be an email -- which could alert the victim to the fraud. If the victim then contacted Starbucks, the account would be shut down.

But any victim who is traveling and has email access only on her phone would not receive that fraud alert from Starbucks, and that might give the thief plenty of time to run up big charges.

Asked about that particular scenario, Garner, the Starbucks CIO, said, "What you've described is fair, at a high level. From a design perspective, this could have potentially happened." He declined commenting on more specifics because "we're getting into security measures."

I know it has to be frustrating to mount a defense in those terms. Executives like Garner are forced to say, in effect, "We've got this all taken care of, but I can't tell you how we've done that because we can't talk about our specific security measures." But Gartner's Litan isn't buying Starbucks' soft soap. "They can come up with any rationale that they want to," she said. "It's just bad security practice. You don't store passwords in the clear. Ever."

Litan added that, for many consumers, the Starbucks security fumble endangers more than the money they have loaded onto their Starbucks stored-value cards. That's because many consumers reuse passwords. "In about 20% of the cases, the password is the same as for their banks," she said. "Consumers reuse their passwords whenever they can." That's a security failing on the consumer end, and not Starbucks' responsibility, of course. But any consumer whose bank account is compromised because of Starbucks' clear-text password storage isn't going to have warm feelings toward the coffee chain.

Mozido's Wiggs voiced concern that Starbucks' mobile password carelessness will hurt other mobile-payment efforts. "I don't think that the financial exposure to the consumer or to Starbucks is really material in this case," he said. "The real damage is to consumer perception. On the heels of Target, are fewer consumers going to choose to embrace mobile devices for payment because of this?"

In a column on Tuesday, Jan. 14, I encouraged companies to look at Starbucks and to emulate its slow-go approach to mobile commerce. I still would argue that that is a good idea, but on this clear-text password thing -- not so much.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
