How scammers drained $1,700 from my bank account using Starbucks cards

31 Comments

I don’t know about you, but I find bank-account hacking the ultimate bogeyman. As a 20-something living in the uber-expensive New York City, the thought of a late-night ATM run for taco-truck money turning into an avenue for crooks to take my hard-earned cash always keeps me on alert. To say I’m diligent about checking my account, especially around paydays, is an understatement.

And that vigilance has paid off, because this past weekend hackers walked away with roughly $1,800 from my account — and my bank did nothing to alert me or stop it.

That sounds crazy, right? That somehow $1,800 would slip out of my account, under the radar from a financial institution that’s known to ring me when I buy subway passes from station vending machine. But scammers are taking advantage of modern conveniences to rapidly drain and launder money, utilizing some of the places we commonly shop — online and offline.

But let’s rewind to Sunday, Aug. 4, when an email from Mint.com entitled “Unusual Spending on Coffee Shops” hit my inbox. Mint, which I use as a budget and spending tracker, normally sends me annoying emails telling me I’m spending too much money on Chipotle. But they typically arrive at the end of the month, when my budget hits its limit — not four days into it.

So I clicked on the email and was shocked to see that someone had spent $470 on coffee in my name. To see how that was possible, I went directly to my bank account. This (below) is what I found.

StarbucksCitibank

There, in $30 and $60 increments (and denoted with the phrase “STARBUCKS CARD RELOAD 800-782-7”), was the answer. Although the charges had been made days earlier, they had not posted to my account immediately, and no fraud alert had been triggered. I only saw the charges when they finally began rolling in and posting to my online account.

That $470 in damages that Mint caught was just the tip of the iceberg. In fact, the person or people responsible had put a total of $1,700 in charges on Starbucks cards. All of this prompted my bank’s fraud agent to let out a protracted “Wow” when I spoke with her 10 minutes later. 

I also called the Starbucks hotline, and the rep there gave me enough details to figure out exactly how it all went down.

After the perpetrators skimmed my debit-card number (perhaps at a subway-station vending machine or a local merchant), they made a purchase that might have attracted notice with some banks: $15 charge to an e-waste store in Columbus, Ohio. 

When that didn’t trigger the card to shut down, the fraudsters went to work. Starbucks uses a system called “Auto Reload,” which allows anyone with a registered card to automatically assign a flat reload rate once the card has a balance under $10. Cardholders don’t have to bother speaking to customer service or verifying the ID, so credit-card or Paypal numbers can be changed out quickly with no suspicion.

It’s easy enough to do online, and the charges show up as if they were directly added via the toll-free number — which actually does use a customer-service rep to verify fund transactions.

Loading up separate cards and paying for them in $30 or $60 increments makes it appear as if multiple cards are being issued — almost like I had decided to buy 33 Starbucks cards for my extended family. The transaction log — which shows rapid transactions in three-minute intervals — indicate that Auto-Reload fields could be accomplished with a simple macro. Log in, click to the card, input new credit card, reload, repeat.

In total, they siphoned $1,671 from my bank, spread out over two half-hour sessions using the Starbucks cards. (They also took $90 from my account to pay for premium server hosting on another website– just for fun, I guess.)

The Starbucks rep said that the company watches out for major purchases all done at once — like $300 to a single card — but that smaller increments assigned over many usernames can be hard to track for fraud. 

The rep indicated that this is a common problem, and that the company tries to shut down suspicious reload activity when representatives see it. Money gets laundered through these cards and then often sold on eBay at some discount to the face value. The scammer profits, of course, and the buyer doesn’t realize what has happened until he or she is unable to register the card for Starbucks’ rewards service.

After reporting the situation to my bank, the bank ultimately credited the funds back to my account. The best way to avoid having your debit-card number grabbed, the bank said, is to be vigilant about card skimming — including fake card readers and “suspicious activity” from store merchants (whatever that means).

31 Comments

Paul

why use a debit card at all? A credit card does the same thing with more protection. If someone runs up fraudulent charges on
1) your CC, you only have an outstanding balance that you can deal with at your leisure.
2) your Debit card, you have LOST YOUR MONEY and need to work with the bank to see if they will give you back the money.
IF IT TAKES 2 DAYS FOR YOUR BANK TO GIVE YOU BACK YOUR LOST MONEY, THAT IS 2 DAYS THAT YOU DO NOT HAVE THAT CASH.

This is quite a huge difference. However, if you don’t see the difference, good luck to you in the future…..

Ben Jones

I had two $100 fraudulent transactions with STARBUCKS CARD RELOAD 800-782-7 last week, 2 minutes apart – the second case of card fraud I’ve had in 3 months.

Can relate.

luis

I have quick story using CHASE, about 2-3 years ago Chase was promoting using your debit card on every day purchases, gas, groceries etc. I did exactly that and someone copy my number within a few weeks, I guess it was at Gas Station because I drove a lot. they did an atm withdrawal of 500.00, because it was the daily limit. I called saying it wasn’t me because I was out of town, it was hard to prove it because I didn’t use my card after that gas purchased. I talked to someone over the phone and they said I needed some receipt of other transactions proving that I was out of town. Well I couldn’t come up with any, next day I called and a second person told me I had to file a police report and get a lawyer. He was angry I was angry so after hanging up I waiting 5 minutes, practicing patience I re dialed and talked to a 3rd person, this person was friendly and understood my situation, within minutes I had the 500.00 back in my account, the next week I went into the bank and closed the account. I share my story to the banker that was closing my account and this person was oh don’t worry we got you cover, in my mind I was thinking I almost had to go get a lawyer, and they said they had me cover for any fraud. that’s my story, seems like all banks are the same. Log in daily to check your account, never use your card, debit or credit if your not sure of your balance. transactions can take day or minutes, it’s all programmed so you fall behind, always have a balance, prepare to get fees, if you want 100% of your money use cash. good luck

Jennifer

I have been a victim to Ghana scam but with assistance from the cyber crime unit: info.ghanapolice at consultant . com ..scammers are arrested.

chris sly

FROM THE OFFICE OF THE E.F.C.C NIGERIA

The economic and financial crime commission of nigeria(E.F.C.C) is a legally constituted anti crime commision aim at fighting crime and restoring nigeria image globally.

all victims of nigerian internet scam and other related offences are advise to consult efcc on nigeriaefcc.scamdept@yahoo.com with a detailed report and a concrete evidence such as payment receipt for immediate arrest of the culprits and refund of victims money.

you can click on the links below to verify.

http://en.wikipedia.org/wiki/Economic_and_Financial_Crimes_Commission

http://www.efccnigeria.org/efcc

the victims are required to send the below information

Name : ……..
Country: ……….
State: ……
Phone: ………
Sex: …
Marital status: …..
Occupation: …….
Detail Complaint with evidence of payment ………..

to nigeriaefcc.scamdept@yahoo.com or an official letter to

THE ECONOMIC AND FINANCIAL CRIMES COMMISSION ( EFCC )
ADDRESS: No.5 Fomella Street, OffAdetokunbo Ademola Crescent, Wuse II, Abuja NIGERIA.
http://www.efccnigeria.org/efcc
http://en.wikipedia.org/wiki/Economic_and_Financial_Crimes_Commission

tcstixx

Yeah, I like the idea of using a credit card instead. So did they catch the people using these cards with the stolen money?

Ron Paulfan

Haha.. So funny.

I do have to laugh at these types of articles. Every one of those purchases shows DEBIT CARD purchase. That means that someone stole your pin number and used it.

Well, how on earth did they steal your pin number? Financial Institutions have for decades told their customers to never share their pin number with anyone.

Some people are just too stupid and just can’t resist entering their pin number into the little POS systems that request such information.

Apparently people like you learned little from the TJMax hack which cost hundreds of millions of dollars. Just as in your situation, dumbasses used their pin number and smart people hung out in the parking lot swooping up on those numbers. They in turn recreate your debit card and use it as if it were their own.

And since banks have told their customers for years not to share their pin number, they won’t refund stolen money that was obtained using a pin number.

Now, had you only swiped your card and hit the little ‘credit’ button, all of your transactions would have been protected by the merchant whose name appears on the front of the card and in turn you would not have had this nice little blog to post which shows your true intelligence.

So way to go moron. You are the cream of the crop.

Oh, and by the way, my Great-Uncle just died and left me 100 Million dollars. The money is tied up in Customs and I only need a small fee of $1000 to get it out. If you help me with this fee, I’ll give you millions for your effort.

Feel free to email me at: OnlyStupidEffinMoronsUseTheirPinNumber@merchants.com

Kevin Dethlefs

o.O Did you seriously waste your time typing all of that? This is maybe a 1 in idk, I’ll say worse case scenario, 100k chance you’re going to use a device that’s compromised. Oh, let’s say he does use credit… typically requires signature… guess what, that’s in the swipe pad too… Now they have his signature. Easy to replicate as well. I’m not sure what’s better, but PIN vs PINless is not the debate here.

I, for one, say castrate thieves and rapists… At least this way they can’t produce more kids than the 5 they already pay child support for.

Ben Jones

Look up card skimming. These are elaborate schemes utilizing cameras positioned above or near ATM’s which are then used to match PIN’s to cards information. I learnt a process when I was 3 that might help you: 1) Think, 2) Speak. Moron.

Bunky D

If I understand this right, the real problem is that they got your debit card number and PIN, and the Starbucks card was merely a way to steal money from that bank account in a way that raises less automated suspicion.

Keith

You say they got the card number. Okay, but how did they get the pin? How did they make that initial purchase in Columbus?

gracieempower

Sobering stuff. Bravo to the bank for making you whole again.

Yesterday, I declined to fund my health insurance with an automatic debit because I don’t trust that kind of system. Are automatic withdrawals safe? I don’t think so…

I had recently written a story about how a Gold’s Gym in Palm Springs had siphoned off up to $10,000 from some of their members’ accounts in an accidental computer error. It shut down accounts for people who were in the midst of buying gas or groceries, leaving them penniless for the moment. http://bit.ly/19eiGn3

fredhstein

Thanks. Very helpful. Now.. one wonders why doesn’t Starbucks put in an automatic 24 hour limit, the way banks do for ATM transactions?

paul vixie

“Starbucks uses a system called “Auto Reload,” which allows anyone with a registered card to automatically assign a flat reload rate once the card has a balance under $10. Cardholders don’t have to bother speaking to customer service or verifying the ID, so credit-card or Paypal numbers can be changed out quickly with no suspicion.”

Seriously? And you signed up for this why?

Kevin Dethlefs

They may not have, the attackers used it, however, to “reload” fraudulent cards and still on Ebay because most Americans can’t live without their daily dose of coffee and don’t want to pay the 5 bucks for it.

Let’s say I were to do something like this, reload a card with 60 dollars, sell it on Ebay for 30 “because it was a gift I don’t want”… You’re getting 50% off your 5 dollar coffee every morning. What you don’t know that you’re lucky if that card isn’t disabled by the time you get your hands on it, because the money was acquired through fraud like this.

Mike Smullin

this almost happened to me today but American Express blocked it and called me immediately

Kevin Dethlefs

AmEx I think is known for their paranoia. I also know some businesses refuse to accept AmEx so it’s not as convenient. Could be worse, though. Could be Discover.

jon

Debit cards come directly out of your account.

In the old days, the robbers stole from the bank because “that’s where the money is”. Now days, they steal from the customers directly.

My understanding is that debit card issuers promise to give your money back, but with a credit card it is federal law that your only liable for $50 assuming you act responsibly and review your bills. plus, you don’t send the money until you have had a chance of reviewing the bill.

You should read brian krebs blog. he has story after story about card skimming devices and automatic fund transfer scams amounting to hundreds of thousands of dollars. basically these are businesses and they have to sue their banks to get their money back and they don’t always get their money back.

So you are just putting yourself at risk of having an argument with your bank while a third party actually has possession of your money.

Mandee

That must have been an awful experience. I’m glad you were able to get it back. A lot of banks would have blamed you for carelessness and not refunded. If only other were as vigilant as you! But the hassle must have messed up your day. I spend a lot of time tracking myself because I’ve been scammed as well. I can’t stop using convenient methods of shopping and loading, but I found that I can do most of it away from shady ATMs and vending machines. I do it online, protected by a VPN. I started following http://vpnexpress.net for the reports they have on different scams and tips for staying safe from them. So far I haven’t had any incidents and I think it’s a good option once you find reliable vendors online and get used to the change.

JRD

Federal and State chartered banks are required by law to cover any fraudulent activity that results in a loss over $50. Customers are not on the hook. Also, 99.9% of banks would not blame you for “carelessness” in this case because it is obviously, with out a doubt, fraudulent activity. I would recommend that you educate yourself on the way banks handle fraud, as it would most likely ease your harsh opinion that all banks are evil and out to get you. Many banks are small and medium sized businesses that have great intentions.

athensoh

“The best way to avoid having your debit-card number grabbed…” is to use a credit card for purchases at restaurants, subway stations, etc. Then pay it in full at the end of the month to avoid any interest, besides credit card spending usually earns better rewards: miles or cash back. And if a credit card number should get stolen, your bank account is safe.

eddie ski

You should read some of krebsonsecurity dot com stories… he’s pretty good about digging even further on these dregs…

Robin

This is why debit cards are a bad idea! Really, anything your bank promotes should be viewed with deep suspicion.

JRD

As a community banker I realize the hesitation some customers have when using debit cards. It should be noted, however, that the vast majority (it isn’t even close) of bank fraud is attributed to paper trails and a lack of knowledge and precautionary measures when using your account info online for purchases and payments. Scanners and complicated systems like the one is this article are a fraction of the overall fraud. Also, most banks can easily implement more strict parameters for debit card purchases but the customers fight against this since it can cause consciences issues.

Micheal

Don’t use your direct deposit checking account as your primary checking, move the funds from the DD account into your spend account as needed, only use the DD account numbers for setting up DD and then shred all that documentation. A account that you do not use for real world transactions to hold your DD while you split it into checking for bills and savings etc you will drastically reduce your financial target footprint.

Pat

Or to use cash more and leave the “convenience” at home. Also a good idea to avoid credit cards linked to bank accounts.

TechIan

Whoa, that is quite the interesting story. I am glad I have avoided this kind of things for the most part.. other than a few video game accounts being hacked.. but nothing that hit me in the wallet. It is scary to think about how easy it can be, and how it doesn’t happen more than it does

Comments are closed.