I don’t know about you, but I find bank-account hacking the ultimate bogeyman. As a 20-something living in the uber-expensive New York City, the thought of a late-night ATM run for taco-truck money turning into an avenue for crooks to take my hard-earned cash always keeps me on alert. To say I’m diligent about checking my account, especially around paydays, is an understatement.
And that vigilance has paid off, because this past weekend hackers walked away with roughly $1,800 from my account — and my bank did nothing to alert me or stop it.
That sounds crazy, right? That somehow $1,800 would slip out of my account, under the radar of a financial institution that has been known to ring me when I buy subway passes from a station vending machine. But scammers are taking advantage of modern conveniences to rapidly drain and launder money, using some of the places we commonly shop, online and offline.
But let’s rewind to Sunday, Aug. 4, when an email from Mint.com entitled “Unusual Spending on Coffee Shops” hit my inbox. Mint, which I use as a budget and spending tracker, normally sends me annoying emails telling me I’m spending too much money on Chipotle. But they typically arrive at the end of the month, when my budget hits its limit — not four days into it.
So I clicked on the email and was shocked to see that someone had spent $470 on coffee in my name. To see how that was possible, I went directly to my bank account. This (below) is what I found.
There, in $30 and $60 increments (and denoted with the phrase “STARBUCKS CARD RELOAD 800-782-7”), was the answer. Although the charges had been made days earlier, they had not posted to my account immediately, and no fraud alert had been triggered. I only saw the charges when they finally began rolling in and posting to my online account.
That $470 in damages that Mint caught was just the tip of the iceberg. In fact, the person or people responsible had put a total of $1,700 in charges on Starbucks cards. All of this prompted my bank’s fraud agent to let out a protracted “Wow” when I spoke with her 10 minutes later.
I also called the Starbucks hotline, and the rep there gave me enough details to figure out exactly how it all went down.
After the perpetrators skimmed my debit-card number (perhaps at a subway-station vending machine or a local merchant), they made a purchase that might have attracted notice at some banks: a $15 charge to an e-waste store in Columbus, Ohio.
When that didn’t trigger the card to shut down, the fraudsters went to work. Starbucks offers a feature called “Auto Reload,” which lets anyone with a registered card set a flat reload amount that is charged to the payment method on file automatically whenever the card’s balance drops below $10. Cardholders never have to speak to customer service or verify their identity, so the credit-card or PayPal details on file can be swapped out quickly without raising suspicion.
It’s easy enough to do online, and the charges show up as if they had been added directly through the toll-free number, which, unlike the website, does put a customer-service rep in the loop to verify fund transactions.
Loading up separate cards and paying for them in $30 or $60 increments makes it look as if multiple cards are being issued, almost as if I had decided to buy 33 Starbucks cards for my extended family. The transaction log, which shows reloads at three-minute intervals, suggests the Auto Reload form was being filled in by a simple macro: log in, click through to the card, enter the new credit-card number, reload, repeat.
In total, they siphoned $1,671 from my bank, spread out over two half-hour sessions using the Starbucks cards. (They also took $90 from my account to pay for premium server hosting on another website, just for fun, I guess.)
The Starbucks rep said that the company watches out for major purchases all done at once — like $300 to a single card — but that smaller increments assigned over many usernames can be hard to track for fraud.
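The rep’s point, that a rule watching for one big load misses the same money arriving as many small loads across many usernames, is easiest to see with a check that aggregates by the funding card instead of by the gift-card account. The following is an added example and is not Starbucks’s or the bank’s code; the log format, field names, sample entries and thresholds are all assumptions constructed for illustration, and the sample burst mirrors the $30/$60, three-minute pattern described above:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Added example, not Starbucks's or the bank's code. The log format, the field
# names, the sample entries and the thresholds are all assumptions.


class Reload(NamedTuple):
    ts: datetime      # when the reload was charged
    account: str      # the gift-card account (username) that received the funds
    funding: str      # the bank card that paid, identified by its last four digits
    amount: float     # dollars loaded


def parse_log(lines):
    """Parse constructed log lines: '<ISO time> account=<id> funding=<last4> amount=<usd>'."""
    reloads = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        reloads.append(Reload(datetime.fromisoformat(ts), kv["account"],
                              kv["funding"], float(kv["amount"])))
    return reloads


def flag_large_reloads(reloads, threshold=300.0):
    """The per-transaction rule: flag any single reload at or above the threshold."""
    return [r for r in reloads if r.amount >= threshold]


def flag_structured_reloads(reloads, window=timedelta(minutes=30),
                            max_sum=200.0, max_accounts=3):
    """Velocity rule keyed on the funding card, not the gift-card account.

    For each funding card, slide a time window over its reloads and flag the card
    if any window's total exceeds max_sum or touches more than max_accounts
    distinct accounts. Small reloads spread across many usernames still add up.
    """
    by_card = defaultdict(list)
    for r in reloads:
        by_card[r.funding].append(r)

    flagged = {}
    for card, events in by_card.items():
        events.sort(key=lambda r: r.ts)
        worst = None
        j = 0
        for i, first in enumerate(events):
            # advance j so that events[i:j] all fall within `window` of events[i]
            while j < len(events) and events[j].ts - first.ts <= window:
                j += 1
            chunk = events[i:j]
            stats = {
                "count": len(chunk),
                "sum": sum(r.amount for r in chunk),
                "accounts": len({r.account for r in chunk}),
                "start": first.ts,
                "end": chunk[-1].ts,
            }
            if worst is None or stats["sum"] > worst["sum"]:
                worst = stats
        if worst["sum"] > max_sum or worst["accounts"] > max_accounts:
            flagged[card] = worst
    return flagged


# Constructed sample log: two legitimate reloads from other cards, plus a burst
# in which one funding card (*4242) loads ten different accounts at $30/$60
# every three minutes, the pattern described in the article.
LOG_LINES = [
    "2013-08-01T02:00:00 account=alice funding=1111 amount=25.00",
    "2013-08-01T02:01:00 account=bob funding=2222 amount=50.00",
    "2013-08-01T02:10:00 account=u01 funding=4242 amount=30.00",
    "2013-08-01T02:13:00 account=u02 funding=4242 amount=60.00",
    "2013-08-01T02:16:00 account=u03 funding=4242 amount=30.00",
    "2013-08-01T02:19:00 account=u04 funding=4242 amount=60.00",
    "2013-08-01T02:22:00 account=u05 funding=4242 amount=30.00",
    "2013-08-01T02:25:00 account=u06 funding=4242 amount=60.00",
    "2013-08-01T02:28:00 account=u07 funding=4242 amount=30.00",
    "2013-08-01T02:31:00 account=u08 funding=4242 amount=60.00",
    "2013-08-01T02:34:00 account=u09 funding=4242 amount=30.00",
    "2013-08-01T02:37:00 account=u10 funding=4242 amount=60.00",
    "2013-08-01T09:00:00 account=alice funding=1111 amount=25.00",
]


if __name__ == "__main__":
    reloads = parse_log(LOG_LINES)
    print("per-transaction rule flagged:", flag_large_reloads(reloads))
    for card, s in flag_structured_reloads(reloads).items():
        print(f"funding card *{card}: {s['count']} reloads, ${s['sum']:.2f} across "
              f"{s['accounts']} accounts between {s['start']:%H:%M} and {s['end']:%H:%M}")
```

Run stand-alone, it reports that the per-transaction rule flags nothing while the velocity rule flags the one funding card that paid ten accounts in under half an hour. The design point is the grouping key: the fraudster controls the account side of each transaction and can make as many usernames as needed, but every reload has to name the victim’s card, so that is the identifier to count on.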
The rep indicated that this is a common problem, and that the company tries to shut down suspicious reload activity when representatives see it. Money gets laundered through these cards and then often sold on eBay at some discount to the face value. The scammer profits, of course, and the buyer doesn’t realize what has happened until he or she is unable to register the card for Starbucks’ rewards service.
After reporting the situation to my bank, the bank ultimately credited the funds back to my account. The best way to avoid having your debit-card number grabbed, the bank said, is to be vigilant about card skimming — including fake card readers and “suspicious activity” from store merchants (whatever that means).