Recently, the venti-sized news at Starbucks wasn’t a new coffee drink, it was the news that their popular app was hacked. The Starbucks app is one of the of the most popular mobile apps on the market, and also one of the most successful mobile payment apps launched to date, accounting for nearly 20% of purchases at the coffee chain. At Passport, we regularly discuss Starbucks’ remarkable deployment of mobile payments, but unfortunately, the company’s success in attracting users had the dangerous side effect of attracting the attention of hackers aiming to gain access to the millions of credit cards uploaded to the app.

The ‘hack’ itself exploited poor app security design and weak passwords. Hackers bombarded accounts with brute force – trialing common, weak passwords until they gained access. Once the hackers had access they drained funds from compromised accounts by purchasing resellable goods at Starbucks locations. With stronger security systems in place, this whole debacle could have been avoided.

If Starbucks had the same security measures in place that we have at Passport, they would have never had an issue. All of the applications on our platform use 2-factor authentication to ensure possession of the account owner’s email or phone number. They also lock out the account after a set number of attempts. Either of these measures individually would have foiled the hackers. Both in combination would have rendered the brute force attack completely useless.

So where did Starbucks go wrong? How did they let their app get hacked?

I think it’s due to the management team and the tech team not taking security seriously enough. Any third party security audit would have revealed the brute force weakness and recommended one or both of our solutions.

Now that we know what went wrong, and what could have fixed it, what can a company do to help themselves avoid this same problem?

The answer is to focus on the 4 Tenets of Security. A more dedicated focus on security with these tenets in mind will help your company avoid application security issues facing many companies today.

The 4 Tenets of Security:

1) Leadership Should Prioritize Security 

If the firm’s leadership isn’t currently prioritizing the security of your application, security is off to a horrible start. At Passport, the management teams regularly discuss topics that “keep us up at night.” Our application security is always part of that conversation. If potential security issues aren’t receiving adequate attention from your company’s management team, it’s time to ask why.

2) Your Developers Must Be Talented and Trusted

Trust is the more important of the two. If, for any reason, the integrity of a developer comes into question, that developer should be asked to move on. External hacks are scary, but internal hacks have the potential to be devastating. Trust can go beyond the concept of intentional maliciousness here, as well. Can you trust the developer knows enough to maintain the security of your systems? If you can’t, you have a problem.

3) You Need a Dedicated Security Team

Not all small companies will have the luxury of having dedicated security personnel, but if you have the resources available, you should. In development teams of 5 or less, every person on the team is already a part of the dedicated security team. Once your development team grows, you will have to specialize – and that’s when the dedicated security team becomes crucial. This team should handle your infrastructure design and development and it should also focus on security quality assurance and code reviews. This internal audit team will help to ensure that your apps maintain security 24 hours a day, 7 days a week and 365 days a year.

4) Maintain Active 3rd Party Auditing

At Passport we are also a gateway and processor of credit cards, so we have to undergo yearly PCI Level 1 audits for our payment card security practices. We also perform a yearly SSAE 16 audit, which focuses on business processes. These processes are not as directly tied to app security issues, but they are still important to the topic. We also go one step further and hire ‘white-hat’ hackers to attack our systems in a more ad-hoc way. All three of these auditors will potentially find holes in your systems that you can patch.  They will also give you great advice on setting up and maintaining security for your systems.

Besides these hired auditors, our customers also turn out to be very good auditors as well. Our customers regularly question the security of our systems and ask us for detailed explanations. This customer vigilance is very helpful, and should be taken seriously rather than dismissed.

Looking back at the Starbucks app hack as an outsider, it’s difficult to determine which internal controls failed. But, it’s likely they had deficiencies as a company in all 4 tenets above. These internal company deficiencies at Starbucks opened the door for their security deficiencies and eventually the hack that we saw in the news.

Avoid the Starbucks App Hack. Follow the tenets listed above and you’ll find that your applications will be well secured.

Cheers to you, and sleep well now that your app is tucked away tightly.

– Charlie

PS: This article is focused on application developers. If you are reliant on a 3rd party vendor for your app security see Bob Youakim’s post on ‘Top 5 Questions To Ask before Allowing Firms to Process Credit Cards’