QR codes are finally coming to America with a caffeinated jolt, thanks to Starbucks’ new mobile payment system that lets you scan and pay for your drinks with an iPhone or BlackBerry pre-loaded with Starbucks Rewards account information.
And with Starbucks incredibly brand loyalty stats, the program has a huge opportunity for success. As the Seattle Times reports:
One in five Starbucks transactions is now made with the store cards, and mobile payments “will extend the way our customers experience and use their Starbucks Card,” Brady Brewer, vice president of card and brand loyalty, said in a release. “With mobile payment, the Starbucks Card platform further elevates the customer experience by delivering convenience, rewarding loyalty and continuing to build an emotional connection with our customers.”
But as Starbucks paves the way into a brave new world (for the US, at least) of QR payments, I get the sinking feeling that we’re bound to run into a “teachable moment” security lapse very soon. For one thing, the app apparently stores credit card information locally, protected with nothing more than a flimsy 4 digit PIN and no word on whether that data is encrypted, or whether it even matters if it’s encrypted because, again, it’s behind a 4-digit PIN:
One thing you should note about the Starbucks Card mobile app is that, if you choose, it can store your credit card information. This makes it easier to reload your card with just a few clicks. Your account number is protected so that only the final four digits are revealed, and as an extra precaution you can add a passcode to the app.
Starbucks is tacitly encouraging users to trade security for convenience, and while I applaud their innovation, history shows that someone will get burned here. Or more likely, thousands of someones after a clever hacker builds a trojan that scans devices for the stored data, or a way to intercept or spoof data being sent to stores. If there’s one thing black hats love more than money or a good challenge, it’s caffeine.
Already, there are reports that the gift card systems used by Starbucks and others, which the mobile app is based on, are insecure, due in large part to rushed implementations to meet holiday demand, as StoreFrontBacktalk reports:
During the last 12 or so months, pressure has sharply increased on the major chains to get in front of the mobile stampede, especially with iPhone mobile apps supporting payment. But scanning codes from mobile phones presents quite a few challenges, including early struggles with light reflecting from the screen and interfering with accurate reads.
The rollouts were accelerated with the goal of making the phone applications simple—for consumers to use, for stores to support and for chains to deploy—and keeping costs initially low. After all, no one knew what kind of revenue and profits would actually materialize.
Similar conditions – new, imminently useful and largely untrialed technology – allowed the TJX wireless router break ins, and such a scandal at Starbucks could set the company’s image, and mobile payments, back years.