Starbucks recently launched a new iPhone app that lets users load their Starbucks gift cards onto the device and pay for their coffees and lattes without the physical card. The app works by displaying a barcode that the barista scans in order to charge your account.
The problem is that the Starbucks Card Mobile app uses the same barcode every time, which means that someone can use a screen capture of your barcode to get free coffee and lattes.
Normally a payment system like this would use a different barcode every time you want to make a payment, so that someone can’t take your barcode and make purchases from your account, but that security isn’t present with the Starbucks Mobile Card iPhone app.
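A sketch of the per-payment barcode described above, as an added example that is not Starbucks' code. It assumes a per-card key shared by the app and the server, a 30-second validity window, and hypothetical names (`issue_code`, `Register`); the card number is constructed.

```python
import hashlib
import hmac
import secrets

STEP = 30  # seconds a displayed code stays valid (assumed value)

def _mac(key: bytes, card_id: str, window: int, nonce: str) -> str:
    msg = f"{card_id}|{window}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def issue_code(key: bytes, card_id: str, now: float) -> str:
    """App side: build a fresh barcode payload each time the card is shown."""
    window, nonce = int(now // STEP), secrets.token_hex(4)
    return f"{card_id}|{window}|{nonce}|{_mac(key, card_id, window, nonce)}"

class Register:
    """Server side: verify a scanned payload and remember spent codes."""
    def __init__(self, keys: dict):
        self.keys, self.spent = keys, set()

    def redeem(self, payload: str, now: float) -> str:
        try:
            card_id, window, nonce, mac = payload.split("|")
            window = int(window)
        except ValueError:
            return "malformed"  # e.g. a bare card number, as in a static barcode
        key = self.keys.get(card_id)
        if key is None:
            return "unknown card"
        good = _mac(key, card_id, window, nonce)
        if not hmac.compare_digest(good.encode(), mac.encode()):
            return "bad mac"
        if abs(int(now // STEP) - window) > 1:
            return "expired"   # a stored screenshot ages out
        if (card_id, window, nonce) in self.spent:
            return "replayed"  # each displayed code pays only once
        self.spent.add((card_id, window, nonce))
        return "ok"

def demo() -> list:
    # Constructed card number and key, for illustration only.
    key, card = secrets.token_bytes(32), "6000000000000000"
    reg, t0 = Register({card: key}), 1_000_000.0
    shown = issue_code(key, card, t0)       # what the owner shows at the till
    return [reg.redeem(shown, t0 + 5),      # owner pays
            reg.redeem(shown, t0 + 10),     # same image presented again
            reg.redeem(issue_code(key, card, t0), t0 + 3600),  # hour-old code
            reg.redeem(card, t0)]           # static card number only
```

`demo()` returns one verdict per scan: the first use is accepted, and the reused, stale and static payloads are all refused.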
This means that someone could take a screengrab of your barcode by pushing the power and home buttons on your iPhone, email it to their phone and use it to pay for their own Starbucks treats. Obviously, if you keep your iPhone protected you are pretty safe from this attack, but if you leave your iPhone unlocked around untrustworthy “friends” or coworkers you may be in for a surprise when you look at your Starbucks purchases.
The silver lining in this cloud is that users without an iPhone could borrow a friend’s iPhone or iPad to set up the Starbucks Card Mobile app and take a screenshot of the barcode. Once this barcode is emailed to your Android smartphone you’ll be ready to go in and pay at your local Starbucks. Just keep it in your gallery and open the screen up before you pay. Just make sure you have cash with you the first time, since not all phones’ screens will work with scanners like those used at Starbucks.
If the barista wants to know why you don’t have an iPhone, just tell him that you’re testing a new Android version for corporate and enjoy your latte.
Here’s a demo of the Starbucks Mobile Card app for iPhone: