It turns out the poster
child for app-based mobile payment success is also an object lesson in how not to handle the sensitive personal data that actually makes m-payments work. Respected IT trade journal ComputerWorld reports that the Starbucks app -- the most used
mobile payment app in the U.S. -- stores user passwords, usernames, and email addresses in unencrypted text.
“The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC,” reports Evan Schuman. Worse, the text file including the sensitive information also stores geolocation data recorded by the app. The vulnerability was discovered first by a security researcher, Daniel Wood, who published the information online Monday after two months trying to alert Starbucks of the problem.
Starbucks confirmed the issue to ComputerWorld. The report contends that the passwords and usernames are stored in the app
to streamline payment and to save the user the trouble of having to input one or both to make a payment. The Starbucks executives interviewed in the piece were not taken by surprise by the lack of
security in the app. They told Schuman they had been aware for some time that the personal information was stored in plain text in the app itself.
Starbucks dismissed concerns about the security of the app by claiming that usernames and passwords are protected by new and additional layers of security. But Computerworld reports that Wood was still able to access usernames and passwords on the Starbucks app, including location records of where the app had been activated.
While Starbucks insists that it has other measures in place to protect consumers again fraudulent uses of the apps and accounts, security experts warn in the piece that the risk is larger than that. Exposing any password opens up larger problems because so many of us reuse the same or similar passwords in other accounts.
To be fair to Starbucks, accessing data from the app is not as simple as plugging it into the PC. I had no luck accessing more than photos using standard
Windows directory and file management tools. Still, the incident underscores the new set of risks that brands face as they move deeper into the world of m-commerce and m-payments. Everyone is a bank,
and with this comes all the same expectations and responsibilities. This is an especially noteworthy case because, by some measures, Starbucks is the most-used form of mobile payment in the U.S.
Research firm Berg Insight last year contended that mobile payment activity is actually quite low relative to the hype and number of startups vying for attention here. Starbucks was the notable exception. Berg insists that of the 7.5 million people who used a phone to pay for a physical good at retail, 7 million of them were using the Starbucks app to pay for small items at those outlets.