'Tis the season for data breaches. And rumors of data breaches. And data breaches that didn’t really happen but could have happened.
Such is the state of security and privacy. These are issues so new and unclear to most consumers and journalists that threats real and imagined are sometimes reported uncritically. There are the very real incidents of both Target and Neiman Marcus stores getting hit by a similar card hijacking scheme. But then there are the follow-on reports of the author of the software used for the scheme reportedly being a Russian teen. And then there were even more intimations that the same software had been downloaded on the black hacker market scores of times, with the suggestion that more stores will have to 'fess up to breaches.
someone who has covered data, PCs and software utilities for a number of publications over the year, I am accustomed to the regular security firm “warnings” about new threats to users.
Anti-virus software companies have been doing this for years. It is a form of PR for this sub-segment of the industry.
The public alerts of software, OS or browser vulnerabilities are branding exercises. They underscore the vigilance of the company in its detection routines and at the same time promote the category of software security. In many cases, the vulnerabilities detected in things like Flash, Internet Explorer or Windows are theoretical holes at best. They get publicized even if they haven’t actually been exploited yet. Journalists find themselves in a bit of a bind, because the threats may be real theoretically, but the story often is being driven by security firms that stand to benefit from heightened concern about security.
Starbucks found itself
in a security dust-up this past week when a security researcher at Seclists.org discovered that the coffee brand’s widely used app did not hash or encrypt users’ loyal account information
and even geo-location history. According to the researcher, the app, which stores loyalty points and gift cards used for payment at Starbucks locations, was keeping usernames and passwords in plain
text in an area of the device accessible to a third party.
I have to admit, I tried to follow the site’s map of where I could find the data myself, but had no success. This is a case where someone would have to have your smartphone, hook it up to a PC, and root around pretty deeply to get the data. Indeed, before the disclosure of the issue, a thief wouldn’t even know where to look for such data.
Starbucks was quick to say it was aware data was being stored this way, but that no theft of accounts had been reported. The company promised that a future update would address the weakness. The story started trending, however. I reported it myself last week, less as a warning about a commonly used app, and more as an example of how technology and e-commerce has made all brands stewards of people’s most precious data.
Actually the most negative part of this story for Starbucks was that the security researcher who uncovered the issue tried in vain for two months to alert the company and couldn’t get past customer service. Starbucks, which admits it already knew about the username and password storage issue, only addressed it as a problem when the researcher’s blog post got picked up by the IT press.
Starbucks was quick to issue an app revision over the weekend and a blog post. The artfully worded statement acknowledges the reports but denies any real threat to users, noting that the company made revisions to its processing procedures and, soon after, to the app out of what was labeled “an abundance of caution.”
This is a minor incident that is surely going to become commonplace for companies in coming months and years. Reading between the lines of Starbucks’ announcement, you can sense uncertainly about how seriously and loudly to address a theoretical vulnerability.
Personally, I think Starbucks responded reasonably and quickly to what may have been a non-issue. If the security researcher who found the flaw is correct,
the app developer was probably wrong in leaving personal information in plain text on a device. But Starbucks is in a position where it has to address a “concern” rather than a
demonstrated security breach. You can’t ignore the concern because it can be perceived as treating consumers cavalierly.
On the other hand, over-responding elevates what the company likely regards as a minor threat to a scale it doesn’t deserve. And all of this is driven by consumer and reporters’ limited understanding of what really constitutes a threat to security. Like it or not, we are in world where perception of providing security may be at least as important as actually providing it.