Digital wallets have been a hot topic for us lately. Their use is growing and like all things when it comes to cyber security, online criminals always follow the money. Kaspersky Labs said it best:
“Enthusiasm over this new payment platform (Apple Pay) is going to drive adoption through the roof and that inevitably attracts many cyber criminals looking to reap the rewards of these transactions.”
This “follow the money” mentality was exhibited this week after news came to light of a brute force attack against individual Starbucks mobile wallet accounts. Thieves have been taking advantage of two things to hack in to Starbucks app accounts: consumers’ bad password habits and the ability to try different passwords on the Starbucks app without being locked out. Thieves have been purchasing email addresses and passwords on the underground black market and then using programs to try out these passwords on high-value sites like the Starbucks app. These programs can try hundreds of login combinations in a matter of seconds, and they only need one consumer that has reused credentials to cash in.
We saw a similar process happen to Jomoco – a fictitious small business we created to see just how quickly a small business can be brought down by hackers. Fictional Jomoco employee, Rachel, was guilty of reusing email addresses and passwords across multiple accounts. When we leaked her email address and password for her personal email account on the online black market one of the first things the hackers did was try it out on other sites. They quickly discovered that they could also access her business email account, which happened to host sensitive business information. Long story short, Jomoco was compromised in every way possible in less than an hour – all because Rachel reused passwords. You can read more about Jomoco on our website.
If you use a mobile wallet – whether it’s the Starbucks app or Apple Pay – always use a unique, secure password and turn on two-factor authentication if it is offered. Similar to how we saw a rise in POS breaches in 2013 and 2014, we fully expect to see a growing number of incidents and breaches involving mobile wallets in 2015, especially as consumers and businesses continue to figure out best security practices for this new technology.