
How scammers drained $1,700 from a bank account using Starbucks cards - shakes
http://gigaom.com/2013/08/07/how-scammers-drained-1700-from-my-bank-account-using-starbucks-cards/
======
Pyramids
Contrary to what the article states, this is almost definitely not due to
skimming of any kind. It is most likely related to a database leak or breach,
whether it is documented or not is another question.

Also, typically these are not "actual" (card-present, pin entered) debit
transactions. Starbucks, much like Amazon, authorizes some online purchases as
pinless debit card transactions, due to the lower processing rate incurred by
the merchant. This can all be done completely online, for example, via
Starbucks Online Reload system.[1]

This is truly nothing new. Gift card fraud has been booming since 2006-2007,
when companies (starting with Starbucks, followed by Subway, Walmart[2], Whole
Foods, etc.) began offering reloads to existing cards. Unfortunately, most of
these companies have laughably bad fraud detection.

For example, Whole Foods uses a platform formerly known as "Giftango", which
was rebranded as "InComm" in the last couple weeks. They quite literally will
let a credit card thief reload hundreds of dollars from an IP anywhere in the
world, to any gift card powered by their platform. No fraud scoring, velocity
checks, geolocation, etc. You can imagine how easy this would be just by
taking a look at their default gift card management portal, used by Whole
Foods.[3]

Conveniently for credit card thieves, WalMart even offers an option to reload
a spreadsheet, or a CSV list of cards off a single credit card, easy right?[4]

Overall, I think this problem is only going to grow, especially with Cardpool
acquired by Safeway, and now offering instant cash for gift cards in stores.
This is an extremely easy method to cash out these fraudulently created gift
cards, conveniently located at your local grocery store.

[1] [https://www.starbucks.com/card/reload/one-time](https://www.starbucks.com/card/reload/one-time)

[2] [http://www.walmart.com/cp/Reload-Gift-Card/1097444](http://www.walmart.com/cp/Reload-Gift-Card/1097444)

[3] [https://app.giftango.com/GiftCardPortal/WholeFoods/GiftCardP...](https://app.giftango.com/GiftCardPortal/WholeFoods/GiftCardPortal.aspx)

[4] [http://www.walmart.com/cp/Reload-Gift-Cards/416242](http://www.walmart.com/cp/Reload-Gift-Cards/416242)

~~~
martingordon
You would think that pinless debit card transactions would carry higher fees
since there is a higher risk of fraud. Any thoughts as to why it's the
opposite?

~~~
Pyramids
I wouldn't say there is any higher potential for fraud, as they're essentially
verifying the same amount of data. It may make it _slightly_ more difficult to
recover funds if your card is used without your permission, however.

The processing rate is typically lower because of agreements between issuing
banks and debit processing networks, and is a somewhat hot topic at the moment
as technically pinless online debit transactions are only intended for when
the customer's identity has been "confirmed", such as individuals with running
accounts at a wireless carrier.

However, for whatever reason, some big companies are being allowed to use the
MasterCard Debit/Maestro/Visa Debit/STAR/PULSE networks in this manner. In
this case that company is Starbucks.

I'd estimate the rate paid by Amazon/Starbucks for processing pinless debit is
0.8% or less. Compare this with the 0.9 - 2.2% interchange fee (depending on
card type) they'd incur if they processed these transactions as credit. It
might not sound like a lot, but at that scale it probably ends up being
millions per day saved.

------
buuda
This is why I refuse to use debit cards.

Also, the authorization that merchants do to make sure you have the money will
tie up that money on your account even if you cancel the purchase before being
charged. On a credit card it will tie up the equivalent credit, but at least
it is not cash being locked up.

------
noxryan
My understanding is that one way to reduce the impact of card skimming would
be to use a credit card for general purchases rather than a debit card. I
would especially avoid pin-based transactions whenever possible.

~~~
sliverstorm
One thing that helps about credit cards - credit card companies extend you
more protection, which means they assume more liability. From what I've
seen/heard, this translates (as you would hope) to increased vigilance on
their part.

Personal example - driving cross country, I filled up maybe 4-5 times across
several states. Got a call from my credit card company after the 4th fill-up.
It had been less than 24 hours since the "spree" started, and I got the call
in the middle of the night, _from a human_! (I was driving through the night)

~~~
pbhjpbhj
> _credit card companies extend you more protection, which means they assume
> more liability_ //

I thought it meant they placed more liability with retailers &c.

------
mathattack
It's a pain in the *ss when this happens.

I had a credit card # stolen from a locked hotel safe. (It was overseas, I
hadn't used the card on the trip, and there were charges to a sporting goods
store down the street.)

If someone wants the #, they can get it. The nice thing is that the data
analysis seems to be getting better and better. It gets caught very quickly
nowadays (the current story being a poor counterexample) and it's been a few
years since I had a false positive.

~~~
jordanthoms
On the other hand, Chase has false positive fraud alerts on my debit card 2-3
times a month.

~~~
aroch
My favorite, before online banking was like it is today, was the "please
verify the last 10 (or 20) transactions" ordeal.

~~~
jordanthoms
I still get this - they call with an automated system, give vague descriptions
of the transactions which I can't actually recognise them from, then I go
online and actually check the transactions.

~~~
mathattack
I always assume that the inbound call is someone spamming...

------
eli
_> After the perpetrators skimmed my debit-card number (perhaps at a subway-station vending machine or a local merchant)_

Incidentally, someone cloned one of my credit cards and tried to buy gas with
it in NY (not a big deal -- AmEx caught it when they tried to use it). I'd
recently traveled to NYC and the only times I used the card were the subway
ticket machine and an LIRR ticket machine. I think they need to keep a more
careful eye on those machines.

~~~
eksith
Those MTA machines usually have security cameras pointed at them and (at least
at the stations I frequent) cops abound. Of course, I don't know exactly
to what degree the readers are tamper-resistant.

This is another reason I try not to use my card in any machines, especially
when I'm travelling. Cash can be risky, but it's good to keep a small amount
on you at all times just in case.

------
brey
what surprises me most is the high amount these cards sell for on ebay, when
they presumably get electronically wiped pretty quickly once reported.

the link from the article has many of these, eg currently a $10 card with 5
bids at $9.39 - surely there's more than 7% of risk that the card ends up
worthless for a buyer?

[http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.T...](http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.Xstarbucks+card&_nkw=starbucks+card&_sacat=0&_from=R40)

[http://www.ebay.com/itm/Starbucks-10-Gift-Card-FREE-SHIPPING...](http://www.ebay.com/itm/Starbucks-10-Gift-Card-FREE-SHIPPING-/321176617067?pt=US_Gift_Certificates&hash=item4ac79e406b)

or is the answer just that some people on ebay are stupid? ...

~~~
dangrossman
* None of the sellers of auctions ending today with bids has less than a 100% feedback rating and a long feedback history. There does not appear to be a population of newly created accounts selling only gift cards.

* Should an account sell a worthless gift card, the auction would be disputed through eBay and PayPal, and if lost there, possibly through the credit card issuer too. One or two scams and the accounts would be locked.

* eBay, PayPal, and the buyer's credit cards all separately promise full reimbursement protection against fraud on eBay, so the risk to the buyer is small even if fraud were to occur.

* If a listing category on eBay were generating >7% chargebacks for PayPal, which is owned by eBay, they'd restrict or eliminate that category the same as they've done with others. The fact that it's available as a category is evidence that there is not widespread fraud.

I don't think there's a 7% chance of buying a worthless gift card on eBay. I
don't think eBay buyers paying 93% face value of gift cards are stupid.

~~~
ChuckMcM
So having had the experience of having a 'starbucks card' get charged to a
compromised account, I asked Starbucks about this and at that time (a bit over
a year ago) they didn't invalidate the card because it was causing a lot of
customer service complaints. Given the prevalence of the fraud I wonder if
that was a wise choice, perhaps they have changed since then.

------
rickyc091
My question is why would the scammers launder the money through Starbucks then
to eBay or some third party service... there seems to be too many points of
failure... Starbucks can easily deactivate all the cards once they have been
notified... eBay restricts the number of gift cards you can list, plus there
are the fees and the credit card charge back, etc... Seems there are better
ways to do this...

~~~
nemothekid
Most likely one of the easier ways to "cashout" on stolen credit cards. There
is nothing to pick up/ship, it's fairly anonymous and if you have the volume it
can easily be worth it.

------
efkowalchyk
From the article the original debit card #, exp date and cvv could have been
stolen online or via physical card skim. Online via database hack (this is a
serious PCI-DSS violation if the perpetrator has the encryption keys or the
system storing the info isn't protecting the data), could have been stored in
her browser cache and someone sneaked a peek at Starbucks when she went to the
bathroom. Or a physical card skim which typically happens from skimming
devices appended to gas station and ATM card readers, or a server at a
restaurant quickly skims the card data while taking your card away to pay for
the meal.

Either way they got the card #. I don't think it's feasible to completely
prevent card info from being compromised, too many possibilities for human
error on behalf of the cardholder or merchants/processors trying to protect
the data, which face a seemingly never ending list of people willing to steal
card info for a quick buck.

Part of what makes thefts like this hard to track down is the fact that there
are numerous parties and systems involved in the transaction. There's
Starbucks' website, and I'm sure they use an outsourced provider to manage
their stored value accounts, who in turn uses an outsourced payment provider
to process the credit/debit card payments, who plugs into MC or Visa rails to
hit the cardholder's bank. In my mind all of these parties are at fault for
not catching this, but I admit it's easier said than done when processing
billions of electronic transactions every day.

The easiest way to prevent or identify this type of fraud would have landed on
her bank's shoulders. First recognizing the initial test txn in Ohio was
questionable, and then they should have had a velocity trigger on the same
account # being used at the same merchant numerous times. Starbucks (and their
partners) should have a similar velocity trigger looking for repeat purchases
from the same card# within a certain time frame regardless of dollar amount.

In the end the crooks learn the fraud rules, adjust their practices, and the
good guys have to play catchup while trying not to prevent good transactions
from getting stopped.

Maybe the best way to protect yourself as a consumer is to routinely (daily,
twice a week, etc) review the purchases made on your accounts. It's clear you
can't depend on the companies making money off your spending (i.e. electronic
payment providers and your bank) as they get paid when you spend more, and
they'll only go so far to protect you before the ROI isn't there.

------
free652
Don't use debit cards.

I destroyed most of my debit cards and the rest is locked away. I carry an ATM
card (no expiration also, I had to request it from Chase to replace the debit
card) and few credit cards. With a credit card I can charge back any
transaction up to 180 days later.

~~~
specialp
I am not sure if there is any advantage at all of using a debit card over a
credit card. Bottom line is that debit card fraud comes straight from your
bank account and can cause problems with other payments etc. These days it is
not possible to escape fraud even if you are very vigilant. You cannot assure
that merchants are handling this data properly. For this reason I specifically
requested that Chase stop sending me debit cards as my ATM card, and now I
have a plain blue card that just says "ATM card". If you have a credit card use
that and pay it off every month, far easier and safer.

------
mey
One of the simpler fraud checks is velocity (rapid orders) and flag them. In
this scenario, he should do a charge back (through his bank) to recover the
funds.
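
The velocity trigger described in the comments above by efkowalchyk and mey, as an added example that is not part of the thread or any commenter's code: a sliding-window count per card token and merchant that ignores the dollar amount. The transactions, token names, merchant labels, window sizes and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, card token, merchant label, amount in USD).
# Tokens stand in for card numbers; none of this is real transaction data.
SAMPLE_TXNS = [
    ("2013-08-01T09:00:00", "tok_A", "COFFEE-RELOAD", 1.00),    # small test charge
    ("2013-08-01T09:02:00", "tok_A", "COFFEE-RELOAD", 100.00),
    ("2013-08-01T09:03:30", "tok_A", "COFFEE-RELOAD", 100.00),
    ("2013-08-01T09:05:00", "tok_A", "COFFEE-RELOAD", 100.00),  # 4th hit in 5 minutes
    ("2013-08-01T09:06:00", "tok_B", "COFFEE-RELOAD", 25.00),
    ("2013-08-01T09:20:00", "tok_A", "COFFEE-RELOAD", 100.00),  # spaced out past 10 min
    ("2013-08-01T12:00:00", "tok_B", "GROCERY", 60.00),
    ("2013-08-02T09:06:00", "tok_B", "COFFEE-RELOAD", 25.00),   # ordinary repeat customer
]


def velocity_alerts(txns, max_count=3, window=timedelta(minutes=10)):
    """Return (timestamp, card, merchant, count) for every transaction that
    pushes a (card, merchant) pair above max_count hits inside the sliding
    window. The amount is deliberately ignored, so $1 probes count too."""
    recent = defaultdict(deque)  # (card, merchant) -> timestamps still in window
    alerts = []
    for ts, card, merchant, _amount in sorted(txns):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        hits = recent[(card, merchant)]
        hits.append(when)
        # Drop hits that have aged out of the window before counting.
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) > max_count:
            alerts.append((ts, card, merchant, len(hits)))
    return alerts


def layered_alerts(txns):
    """Run a short burst rule and a longer daily rule side by side, since a
    sequence spaced to stay under the short window still trips the long one."""
    return {
        "burst_10min": velocity_alerts(txns, 3, timedelta(minutes=10)),
        "daily": velocity_alerts(txns, 4, timedelta(days=1)),
    }


if __name__ == "__main__":
    for rule, hits in layered_alerts(SAMPLE_TXNS).items():
        print(rule, hits)
```
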

~~~
eli
I'm not sure it's possible to do a "charge back" on a PIN-based debit
transaction.

It was years ago, but someone once stole my debit card number and it took
a few weeks to get my money back ("provisionally") from my local community
bank.

~~~
mey
Assuming this was set up on a website/phone app, it was not a pin-based
transaction, most likely run over the credit or debit rails as a card not
present or pre-approved transaction.

The customer should be able to request chargebacks through their bank without
issue.

I would suggest you investigate getting a better local bank, as this is
something any bank should be able to easily do.

------
sliverstorm
_“suspicious activity” from store merchants (whatever that means)_

To my understanding, the concern is a store merchant who is palming a card
scanner and sneaking a swipe of your card through their scanner.

~~~
mistercow
They wouldn't necessarily even need to do that. With a camera just below the
counter, and a little practice, they could capture the front and back of the
card easily without appearing to do anything unusual. That would contain all
the information they need to make a copy.

