Someone has noticed that the Starbucks' iPhone application can be copied with a screen grab from a neglected handset, enabling the thief to gorge themselves on free coffee*. The payment system relies on reading a bar code from the iPhone's screen, identifying the customer and debiting their account. But the barcode doesn't …
If you leave your iPhone unattended,
isn't it more likely that the phone itself will be swiped, rather than just a few cups of swill?
My thinking also
To hell with the latte, the phone's the high-value proposition here!
Pick-pocket icon, o'course.
Missing the big picture!
The phone comes with free lattes!
Not as easy as it sounds...
Your coffee-grabbing thief first has to get hold of the iPhone... I always thought iPhone users had them surgically attached to their hands in the Apple store...
Why grab the phone?
Why grab the phone when you can simply take a picture of their screen showing the barcode? A bit of photoshoping/croping later, you can have a decent picture of the screen to pull up in your picture viewer.
Makes it even worse, since the picture can come from any source, likely a covert cam being palmed by someone near the checkout stand.
Exactly what I was thinking...
just stand at the checkout with cam in hand a snap the code as customer x presents it to the code reader. job done.
Even easier if you have a good slr and lens can sit across the room enjoying your brown milk...
Don't some phones have bar code scanning apps?
Write your own app to scan someone else's bar code and display it on your screen with all the Starbucks logo stuff round the sides.
Free coffee is about as attractive as the prospect of free vomit.* But is smells a lot worse. And isn't so pretentiously prepared.
*Granted, not everybody will share this opinion.
I share it.
Why people drink coffee in preference to beer is beyond me.
Coffee is lovely...
...ss long as you're careful not to buy Starbucks' vile cups of over-roasted pish.
The irony is
Think how much coffee he had to pay for and drink while he coded this!
Apple Panic Helpline.
If I start using cashless iPayment for my hot milkshakes and an iReader for my Harry Potter books and an iBarcode for my cinema tickets then what am I going to keep in all the other pockets of my beige Gap cargo pants??
Help me Jobi Wan, you're my only hope.
In other news...
Library cards are inherently insecure. If someone steals the wallet of a library user, the thief will be able to borrow books in the victim's name. This is definitely the worst possible outcome of the theft of a wallet.
Mactrd gets ripped off...
surely they are used to that already
...like encryption does not stop access; it only delays access to information or secrets.
No system, process, procedure or software will keep criminals out 100% effectively, 100% of the time if they want in.
But you really have to consider the amount of effort a would be crim is likely to expend in order to obtain a couple of bucks worth of bad coffee though.
This assumes you'd want to get more Starbucks 'coffee'.
The article mentions timestamping. Eh the screenshot will include the time at the top. So only useful for ordering coffee once a day (assuming an eagle eyed Barista)
Erm, it won't - the time doesn't appear at the top of many apps. Besides, having the time set wrong is hardly noteworthy - could be wrong by accident, or could be wrong deliberately (operating on a different timezone). Would barely get a "ooh, your clock is wrong".
A) the barcode is viewed by MACHINE.
B) ever heard of cut-and-paste?
You failed to actually read and comprehend the article, because the author was positing the idea of incorporating a timestamp or counter in the barcode, because the app DOES NOT DO IT ALREADY.
Please, read the article effectively next time.
You failed to actually read and comprehend the comment, because the author was not positing the idea of incorporating a timestamp or counter in the barcode, because the author realizes the phone DISPLAYS THE TIME AT THE TOP OF THE DISPLAY.
Please, read the comment effectively next time.
I can't see many people doing this scam. If a crook sees an iPhone laying around unattended, surely they will just nick the phone?
Having stolen the bar code (with or without the phone) how many times can they risk using it? Only a few times, otherwise they might get caught out. Then what - wait until they get opportunistic access to another person's iPhone?
The marginal costs to Starbucks is the cost price of the cup of coffee, not the sale price. That is assuming the customer notices, and can be bothered to seek a refund (if not, Starbucks have made a profit on the deal).
Against this is the benefit of being first in the market to accept payment by iPhone, and the media coverage that gets.
A bit lazy not implementing transaction counting, but all in all the level of scurity matches the risk.
The cost to Starbucks is negative.
The cost to the customer is the price of the coffee.
If Starbucks has a method to provide refunds, then the cost to them is the cost of administering the program plus the cost of fraudulent refunds processed.
The solution would be to make each barcode single-use, and develop crypto to generate a large number of possible barcodes. If someone gets your phone and grabs a code, they can buy one drink with it, just like if they walked to the counter and bought it there. Optionally, the codes could be time-limited.
Option two would be to make the barcode animated, or otherwise interactive. It would then require a slightly more sophisticated attack. Slightly.
With a little editing-fu, a video of the previous customer's barcode could be used to create the static image.
I've also found that thieves can use the grab method to buy coffee if I leave cash lying around in Starbucks.
I said this at the time - in the NFC or Barcodes article and suggested that NFC was safer because you could do just this. I also got about ten downvotes for my trouble.
nobody likes it
nobody likes it when someone says, " I told you so"... therefore the down vote !!
It assumes that anyone wants to drink Starbucks coffee. Given a choice between Starbucks coffee or stale ditchwater, I'd rather share the ditch with the tadpoles.
Starbucks don't care....
.... they still get paid
I'd love to hear that meeting ...
NFC-based payment systems obviously can't be copied in this way, but even on-screen bar codes can be made more secure with the addition of simple transaction counter, or time stamp, *but it seems Starbucks eschewed either option for the sake of simplicity*.
I'm sure we can imagine how that came about ...
"NFC-based payment systems obviously can't be copied in this way"
Just give someone enough time and incentive!
"...single-use codes that only work once..."?
As opposed to some other kind of single-use codes?
Same error equally possible with NFC
The only thing noteworthy is that a "replay attack" like this is just about the first example of what not to do in the very first book on designing this sort of protocol that I got my hands on. It's not like it isn't bleeding obvious.
It might be that they'll tally the number of transactions and charge-again if they see a re-used code. That's exposing the customer to abuse. Then again, maybe they'd rather run the risk of having handed out a few free <insert entirely too long name for an overly fancy coffee here> rather than deal with customers getting irate over no coffee while the machine ate their code. Same thing with implementing a too-tight time restriction on code usability.
Looked at from a technical PoV, it's indeed stupid. Looked at from a business PoV, it may be mere pragmatism. How much does a few unwillingly-on-the-house coffees cost them, anyway?
Badly designed payment systems
If you *really* want to see "a good example of how badly a payment system can be designed if one puts one's mind to it" then check out http://www.payoffshore.com/techdocs/send-a-paym-requ-to-payl.html#base64xordataencoding
This is a card processing company which admits to their merchants that one of the options they support "is not secure". How insecure is it? It leaks the private key which is used to "sign" the response to the merchant - so a customer who knows how to break Vigenère can get stuff at the merchant's expense.
As others have said...
... why on earth would you settle for a free coffee, when you could (if your that type of wanker) just nick the phone?
Lets face it, if your hanging around someones unattended iphone in the time it takes for this exploit - 20 seconds or so - if you get caught doing it and the owner doesn't know you, they'll think your trying to half-inch the phone anyway!
The phone is worth a LOT of coffee and the data on it could potentially be worth more.
I think Starbucks made the right choice - keep it simple - why add a huge amount of extra dev time and inconvenience for a very slight chance someone will try and nick a few cups of coffee?
It seems fairly evident to me they will have considered this potential 'flaw' and decided the risk didn't merit the extra cost in dev time.
The only reason you'd leave your phone unattended is your either stupid/drunk/tired or your mates/family/partner are at the table.
Or you could just...
...breeze into Starbucks, skip past the till straight to the other end of the counter, swipe the first beverage proffered up by the "barista" and breeze on out. Seen it happen twice; it's a great trick as long as you're not too choosy. As an added bonus, you don't even have to own an iphone for it to work.
ah the good ole starbuck surprise drink
no need for screen grab and emailing
just take a photo of the bar code FFS. Less than 2s requried.
How anybody could buld such a brain dead system is beyond me. Imbeciles.
Can anyone use this
They should add an order function as well as making it a one time payment code.
Then one person can go to starbucks and pick up everyones order on the way to work
and not need to pay for anything or make sure they got it right. We do this on Fridays at work
with a volunteer going out and paying taking orders etc.
Or someone could wave their phone and order while paying.
Surely most people employ some form of PIN protection? ...if they don't and aren't even prepared to attempt to try and protect themselves, what do they expect?
Surely, if all the bar code is is the customer account number, you don't even need to faff about with a screen grab from the victim's phone - you just need the number that the barcode translates to. If you can find that number, you can generate your own barcode, paste it into an image of the app, and present that. You wouldn't need the source phone..
To grab somebody else's number you would only need to be able to see the victim's barcode for long enough to, say, take a photograph - if you are ready with a camera (or another phone!!) you may only need a second or two while stood behind them in the queue... pay for your coffee that time, go home, extract the barcode from the photo, read it yourself to get the account number, etc., etc..
Now if only I dared be seen visiting a Starbucks..
... The Tesco Clubcard app has an insecure static barcode too. Anyone could copy it and go round racking up point on my clubcard account.
In similar news
People who steal my phone can earn me clubcard points, too.
Simpler option would be...
... putting a pin on you iPhone (pretty dumb not to), or on the app.
The owner of said iPhone should take a bit of responsibility here.
Charbucks finally has something worth taking. Oh, you say it's only of value in their shop? Huh, security through antipathy, that's a new one to me but it just might work.
How long until
Someone grabs an image from a "friends" phone at work and posts it online for a joke. Call it a free coffee coupon or some such...
What's with all the snide remarks about starbucks coffee, calling it "coffee" (note the inverts) and the footnote in the article.
As much as anyone might hate their business ethics, you can hardly accuse it of not being real coffee. They grind it in front of you from beans, into two or three shots of espresso.
It's your choice to then down that in 40 fl oz of milk.
I drink my coffee how I like my men, strong and without milk.
On the rare occassion that I'm in the branch near work, I get confused looks from the staff when I ask for an extra shot of espresso (I like my latte to taste of coffee, not hot milk); even then, it's still piss weak. Kevin Day described their coffee as "homeopathic," and I'm inclined to agree with him.
Don't even think about getting an iced coffee from them, either, as that really is brown milk (but mixed with ice!) - they don't even brew a shot to put in, just pull a bottle of pre-flavoured milk from the fridge. Yuk.
re: "Coffee" comments
At least if you add milk you have a beverage that tastes of milk.
Their espresso is bland, lacking depth and frequently leaves an bad aftertaste in the mouth. I really hope that's not what you look for in your men.
none of that artisan crap for me, I'll just have about 6 heaped tablespoons worth of the instant shit in a dirty mug full of hot water please.