Not as easy as it sounds...
Your coffee-grabbing thief first has to get hold of the iPhone... I always thought iPhone users had them surgically attached to their hands in the Apple store...
Someone has noticed that the Starbucks' iPhone application can be copied with a screen grab from a neglected handset, enabling the thief to gorge themselves on free coffee*. The payment system relies on reading a bar code from the iPhone's screen, identifying the customer and debiting their account. But the barcode doesn't …
Why grab the phone when you can simply take a picture of their screen showing the barcode? A bit of photoshopping/cropping later, you can have a decent picture of the screen to pull up in your picture viewer.
Makes it even worse, since the picture can come from any source, likely a covert cam being palmed by someone near the checkout stand.
I can't see many people doing this scam. If a crook sees an iPhone lying around unattended, surely they will just nick the phone?
Having stolen the bar code (with or without the phone) how many times can they risk using it? Only a few times, otherwise they might get caught out. Then what - wait until they get opportunistic access to another person's iPhone?
The marginal cost to Starbucks is the cost price of the cup of coffee, not the sale price. That is assuming the customer notices, and can be bothered to seek a refund (if not, Starbucks have made a profit on the deal).
Against this is the benefit of being first in the market to accept payment by iPhone, and the media coverage that gets.
A bit lazy not implementing transaction counting, but all in all the level of security matches the risk.
The cost to Starbucks is negative.
The cost to the customer is the price of the coffee.
If Starbucks has a method to provide refunds, then the cost to them is the cost of administering the program plus the cost of fraudulent refunds processed.
The solution would be to make each barcode single-use, and develop crypto to generate a large number of possible barcodes. If someone gets your phone and grabs a code, they can buy one drink with it, just like if they walked to the counter and bought it there. Optionally, the codes could be time-limited.
Option two would be to make the barcode animated, or otherwise interactive. It would then require a slightly more sophisticated attack. Slightly.
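The single-use, optionally time-limited barcode proposed in the comment above, sketched as an added example (not code from the thread or from Starbucks). The per-account secret, the `account:counter:step:tag` payload layout, the 30-second window and all names are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 30  # seconds a displayed code stays valid (assumed value)


def _tag(secret: bytes, account: str, counter: int, step: int) -> str:
    # MAC binds account, transaction counter and time step together.
    msg = account.encode() + b"\x00" + struct.pack(">QQ", counter, step)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_code(secret: bytes, account: str, counter: int, now: float) -> str:
    """Phone side: payload to render as the barcode for one purchase."""
    step = int(now) // WINDOW
    return f"{account}:{counter}:{step}:{_tag(secret, account, counter, step)}"


class Verifier:
    """Till/back-end side: accepts each counter value at most once."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # account -> secret provisioned to the app
        self.last_counter = {}      # account -> highest counter redeemed

    def redeem(self, code: str, now: float) -> str:
        try:
            account, counter_s, step_s, tag = code.split(":")
            counter, step = int(counter_s), int(step_s)
            expected = _tag(self.secrets[account], account, counter, step)
        except (ValueError, KeyError, struct.error):
            return "malformed"      # includes a bare account-number barcode
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "bad tag"
        if abs(int(now) // WINDOW - step) > 1:
            return "expired"
        if counter <= self.last_counter.get(account, -1):
            return "replayed"       # a screenshot of a spent code lands here
        self.last_counter[account] = counter
        return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-secret"            # constructed sample values
    till = Verifier({"acct-1001": key})
    code = make_code(key, "acct-1001", 1, 1000.0)
    print(till.redeem(code, 1005.0), till.redeem(code, 1010.0))
```

A code photographed before its owner spends it still buys one drink inside the window, which is the residual loss the comment accepts.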
With a little editing-fu, a video of the previous customer's barcode could be used to create the static image.
You failed to actually read and comprehend the comment, because the author was not positing the idea of incorporating a timestamp or counter in the barcode, because the author realizes the phone DISPLAYS THE TIME AT THE TOP OF THE DISPLAY.
Please, read the comment effectively next time.
NFC-based payment systems obviously can't be copied in this way, but even on-screen bar codes can be made more secure with the addition of a simple transaction counter, or time stamp, *but it seems Starbucks eschewed either option for the sake of simplicity*.
I'm sure we can imagine how that came about ...
The only thing noteworthy is that a "replay attack" like this is just about the first example of what not to do in the very first book on designing this sort of protocol that I got my hands on. It's not like it isn't bleeding obvious.
It might be that they'll tally the number of transactions and charge-again if they see a re-used code. That's exposing the customer to abuse. Then again, maybe they'd rather run the risk of having handed out a few free <insert entirely too long name for an overly fancy coffee here> rather than deal with customers getting irate over no coffee while the machine ate their code. Same thing with implementing a too-tight time restriction on code usability.
Looked at from a technical PoV, it's indeed stupid. Looked at from a business PoV, it may be mere pragmatism. How much does a few unwillingly-on-the-house coffees cost them, anyway?
If you *really* want to see "a good example of how badly a payment system can be designed if one puts one's mind to it" then check out http://www.payoffshore.com/techdocs/send-a-paym-requ-to-payl.html#base64xordataencoding
This is a card processing company which admits to their merchants that one of the options they support "is not secure". How insecure is it? It leaks the private key which is used to "sign" the response to the merchant - so a customer who knows how to break Vigenère can get stuff at the merchant's expense.
... why on earth would you settle for a free coffee, when you could (if you're that type of wanker) just nick the phone?
Let's face it, if you're hanging around someone's unattended iPhone in the time it takes for this exploit - 20 seconds or so - if you get caught doing it and the owner doesn't know you, they'll think you're trying to half-inch the phone anyway!
The phone is worth a LOT of coffee and the data on it could potentially be worth more.
I think Starbucks made the right choice - keep it simple - why add a huge amount of extra dev time and inconvenience for a very slight chance someone will try and nick a few cups of coffee?
It seems fairly evident to me they will have considered this potential 'flaw' and decided the risk didn't merit the extra cost in dev time.
The only reason you'd leave your phone unattended is you're either stupid/drunk/tired or your mates/family/partner are at the table.
...breeze into Starbucks, skip past the till straight to the other end of the counter, swipe the first beverage proffered up by the "barista" and breeze on out. Seen it happen twice; it's a great trick as long as you're not too choosy. As an added bonus, you don't even have to own an iphone for it to work.
They should add an order function as well as making it a one-time payment code.
Then one person can go to Starbucks and pick up everyone's order on the way to work and not need to pay for anything or make sure they got it right. We do this on Fridays at work with a volunteer going out and paying, taking orders etc.
Or someone could wave their phone and order while paying.
Surely, if all the bar code is is the customer account number, you don't even need to faff about with a screen grab from the victim's phone - you just need the number that the barcode translates to. If you can find that number, you can generate your own barcode, paste it into an image of the app, and present that. You wouldn't need the source phone..
To grab somebody else's number you would only need to be able to see the victim's barcode for long enough to, say, take a photograph - if you are ready with a camera (or another phone!!) you may only need a second or two while stood behind them in the queue... pay for your coffee that time, go home, extract the barcode from the photo, read it yourself to get the account number, etc., etc..
Now if only I dared be seen visiting a Starbucks..
What's with all the snide remarks about Starbucks coffee, calling it "coffee" (note the inverts) and the footnote in the article?
As much as anyone might hate their business ethics, you can hardly accuse it of not being real coffee. They grind it in front of you from beans, into two or three shots of espresso.
It's your choice to then down that in 40 fl oz of milk.
I drink my coffee how I like my men, strong and without milk.
I personally love having this app on my phone and using it. To me this comes down to holding the consumer responsible for their own actions. Personally I would never leave my iPhone lying around - as stated by many, this just means your phone will be stolen, and I highly doubt the thief will be buying coffee with it. One point that is totally missed by this article and other posters here is that all of this can be easily avoided by activating the PIN lock code on the app itself. Again, making the consumer responsible for the security of their phone and their account. Personally I have my phone locked with a PIN at the log in screen, and now you can also have the app locked by activating this function. Not sure how much more secure you need to be..........
Throw the posh keys on the bar.
Throw the posh phone on the bar.
I don't throw either on the bar or for that matter my wallet with the credit cards and cash visible. People need to understand what their smartphones are. They are a link into their accounts, and soon they will be more than that. The least valuable part is the hardware.
With the impending release wave of NFC enabled phones this year, people should become more wary, but I am still amazed at how many people just don't care about electronic security.