Starbucks' iPhone barcode app easily scammed by screengrab

Someone has noticed that the Starbucks' iPhone application can be copied with a screen grab from a neglected handset, enabling the thief to gorge themselves on free coffee*. The payment system relies on reading a bar code from the iPhone's screen, identifying the customer and debiting their account. But the barcode doesn't …

COMMENTS

This topic is closed for new posts.
  1. thesykes

    Not as easy as it sounds...

    Your coffee-grabbing thief first has to get hold of the iPhone... I always thought iPhone users had them surgically attached to their hands in the Apple store...

  2. Andy Christ
    WTF?

    If you leave your iPhone unattended,

    isn't it more likely that the phone itself will be swiped, rather than just a few cups of swill?

    1. ian 22
      Coat

      My thinking also

      To hell with the latte, the phone's the high-value proposition here!

      Pick-pocket icon, o'course.

      1. Anonymous Coward
        Happy

        Missing the big picture!

        The phone comes with free lattes!

    2. Ammaross Danan
      FAIL

      Why grab the phone?

      Why grab the phone when you can simply take a picture of their screen showing the barcode? A bit of photoshopping/cropping later, you can have a decent picture of the screen to pull up in your picture viewer.

      Makes it even worse, since the picture can come from any source, likely a covert cam being palmed by someone near the checkout stand.

      1. Anonymous Coward
        FAIL

        Exactly what I was thinking...

        just stand at the checkout with cam in hand and snap the code as customer x presents it to the code reader. Job done.

        Even easier if you have a good SLR and lens; you can sit across the room enjoying your brown milk...

      2. Wize

        Don't some phones have bar code scanning apps?

        Write your own app to scan someone else's bar code and display it on your screen with all the Starbucks logo stuff round the sides.

  3. Some Beggar
    Alert

    Apple Panic Helpline.

    If I start using cashless iPayment for my hot milkshakes and an iReader for my Harry Potter books and an iBarcode for my cinema tickets then what am I going to keep in all the other pockets of my beige Gap cargo pants??

    Help me Jobi Wan, you're my only hope.

  4. Anonymous Coward
    Joke

    The irony is

    Think how much coffee he had to pay for and drink while he coded this!

  5. Martin 19
    Coat

    In other news...

    Library cards are inherently insecure. If someone steals the wallet of a library user, the thief will be able to borrow books in the victim's name. This is definitely the worst possible outcome of the theft of a wallet.

  6. Anonymous Coward

    Free coffee?

    Free coffee is about as attractive as the prospect of free vomit.* But it smells a lot worse. And isn't so pretentiously prepared.

    *Granted, not everybody will share this opinion.

    1. James Hughes 1

      I share it.

      Disgusting stuff.

      Why people drink coffee in preference to beer is beyond me.

    2. Code Monkey

      Coffee is lovely...

      ...as long as you're careful not to buy Starbucks' vile cups of over-roasted pish.

  7. Naughtyhorse

    Mactrd gets ripped off...

    surely they are used to that already

  8. NoneSuch
    Stop

    Security...

    ...like encryption does not stop access; it only delays access to information or secrets.

    No system, process, procedure or software will keep criminals out 100% effectively, 100% of the time if they want in.

    1. Goat Jam
      Pint

      Well, OK

      But you really have to consider the amount of effort a would-be crim is likely to expend in order to obtain a couple of bucks' worth of bad coffee though.

  9. Just Thinking

    Reasonable-ish security

    I can't see many people doing this scam. If a crook sees an iPhone laying around unattended, surely they will just nick the phone?

    Having stolen the bar code (with or without the phone) how many times can they risk using it? Only a few times, otherwise they might get caught out. Then what - wait until they get opportunistic access to another person's iPhone?

    The marginal cost to Starbucks is the cost price of the cup of coffee, not the sale price. That is assuming the customer notices, and can be bothered to seek a refund (if not, Starbucks have made a profit on the deal).

    Against this is the benefit of being first in the market to accept payment by iPhone, and the media coverage that gets.

    A bit lazy not implementing transaction counting, but all in all the level of security matches the risk.

  10. Anonymous Coward
    Pint

    Coffee?

    This assumes you'd want to get more Starbucks 'coffee'.

  11. colin79666

    Timestamp

    The article mentions timestamping. Eh, the screenshot will include the time at the top. So only useful for ordering coffee once a day (assuming an eagle-eyed barista).

    1. The Indomitable Gall

      Right....

      A) the barcode is viewed by MACHINE.

      B) ever heard of cut-and-paste?

    2. Decius

      Unreasonable security:

      The cost to Starbucks is negative.

      The cost to the customer is the price of the coffee.

      If Starbucks has a method to provide refunds, then the cost to them is the cost of administering the program plus the cost of fraudulent refunds processed.

      The solution would be to make each barcode single-use, and develop crypto to generate a large number of possible barcodes. If someone gets your phone and grabs a code, they can buy one drink with it, just like if they walked to the counter and bought it there. Optionally, the codes could be time-limited.

      Option two would be to make the barcode animated, or otherwise interactive. It would then require a slightly more sophisticated attack. Slightly.

      With a little editing-fu, a video of the previous customer's barcode could be used to create the static image.

    3. Annihilator
      Stop

      No timestamp

      Erm, it won't - the time doesn't appear at the top of many apps. Besides, having the time set wrong is hardly noteworthy - could be wrong by accident, or could be wrong deliberately (operating on a different timezone). Would barely get a "ooh, your clock is wrong".

    4. Ammaross Danan
      Headmaster

      Fail

      You failed to actually read and comprehend the article, because the author was positing the idea of incorporating a timestamp or counter in the barcode, because the app DOES NOT DO IT ALREADY.

      Please, read the article effectively next time.

      1. Anonymous Coward
        FAIL

        Re: Fail

        To paraphrase:

        You failed to actually read and comprehend the comment, because the author was not positing the idea of incorporating a timestamp or counter in the barcode, because the author realizes the phone DISPLAYS THE TIME AT THE TOP OF THE DISPLAY.

        Please, read the comment effectively next time.

  12. Anonymous Coward

    Insecure

    I've also found that thieves can use the grab method to buy coffee if I leave cash lying around in Starbucks.

  13. Anonymous Coward

    Yay!

    I said this at the time - in the NFC or Barcodes article and suggested that NFC was safer because you could do just this. I also got about ten downvotes for my trouble.

    1. Anonymous Coward
      Stop

      nobody likes it

      nobody likes it when someone says, "I told you so"... therefore the downvote!!

  14. Graham Bartlett

    Failed assumption

    It assumes that anyone wants to drink Starbucks coffee. Given a choice between Starbucks coffee or stale ditchwater, I'd rather share the ditch with the tadpoles.

  15. Anonymous Coward
    FAIL

    I'd love to hear that meeting ...

    NFC-based payment systems obviously can't be copied in this way, but even on-screen bar codes can be made more secure with the addition of simple transaction counter, or time stamp, *but it seems Starbucks eschewed either option for the sake of simplicity*.

    I'm sure we can imagine how that came about ...

  16. JaitcH
    Happy

    "NFC-based payment systems obviously can't be copied in this way"

    Just give someone enough time and incentive!

  17. En_croute
    Pint

    Starbucks don't care....

    .... they still get paid

  18. Matthew 3

    "...single-use codes that only work once..."?

    As opposed to some other kind of single-use codes?

  19. Anonymous Coward

    Same error equally possible with NFC

    The only thing noteworthy is that a "replay attack" like this is just about the first example of what not to do in the very first book on designing this sort of protocol that I got my hands on. It's not like it isn't bleeding obvious.

    It might be that they'll tally the number of transactions and charge-again if they see a re-used code. That's exposing the customer to abuse. Then again, maybe they'd rather run the risk of having handed out a few free <insert entirely too long name for an overly fancy coffee here> rather than deal with customers getting irate over no coffee while the machine ate their code. Same thing with implementing a too-tight time restriction on code usability.

    Looked at from a technical PoV, it's indeed stupid. Looked at from a business PoV, it may be mere pragmatism. How much do a few unwillingly-on-the-house coffees cost them, anyway?
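The single-use, time-limited codes Decius sketches in comment 11.2 and the transaction-counter replay check discussed in comment 19, as an added illustration that is not from the article or any commenter: the app encodes an account id, a per-account counter and an issue time under an HMAC, and the till rejects replayed, stale and edited codes. The secret key, account id and timestamps are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment would hold one per account server-side.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def make_code(account_id: str, counter: int, issued_at: int,
              secret: bytes = DEMO_SECRET) -> str:
    """Build the string the app would put in the barcode.

    Fields: account id, per-account transaction counter, issue time (epoch
    seconds) and an HMAC tag over all three, so a photo of the screen cannot
    be edited into a code with a fresh counter or a later timestamp.
    """
    payload = f"{account_id}:{counter}:{issued_at}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}:{tag}"


class TillServer:
    """Server-side check that a presented code is genuine, fresh and unused."""

    def __init__(self, secret: bytes = DEMO_SECRET, max_age: int = 120):
        self.secret = secret
        self.max_age = max_age                   # seconds a code stays valid
        self.last_counter: dict[str, int] = {}   # highest counter redeemed per account

    def redeem(self, code: str, now: int) -> str:
        try:
            account_id, counter_s, issued_s, tag = code.split(":")
            counter, issued_at = int(counter_s), int(issued_s)
        except ValueError:
            return "malformed"
        expected = make_code(account_id, counter, issued_at, self.secret).rsplit(":", 1)[1]
        # Constant-time compare; a forged or edited code fails before any state is touched.
        if not hmac.compare_digest(tag, expected):
            return "bad-signature"
        if now - issued_at > self.max_age:
            return "expired"
        # Replay check: a counter at or below the last one redeemed is a re-used code.
        # Trade-off (comment 19): a code generated but never presented before the next
        # one is also refused, which is the "too tight" failure mode the thread mentions.
        if counter <= self.last_counter.get(account_id, -1):
            return "replay"
        self.last_counter[account_id] = counter
        return "ok"


def demo() -> list[str]:
    """Run the scenarios from the thread and return the till's verdicts in order."""
    till = TillServer()
    t0 = 1_700_000_000                              # constructed clock value
    genuine = make_code("acct-1234", counter=1, issued_at=t0)
    return [
        till.redeem(genuine, now=t0 + 30),                               # customer pays
        till.redeem(genuine, now=t0 + 60),                               # screen grab replayed
        till.redeem(make_code("acct-1234", 2, t0), now=t0 + 600),        # old code, too late
        till.redeem(genuine.replace(":1:", ":3:"), now=t0 + 60),         # counter edited
        till.redeem(make_code("acct-1234", 3, t0 + 600), now=t0 + 610),  # fresh code
    ]
```

With a static account-number barcode, the second call would succeed exactly like the first; here it is refused as a replay without any barista needing to notice a wrong clock.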

  20. Vincent Ballard
    Alert

    Badly designed payment systems

    If you *really* want to see "a good example of how badly a payment system can be designed if one puts one's mind to it" then check out http://www.payoffshore.com/techdocs/send-a-paym-requ-to-payl.html#base64xordataencoding

    This is a card processing company which admits to their merchants that one of the options they support "is not secure". How insecure is it? It leaks the private key which is used to "sign" the response to the merchant - so a customer who knows how to break Vigenère can get stuff at the merchant's expense.

  21. Anonymous Coward
    Coat

    As others have said...

    ... why on earth would you settle for a free coffee, when you could (if you're that type of wanker) just nick the phone?

    Let's face it, if you're hanging around someone's unattended iPhone in the time it takes for this exploit - 20 seconds or so - if you get caught doing it and the owner doesn't know you, they'll think you're trying to half-inch the phone anyway!

    The phone is worth a LOT of coffee and the data on it could potentially be worth more.

    I think Starbucks made the right choice - keep it simple - why add a huge amount of extra dev time and inconvenience for a very slight chance someone will try and nick a few cups of coffee?

    It seems fairly evident to me they will have considered this potential 'flaw' and decided the risk didn't merit the extra cost in dev time.

    The only reason you'd leave your phone unattended is you're either stupid/drunk/tired or your mates/family/partner are at the table.

  22. Chris 244
    Thumb Up

    Or you could just...

    ...breeze into Starbucks, skip past the till straight to the other end of the counter, swipe the first beverage proffered up by the "barista" and breeze on out. Seen it happen twice; it's a great trick as long as you're not too choosy. As an added bonus, you don't even have to own an iPhone for it to work.

    1. wim

      ah the good ole Starbucks surprise drink

      see title

  23. Anonymous Coward
    FAIL

    no need for screen grab and emailing

    just take a photo of the bar code FFS. Less than 2s required.

    How anybody could build such a brain-dead system is beyond me. Imbeciles.

  24. Anonymous Coward
    Thumb Up

    Can anyone use this

    They should add an order function as well as making it a one time payment code.

    Then one person can go to Starbucks and pick up everyone's order on the way to work and not need to pay for anything or make sure they got it right. We do this on Fridays at work with a volunteer going out and paying, taking orders etc.

    Or someone could wave their phone and order while paying.

  25. Chris Young 1
    WTF?

    PIN!?

    Surely most people employ some form of PIN protection? ...if they don't and aren't even prepared to attempt to try and protect themselves, what do they expect?

  26. irrelevant

    static code?

    Surely, if all the bar code is is the customer account number, you don't even need to faff about with a screen grab from the victim's phone - you just need the number that the barcode translates to. If you can find that number, you can generate your own barcode, paste it into an image of the app, and present that. You wouldn't need the source phone.

    To grab somebody else's number you would only need to be able to see the victim's barcode for long enough to, say, take a photograph - if you are ready with a camera (or another phone!!) you may only need a second or two while stood behind them in the queue... pay for your coffee that time, go home, extract the barcode from the photo, read it yourself to get the account number, etc., etc.

    Now if only I dared be seen visiting a Starbucks..

  27. Jonnyp
    Troll

    Simpler option would be...

    ... putting a PIN on your iPhone (pretty dumb not to), or on the app.

    The owner of said iPhone should take a bit of responsibility here.

  28. Craig 33

    "Coffee" comments

    What's with all the snide remarks about Starbucks coffee, calling it "coffee" (note the inverts) and the footnote in the article?

    As much as anyone might hate their business ethics, you can hardly accuse it of not being real coffee. They grind it in front of you from beans, into two or three shots of espresso.

    It's your choice to then down that in 40 fl oz of milk.

    I drink my coffee how I like my men, strong and without milk.

  29. Paul Harrap
    Happy

    In similar news

    People who steal my phone can earn me clubcard points, too.

  30. tigg

    responsibility

    I personally love having this app on my phone and using it. To me this comes down to holding the consumer responsible for their own actions. Personally I would never leave my iPhone lying around - as stated by many, this just means your phone will be stolen, and I highly doubt the thief will be buying coffee with it. One point that is totally missed by this article and other posters here is that all of this can be easily avoided by activating the PIN lock code on the app itself. Again, making the consumer responsible for the security of their phone and their account. Personally I have my phone locked with a PIN at the log-in screen, and now you can also have the app locked by activating this function. Not sure how much more secure you need to be..........

  31. multipharious

    Attitude that will change...?

    Throw the posh keys on the bar.

    Throw the posh phone on the bar.

    I don't throw either on the bar or for that matter my wallet with the credit cards and cash visible. People need to understand what their smartphones are. They are a link into their accounts, and soon they will be more than that. The least valuable part is the hardware.

    With the impending release wave of NFC enabled phones this year, people should become more wary, but I am still amazed at how many people just don't care about electronic security.

  32. Andy Barker
    FAIL

    Assumes you like the same drink

    Googling the app, it seems it is a 2D barcode which also includes the drink you want. So this scam only works if you like the same kind of coffee as the person whose screen you grabbed.

  33. Anonymous Coward

    Oh no...

    ... The Tesco Clubcard app has an insecure static barcode too. Anyone could copy it and go round racking up points on my Clubcard account.

    Oh, wait..

  34. Tom 35

    How long until

    Someone grabs an image from a "friend's" phone at work and posts it online for a joke. Call it a free coffee coupon or some such...

  35. Eddy Ito

    Shocking

    Charbucks finally has something worth taking. Oh, you say it's only of value in their shop? Huh, security through antipathy, that's a new one to me but it just might work.

    1. Lamont Cranston
      Thumb Down

      Really?

      On the rare occasion that I'm in the branch near work, I get confused looks from the staff when I ask for an extra shot of espresso (I like my latte to taste of coffee, not hot milk); even then, it's still piss weak. Kevin Day described their coffee as "homeopathic," and I'm inclined to agree with him.

      Don't even think about getting an iced coffee from them, either, as that really is brown milk (but mixed with ice!) - they don't even brew a shot to put in, just pull a bottle of pre-flavoured milk from the fridge. Yuk.

    2. Anonymous Coward

      re: "Coffee" comments

      At least if you add milk you have a beverage that tastes of milk.

      Their espresso is bland, lacking depth and frequently leaves a bad aftertaste in the mouth. I really hope that's not what you look for in your men.

    3. Anonymous Coward

      damn straight

      none of that artisan crap for me, I'll just have about 6 heaped tablespoons worth of the instant shit in a dirty mug full of hot water please.

    4. Just Thinking

      Disagree

      I have to say I totally disagree with this.

      Starbucks have deliberately designed a system with minimal security, but quick and easy to use, for small transactions. They presumably did this to get customers through quicker at busy times, maybe lose a member of staff, reduce costs of taking card payments or handling lots of small change, and to offer a perceived better service, i.e. to make more money.

      Against that they calculated the fraud losses would be tiny. Their decision, their risk. If someone complains of misuse, unless there is a specific reason to not believe them, they should refund no questions. That's the deal, as far as I am concerned.

  36. D@v3

    Which Starbucks app??

    Just had a look in the App Store, and the only UK Starbucks app I could find has neither the ability to pay for coffee with the app, nor to use it as a reward card (like the SubCard app does).

    Just curious....

  37. Paul 172
    Thumb Up

    There are some problems with your post.

    "* Sometimes Starbucks puts tiny amounts of this in its brown-tinged milk."

    Brilliant :)

    1. Bill Ray (Written by Reg staff)

      Re: Which Starbucks app??

      It's an American thing I'm afraid, just being rolled out across the USA but still not available on this side of the pond:

      http://www.theregister.co.uk/2011/01/21/mcdonalds_starbucks/

      'course, we'll all be using network-branded NFC phones before it spreads over here.

      Bill.

  38. Schultz
    Thumb Up

    brown milk

    ... with lots of caffeine: http://www.blackcatlogistics.com/library/guides/caffeine.jpg

  39. rv
    FAIL

    I remember thinking something similar when they invented money

    what if someone took my wallet, might they buy themselves a coffee before returning it?

  40. Winkypop
    Thumb Down

    But first....

    ....you'd actually want to actually steal and drink Starbucks putrid muck.

  41. Mark .

    Taking the phone

    For all the comments about how they might as well steal the phone - that's also a far more significant crime, for which the person will be calling the police straight away, and you've got the evidence on you if you get caught. If there's any CCTV there too, you may be found.

    But it's going to take a lot longer before they notice a mistake on their account, if they notice it at all - plus they'll first of all likely blame Starbucks thinking they did it by mistake, and will have no way of knowing that someone else did this.

  42. Anonymous Coward

    I'm willing to bet..

    that the barcodes are sequentially generated too, so assuming you can identify the numeric/alphanumeric code that makes the barcode of one of these, you could just add 1 to it, generate a new barcode, repeat ad nauseam as each one of them stops working when someone identifies a problem..

    And while Starbucks coffee is pretty dire, I've had a lot worse. And if you make sure only to order the drip coffee, and then at the end of the day, then you get a proper cup of stand-a-teaspoon-up dirt. Tastes like hot shit, but damn does it get you flying... and feeling rather sick..

  43. Robert Carnegie

    If you're bored,

    Watch for "Free Coffee" apps appearing in the Apple Store, and probably quickly disappearing.

    Or, try it on a plastic toy phone - print in colour then apply using double-sided Scotch tape.

    I suggest: have the customer's portrait/passport photo stored in Starbucks' computer and displayed when they order. If the face that's flashing the (?) QR code is not the face on the screen, then get inquisitive.

  44. Anonymous Coward
    FAIL

    iPhone for the sake of iPhone

    why can't they have a website; "sign up here to get a barcode that you can print out and buy coffee with".

    Most people have access to a printer, most people do not have access to an iPhone.

    It seems to me that every time I read about some new iPhone app it's just a crappy implementation of something you could already do (10 years ago) without an iPhone.

  45. Anteaus
    Thumb Down

    Bit like ID cards really...

    This underlines one of the key issues with the now thankfully defunct ID card scheme, and with RFID passports. If another person can easily copy and re-use your credentials, then the ID system facilitates crime instead of preventing it.
