We reported last month that Starbucks had just instituted a nationwide mobile payment plan. Customers merely scanned their gift card barcodes into an app to activate phone-based payment. And now, this innovative system has been undone by a brutally obvious flaw.
One unnamed user reports that he has found a way to steal another user’s account information. All he has to do is pick up the user’s phone, take a screenshot of the app while it is open, and email it to himself. The thief can then present the picture and have it scanned by the barista to make a purchase.
The whole process takes less than 90 seconds. The user who found the flaw notes that the My Rewards button, which offers up no private data, requires a username and password to view. But getting to the crucial barcode screen requires no input of security information whatsoever.
So yeah, as a reminder, keep your phones close and don’t trust anyone at Starbucks.
[Via Mobile Commerce Daily]