Not as easy as it sounds...
Your coffee-grabbing thief first has to get hold of the iPhone... I always thought iPhone users had them surgically attached to their hands in the Apple store...
Someone has noticed that the Starbucks' iPhone application can be copied with a screen grab from a neglected handset, enabling the thief to gorge themselves on free coffee*. The payment system relies on reading a bar code from the iPhone's screen, identifying the customer and debiting their account. But the barcode doesn't …
Why grab the phone when you can simply take a picture of their screen showing the barcode? A bit of photoshopping/cropping later, you can have a decent picture of the screen to pull up in your picture viewer.
Makes it even worse, since the picture can come from any source, likely a covert cam being palmed by someone near the checkout stand.
I can't see many people doing this scam. If a crook sees an iPhone lying around unattended, surely they will just nick the phone?
Having stolen the bar code (with or without the phone) how many times can they risk using it? Only a few times, otherwise they might get caught out. Then what - wait until they get opportunistic access to another person's iPhone?
The marginal cost to Starbucks is the cost price of the cup of coffee, not the sale price. That is assuming the customer notices, and can be bothered to seek a refund (if not, Starbucks have made a profit on the deal).
Against this is the benefit of being first in the market to accept payment by iPhone, and the media coverage that gets.
A bit lazy not implementing transaction counting, but all in all the level of security matches the risk.
The cost to Starbucks is negative.
The cost to the customer is the price of the coffee.
If Starbucks has a method to provide refunds, then the cost to them is the cost of administering the program plus the cost of fraudulent refunds processed.
The solution would be to make each barcode single-use, and develop crypto to generate a large number of possible barcodes. If someone gets your phone and grabs a code, they can buy one drink with it, just like if they walked to the counter and bought it there. Optionally, the codes could be time-limited.
Option two would be to make the barcode animated, or otherwise interactive. It would then require a slightly more sophisticated attack. Slightly.
With a little editing-fu, a video of the previous customer's barcode could be used to create the static image.
To paraphrase:
You failed to actually read and comprehend the comment, because the author was not positing the idea of incorporating a timestamp or counter in the barcode, because the author realizes the phone DISPLAYS THE TIME AT THE TOP OF THE DISPLAY.
Please, read the comment effectively next time.
NFC-based payment systems obviously can't be copied in this way, but even on-screen bar codes can be made more secure with the addition of simple transaction counter, or time stamp, *but it seems Starbucks eschewed either option for the sake of simplicity*.
I'm sure we can imagine how that came about ...
The only thing noteworthy is that a "replay attack" like this is just about the first example of what not to do in the very first book on designing this sort of protocol that I got my hands on. It's not like it isn't bleeding obvious.
It might be that they'll tally the number of transactions and charge-again if they see a re-used code. That's exposing the customer to abuse. Then again, maybe they'd rather run the risk of having handed out a few free <insert entirely too long name for an overly fancy coffee here> rather than deal with customers getting irate over no coffee while the machine ate their code. Same thing with implementing a too-tight time restriction on code usability.
Looked at from a technical PoV, it's indeed stupid. Looked at from a business PoV, it may be mere pragmatism. How much does a few unwillingly-on-the-house coffees cost them, anyway?
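The single-use, time-limited code proposed above, together with the transaction counter or timestamp that the later comments say Starbucks left out, can be sketched in a few dozen lines. This is an added illustration, not code from the thread or from Starbucks: the token layout, the 60-second window, the per-account key and the account number 4242 are all assumptions. The server keeps the highest counter it has accepted per account, so a screenshot of one code buys at most what that one code was already going to buy.

```python
"""Added example: one-time, time-limited payment token with replay rejection.
Not the Starbucks app's scheme; layout, window and keys are assumptions."""
import base64
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60          # assumed validity window for one code


def make_token(account_id: int, counter: int, now: int, key: bytes) -> str:
    """Client side: bind account, per-device counter and time bucket under an HMAC.

    The barcode carries account_id, counter, bucket and a truncated MAC, so a
    copy of one code reveals nothing that lets an attacker mint the next one.
    """
    bucket = now // WINDOW_SECONDS
    payload = struct.pack(">QQQ", account_id, counter, bucket)
    mac = hmac.new(key, payload, hashlib.sha256).digest()[:8]
    return base64.b32encode(payload + mac).decode().rstrip("=")


class Register:
    """Server side: checks the MAC, enforces the window and remembers the
    highest counter accepted per account so a replayed code is refused."""

    def __init__(self, keys: dict):
        self.keys = keys                 # account_id -> per-account key (assumed)
        self.last_counter = {}           # account_id -> last accepted counter

    def redeem(self, token: str, now: int) -> tuple:
        raw = base64.b32decode(token + "=" * (-len(token) % 8))
        if len(raw) != 32:
            return (False, "malformed")
        payload, mac = raw[:24], raw[24:]
        account_id, counter, bucket = struct.unpack(">QQQ", payload)
        key = self.keys.get(account_id)
        if key is None:
            return (False, "unknown account")
        expected = hmac.new(key, payload, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            return (False, "bad mac")
        # accept the current bucket and the previous one to absorb clock skew
        current = now // WINDOW_SECONDS
        if not (current - 1 <= bucket <= current):
            return (False, "expired")
        if counter <= self.last_counter.get(account_id, -1):
            return (False, "replay")
        self.last_counter[account_id] = counter
        return (True, "ok")


def demo() -> list:
    """Walk through a genuine purchase, a replay, an expired code, a fresh
    code and a forgery; returns the verdict strings in that order."""
    key = b"per-account-secret-provisioned-at-enrolment"   # assumption
    till = Register({4242: key})
    now = 1_700_000_000
    t1 = make_token(4242, 1, now, key)
    results = [till.redeem(t1, now)[1]]                 # ok
    results.append(till.redeem(t1, now + 5)[1])         # replay of the same code
    t2 = make_token(4242, 2, now, key)
    later = now + 3 * WINDOW_SECONDS
    results.append(till.redeem(t2, later)[1])           # expired: outside the window
    t3 = make_token(4242, 3, later, key)
    results.append(till.redeem(t3, later)[1])           # ok: new counter, in window
    # forgery: a thief who knows the format but not the key tries counter 4
    bogus = struct.pack(">QQQ", 4242, 4, later // WINDOW_SECONDS) + b"\0" * 8
    forged = base64.b32encode(bogus).decode().rstrip("=")
    results.append(till.redeem(forged, later)[1])       # bad mac
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the MAC is verified before the time window or counter is consulted, so an attacker cannot use the "expired" versus "replay" verdicts to learn anything about the counter state of an account they do not hold a key for.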
If you *really* want to see "a good example of how badly a payment system can be designed if one puts one's mind to it" then check out http://www.payoffshore.com/techdocs/send-a-paym-requ-to-payl.html#base64xordataencoding
This is a card processing company which admits to their merchants that one of the options they support "is not secure". How insecure is it? It leaks the private key which is used to "sign" the response to the merchant - so a customer who knows how to break Vigenère can get stuff at the merchant's expense.
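Why "base64 of the response XORed with a fixed key" leaks that key is easy to show. The following is an added toy, not the processor's code and not its real message format: the field names, the key and the key-length guessing are all assumptions. The point it demonstrates is the one made above: a customer who sees the "signed" response to their own transaction knows most of its plaintext, XOR is its own inverse, so ciphertext XOR plaintext hands them the key stream, and with the key they can mint an APPROVED response the merchant will accept.

```python
"""Added example: breaking a repeating-key XOR ("Vigenère") response signature
with known plaintext.  Hypothetical format; not the gateway's real scheme."""
import base64
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, i.e. a Vigenère cipher over bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def weak_sign(response: str, key: bytes) -> str:
    """Hypothetical 'signed' gateway response: plaintext XORed with the
    merchant's key, then base64.  There is no integrity check at all."""
    return base64.b64encode(xor_with_key(response.encode(), key)).decode()


def weak_verify(token: str, key: bytes) -> str:
    """What the merchant does: decode and trust whatever comes out."""
    return xor_with_key(base64.b64decode(token), key).decode()


def recover_key(token: str, known_prefix: bytes, max_len: int = 64) -> bytes:
    """Known-plaintext attack.  The customer knows how their own response
    begins (status, order id), so ciphertext XOR known text gives the key
    stream.  The key length is unknown, so each candidate length is tried
    and kept only if it also turns the unseen tail into printable text."""
    ct = base64.b64decode(token)
    stream = xor_with_key(ct[:len(known_prefix)], known_prefix)
    for n in range(1, min(max_len, len(stream)) + 1):
        cand = stream[:n]
        # the candidate must reproduce the whole known stretch of key stream...
        if xor_with_key(known_prefix, cand) != ct[:len(known_prefix)]:
            continue
        # ...and decrypt the rest of the message to something readable
        if all(32 <= b < 127 for b in xor_with_key(ct, cand)):
            return cand
    raise ValueError("no consistent key length found")


def demo() -> dict:
    """A declined customer recovers the merchant key from their own response
    and forges an approval; returns what the merchant would then see."""
    merchant_key = b"s3cr3t-merchant"                       # assumption
    genuine = weak_sign("status=DECLINED&order=1001&amount=49.99", merchant_key)
    # the customer knows their own order number and that they were declined
    key = recover_key(genuine, b"status=DECLINED&order=1001")
    forged = weak_sign("status=APPROVED&order=1001&amount=49.99", key)
    return {
        "key_recovered": key == merchant_key,
        "merchant_sees": weak_verify(forged, merchant_key),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not a longer key: any scheme where the "signature" is an invertible transform of the message under a key that both sides know is a confidentiality mechanism at best, not an integrity one. A MAC (or a real signature) over the response, keyed with something the customer never sees, is what prevents the forgery.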
... why on earth would you settle for a free coffee, when you could (if you're that type of wanker) just nick the phone?
Let's face it, if you're hanging around someone's unattended iPhone in the time it takes for this exploit - 20 seconds or so - if you get caught doing it and the owner doesn't know you, they'll think you're trying to half-inch the phone anyway!
The phone is worth a LOT of coffee and the data on it could potentially be worth more.
I think Starbucks made the right choice - keep it simple - why add a huge amount of extra dev time and inconvenience for a very slight chance someone will try and nick a few cups of coffee?
It seems fairly evident to me they will have considered this potential 'flaw' and decided the risk didn't merit the extra cost in dev time.
The only reason you'd leave your phone unattended is you're either stupid/drunk/tired or your mates/family/partner are at the table.
...breeze into Starbucks, skip past the till straight to the other end of the counter, swipe the first beverage proffered up by the "barista" and breeze on out. Seen it happen twice; it's a great trick as long as you're not too choosy. As an added bonus, you don't even have to own an iphone for it to work.
They should add an order function as well as making it a one-time payment code. Then one person can go to Starbucks and pick up everyone's order on the way to work and not need to pay for anything or make sure they got it right. We do this on Fridays at work with a volunteer going out and paying, taking orders etc.
Or someone could wave their phone and order while paying.
Surely, if all the bar code is is the customer account number, you don't even need to faff about with a screen grab from the victim's phone - you just need the number that the barcode translates to. If you can find that number, you can generate your own barcode, paste it into an image of the app, and present that. You wouldn't need the source phone..
To grab somebody else's number you would only need to be able to see the victim's barcode for long enough to, say, take a photograph - if you are ready with a camera (or another phone!!) you may only need a second or two while stood behind them in the queue... pay for your coffee that time, go home, extract the barcode from the photo, read it yourself to get the account number, etc., etc..
Now if only I dared be seen visiting a Starbucks..
What's with all the snide remarks about Starbucks coffee, calling it "coffee" (note the inverts) and the footnote in the article?
As much as anyone might hate their business ethics, you can hardly accuse it of not being real coffee. They grind it in front of you from beans, into two or three shots of espresso.
It's your choice to then down that in 40 fl oz of milk.
I drink my coffee how I like my men, strong and without milk.
On the rare occasion that I'm in the branch near work, I get confused looks from the staff when I ask for an extra shot of espresso (I like my latte to taste of coffee, not hot milk); even then, it's still piss weak. Kevin Day described their coffee as "homeopathic," and I'm inclined to agree with him.
Don't even think about getting an iced coffee from them, either, as that really is brown milk (but mixed with ice!) - they don't even brew a shot to put in, just pull a bottle of pre-flavoured milk from the fridge. Yuk.
I personally love having this app on my phone and using it. To me this comes down to holding the consumer responsible for their own actions. Personally I would never leave my iPhone lying around - as stated by many, this just means your phone will be stolen, and I highly doubt the thief will be buying coffee with it. One point that is totally missed by this article and other posters here is that all of this can be easily avoided by activating the PIN lock code on the app itself. Again, making the consumer responsible for the security of their phone and their account. Personally I have my phone locked with a PIN at the login screen, and now you can also have the app locked by activating this function. Not sure how much more secure you need to be...
I have to say I totally disagree with this.
Starbucks have deliberately designed a system with minimal security, but quick and easy to use, for small transactions. They presumably did this to get customers through quicker at busy times, maybe lose a member of staff, reduce costs of taking card payments or handling lots of small change, and to offer a perceived better service, i.e. to make more money.
Against that they calculated the fraud losses would be tiny. Their decision, their risk. If someone complains of misuse, unless there is a specific reason to not believe them, they should refund no questions. That's the deal, as far as I am concerned.
Throw the posh keys on the bar.
Throw the posh phone on the bar.
I don't throw either on the bar or for that matter my wallet with the credit cards and cash visible. People need to understand what their smartphones are. They are a link into their accounts, and soon they will be more than that. The least valuable part is the hardware.
With the impending release wave of NFC enabled phones this year, people should become more wary, but I am still amazed at how many people just don't care about electronic security.
It's an American thing I'm afraid, just being rolled out across the USA but still not available on this side of the pond:
http://www.theregister.co.uk/2011/01/21/mcdonalds_starbucks/
'course, we'll all be using network-branded NFC phones before it spreads over here.
Bill.
For all the comments about how they might as well steal the phone - that's also a far more significant crime, for which the person will be calling the police straight away, and you've got the evidence on you if you get caught. If there's any CCTV there too, you may be found.
But it's going to take a lot longer before they notice a mistake on their account, if they notice it at all - plus they'll first of all likely blame Starbucks thinking they did it by mistake, and will have no way of knowing that someone else did this.
that the barcodes are sequentially generated too, so assuming you can identify the numeric/alphanumeric code that makes the barcode of one of these, you could just add 1 to it, generate a new barcode, repeat ad nauseam as each one of them stops working when someone identifies a problem..
And while Starbucks coffee is pretty dire, I've had a lot worse. And if you make sure only to order the drip coffee, and then at the end of the day, then you get a proper cup of stand-a-teaspoon-up dirt. Tastes like hot shit, but damn does it get you flying... and feeling rather sick..
Watch for "Free Coffee" apps appearing in the Apple Store, and probably quickly disappearing.
Or, try it on a plastic toy phone - print in colour then apply using double-sided Scotch tape.
I suggest: have the customer's portrait/passport photo stored in Starbucks' computer and displayed when they order. If the face that's flashing the (?) QR code is not the face on the screen, then get inquisitive.
Why can't they have a website: "sign up here to get a barcode that you can print out and buy coffee with"?
Most people have access to a printer, most people do not have access to an iPhone.
It seems to me that every time I read about some new iPhone app it's just a crappy implementation of something you could already do (10 years ago) without an iPhone.