By Bob Sullivan
Sat | Dec 1, 2018 | 7:48 AM PST

Coffee giant Dunkin' Donuts announced a security incident involving its mobile app yesterday, but I am afraid the firm isn’t telling quite the whole story. I’m hard at work trying to figure that out right now. The incident reminds me of what happened to Starbucks consumers, when criminals armed with login information managed to use the app to attack customers’ bank accounts.

In its announcement, Dunkin' said consumers’ emails, names and loyalty account numbers might have been viewed by criminals armed with login credentials stolen from *other* places. Not a big deal. Were the Dunkin' Donuts app merely a loyalty card tool, there wouldn’t be much to attack.

But, like the Starbucks app, and many others now, the Dunkin' app can also be used to pay at retail outlets—it’s a “stored value” app: a mobile phone gift card, and more. That means compromised credentials open the door to various fraud schemes. A criminal who logged into a Dunkin' account could use the stored value to buy coffee, for example, or, more importantly, sell the value on a criminal exchange. Theft of $10 or $20 worth of coffee isn’t much to worry about. The real issue arises because users can load their credit, debit or Google Pay account information into the app, and some choose to auto-reload value. That creates a big opportunity for criminals. In the Starbucks incident, hackers managed to steal hundreds of dollars from consumers, one $100 auto-reload after another.
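The auto-reload pattern described above is something an operator can watch for on its own ledger. The following is an added example, not code from Dunkin', Starbucks or any vendor: a rolling-window velocity check over a constructed stored-value transaction log, with account ids, amounts and thresholds all assumed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ledger for a stored-value app (not real customer data).
# Each row: (ISO timestamp, account id, event kind, amount in USD)
LEDGER = [
    ("2018-11-20T08:05:00", "acct-1001", "auto_reload", 10.00),
    ("2018-11-20T08:06:00", "acct-1001", "purchase", 4.25),
    ("2018-11-27T07:50:00", "acct-1001", "auto_reload", 10.00),
    ("2018-11-21T22:10:00", "acct-2002", "login", 0.00),
    ("2018-11-21T22:12:00", "acct-2002", "auto_reload", 95.00),
    ("2018-11-21T22:15:00", "acct-2002", "purchase", 95.00),
    ("2018-11-22T09:30:00", "acct-2002", "auto_reload", 99.00),
    ("2018-11-22T09:31:00", "acct-2002", "purchase", 99.00),
    ("2018-11-22T11:00:00", "acct-2002", "auto_reload", 99.00),
]


def flag_reload_velocity(ledger, window=timedelta(hours=24), max_count=2, max_total=150.0):
    """Return {account: [reasons]} for accounts whose auto-reloads inside any
    rolling window exceed the count or dollar threshold. The thresholds are
    assumed policy values for this example, not anything a vendor publishes."""
    reloads = {}
    for ts, acct, kind, amount in ledger:
        if kind == "auto_reload":
            reloads.setdefault(acct, []).append((datetime.fromisoformat(ts), amount))
    flagged = {}
    for acct, rows in reloads.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until every row in
            # rows[start:end+1] falls within `window` of rows[end].
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            total = sum(a for _, a in rows[start:end + 1])
            reasons = []
            if count > max_count:
                reasons.append(f"{count} auto-reloads within {window}")
            if total > max_total:
                reasons.append(f"${total:.2f} reloaded within {window}")
            if reasons:
                flagged[acct] = reasons
                break  # one hit per account is enough to open a case
    return flagged


if __name__ == "__main__":
    for acct, reasons in flag_reload_velocity(LEDGER).items():
        print(acct, "->", "; ".join(reasons))
```

A hit like this is a signal to pause auto-reload on the account and ask the customer to confirm, not proof of fraud on its own.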

Dunkin’s announcement makes no mention of fraud.

“We also have taken steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards,” it said. The firm also says “our security vendor was successful in stopping most of these attempts,” but says criminals were successful in some cases. How many? There’s no information.

When the Starbucks incident occurred, Twitter was flooded with complaints from consumers, and Starbucks’ customer service center was bombarded with complaints. I don’t see that level of complaints about Dunkin' fraud, but there are some. Like this one three days ago:

“@dunkindonuts I discovered fraud on my app today. I called. I sent an email. You’re closed for the holiday. How is this helpful? I have to contact you 3 times for fraud. #nothelpful. Happy Thanksgiving. Loyalty gets me ???”

It’s not uncommon for fraud rings like this to spring to action during holiday weekends, when fraud staff gets thin and consumers are less likely to notice.

About a year ago, there was a larger flurry of fraud complaints lodged against Dunkin' Donuts.

“Three cards have been purchased and set to auto reload for $99 before being flagged by my banking establishment,” wrote one victim on Reddit, generating plenty of “me too” responses. Here’s one: “Same thing with me I had a charge last night for $95 then a charge for $99 today I just went on the website change my password and took my bank card information off the website.”

Dunkin' Donuts hasn’t responded to my questions about the incident yet; nor have any of the alleged victim consumers. I’ll update this story if and when that happens. Meanwhile, it’s important to know that someone with access to your stored value mobile phone app accounts—like Dunkin' DD Rewards, or your Starbucks app—has a route to hack your bank accounts. So use bank-account-worthy passwords on them. Try to avoid re-using passwords, so hacks at other sites won’t let someone break into your stored value app accounts. And, as much as feasible, avoid loading your banking details onto apps like this. It’s convenient, but it can lead to unexpected risks. You can’t expect a coffee company to have security that’s as strong as a financial company.

This article appeared originally here on BobSullivan.net.
