Data breaches reveal payments security still needs work

This week, news broke of a hack on the Starbucks payment app, and Sally Beauty Holdings issued a press release confirming a second data breach in one year. Two breaches; two technologies separated by several decades; same concern: security.

Cyber criminals broke into Starbucks customers’ payment apps. The app lets customers pay at checkout with their phones. Users can also load money onto their gift card from their PayPal account, bank account or credit card.

And that was the path the criminals used. They broke into the app, added a new gift card and transferred money to it. Victims said Starbucks didn’t confirm or check the transactions with them.

Starbucks actually released a statement denying the hack was their fault.

“Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions.”

Instead, the company said weak passwords were to blame:

“This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.” 

Sally Beauty is the old story of credit card fraud that has plagued the US for decades. However, it will probably only continue to plague the US until autumn, when the liability shift kicks in. Sally Beauty issued a press release today, which said:

“We believe it is in the best interests of our customers to alert them that we now have sufficient evidence to confirm that an illegal intrusion into our payment card systems has indeed occurred,” said Chris Brickman, president and CEO of Sally Beauty Holdings.

This is the second data breach in over a year for the company. The US-based retailer, which has just under 5,000 stores around the world, revealed in March 2014 that it had suffered a data breach. It was reported that the criminals were the same ones who also targeted another major US retailer – Target.

What does all of this tell us? First, that the customer is always right. A survey conducted by Chase, part of JP Morgan Chase bank, revealed that 80 per cent of US consumers are concerned about security on credit and debit cards. This week will do little to assuage their fears.

Second, that security on payment platforms needs work. It is foolish to assume that simply because the payments industry is going through a technological revolution, criminality will not be able to keep up – quite the opposite. That is their livelihood; if the payments industry is upgrading, you can bet your bottom dollar cyber criminals are already ahead of the industry – or at the very least striving to be.

Finally, where does it leave the consumers? Well, if we follow Starbucks’s advice: just drop a few extra exclamation marks and capitalised letters into your password.

Somehow we doubt this will placate consumers. If anything, it will annoy them greatly.

However, there is light at the end of the tunnel. Fujitsu has just released a phone that allows users to make payments by scanning their irises. There are even rumours swirling about a PayPal password pill – that’s right, a pill – we know, it may be a little bit hard to swallow.




