Your User Data Is More Valuable Than Ever. Why Not Protect It?
With all the recent headlines about identity theft, it's more important than ever to ensure your users' data is secure. You may not be Target or Starbucks, but that doesn't mean you're not a target.
With all the recent headlines about identity theft, it’s more important than ever to ensure your users’ data is secure. You may not be Target or Starbucks, but that doesn’t mean you’re not a target.
It was an email I was not looking forward to getting, though I’m sure I was far from the only one.
Late last week, I got a message from Target saying that I was likely one of the lucky 70 million people who had their information stolen as part of a disastrous hacking incident that affected as much as 22 percent of the U.S. population, based on my back-of-the-napkin math. I’ve covered this whole saga a couple times for AN already, including last week, but I still think the response reflects how porous our share-alike culture is, and how information we think nothing of handing out can easily end up in the wrong hands.
All this is despite the fact that I had not walked into a Target store during the holiday season. I checked: not a single purchase from a mega-chain. Maybe a few from Amazon and a couple from Apple, but nothing from Target.
But the situation with Target, as dangerous and frustrating as it is, isn’t the reason I’m writing this article. My issue is with Starbucks.
See, Starbucks does a lot of amazing things right—and it’s doing things that associations are actively trying to ape. The way it handles payments and the way it rewards active customers are way beyond what anyone else is doing in the retail space. Whatever your opinion on its coffee or its decor (at least in D.C., it’s improving), its taste in software is impeccable.
But Starbucks screwed up something really basic on its app, and it needs to be called out for it.
Lax Latte Security
Last week, security researcher Daniel Wood discovered something pretty problematic with the Starbucks mobile app: It stored user information in plain text. That means it lacked encryption, allowing potential hackers to easily gain access to passwords and other basic information about users—including where the user is as he or she loads up the app, as the program uses geolocation.
“If you grab someone’s phone, you can effectively go through this log and see effectively where this person has been,” Wood told Computerworld. “It’s a bad thing for user privacy.”
Now, granted, there are a bunch of factors at play here. For one thing, Starbucks’ goal with its app is to make the process of buying something as streamlined as possible and to tell you things you wouldn’t necessarily know if you simply used a card. It’s clearly focusing on the user experience—which means it doesn’t want users to have to log in every single time they want to buy a Valencia Orange Refresher. But there are plenty of ways to secure this data without requiring your phone to be locked up like Fort Knox. One of those ways? Encrypting user data.
For a company of Starbucks’ scale to screw up something so basic is just maddening—especially since it was such an easy thing to fix, as proven by the fact that it already fixed it. (Though, as Computerworld‘s Evan Schuman notes, the problem was known for at least nine months.)
While it’s not clear that anyone actually got nailed by the security issue, there’s something a little more fundamental at play here, as AVG security evangelist Tony Anscombe spoke to in a recent blog post.
“The larger issue is more about the principle at stake rather than the number of victims,” he says. “Companies should be designing apps and online services with their customer’s best interests at heart. I believe that consumer choice when it comes to data privacy and security should be a major factor in all app design and development.”
This is incredibly key, and a point that shouldn’t be ignored. Starbucks is the way we’re going as an industry: We’re increasingly going to rely on mobile payments, check-ins, and geolocation in carrying out activities and transactions. I’m sure app developers focused on the association field are asking how they can do more things like the Starbucks app. As they should: It’s an amazing app and the textbook example of how technology can improve the consumer experience. But we have to take care to not let convenience come at the cost of user trust, because they’re trusting us with a lot.
Stuff like the Target hack can happen, and there’s only so much you can do to prevent it—especially if, as has been reported in recent days, sophisticated Russian hackers were behind the data breach.
Stuff like the Starbucks situation? It’s low-hanging fruit. We shouldn’t let it hang so long.
Starbucks is great at mobile payments, but when does convenience trump security? (Apple press photo)