Starbucks customer Chris Ewing told CTV Canada that the 16-digit pin number found on the back of unactivated gift cards at the register can be entered into the Starbucks app to generate a barcode. That barcode can later be scanned by baristas in place of the physical card when buying items at Starbucks.
The flaw is the card doesn't need to be activated right away in order for a barcode, known as a Quick Reference code, to be generated by the application, meaning once the card is activated, a thief could use the already-generated QR code on his or her phone to make purchases.
Starbucks gift cards contain PIN numbers that are hidden on the back, but the PIN number doesn't need to be used at the register when paying for beverages through the mobile QR code.
CTV reports it was able to replicate the issue when the station purchased a gift card for its story.
Possible fixes include placing the gift cards behind the counter where customers can't readily access them until purchased, or only allowing the Starbucks app to generate barcodes for cards that have been activated by a cashier.