You may have seen yesterday’s article in Mobile Commerce Daily: “How To Compromise the Starbucks Rewards Card App in 90 Seconds.” It shows how easy it is to steal an image of another person’s barcode without their knowledge and use it to pay for merchandise.
This is a basic flaw in the application: it never authenticates the person presenting the barcode, so anyone holding a copy of the image can spend from the card. Let this be a reminder that when implementing mobile applications, security cannot be an afterthought. These are the kinds of technology loopholes that put brands and consumers at risk.
We’ve advocated the need for a central clearinghouse to provide security and privacy for 2D barcodes. Our mobile barcode clearinghouse offers several ways to defeat this kind of security hole.
First, it could check the location of the phone registered to the particular card, and if the location where the transaction is being requested is inconsistent with the location of the phone, deny the transaction.
It could also send an alert to the customer at their registered phone number, informing them of each purchase. While this will not stop fraud, it will expose it rapidly.
Our identity registry function for 2D barcodes allows retailers to link the user’s ID/phone with the card at registration. Then the ID can be validated at any purchase scan to determine if the handset is the same one originally associated with the ID.
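The three checks described above (location consistency, a per-purchase alert, and validating that the scanning handset is the one registered to the card) can be sketched in code. The block below is an added example written for this page; it is not Neustar's clearinghouse code nor anything from the Starbucks app, and its design is an assumption: at registration the clearinghouse issues the handset a secret key, the app encodes the card ID, device ID, a timestamp and the phone's own GPS fix into the barcode together with an HMAC over those fields, and the clearinghouse verifies the tag, freshness, replay and distance to the point-of-sale terminal before approving. All names, thresholds and sample coordinates are constructed.

```python
"""Added example (not Neustar's or Starbucks' code): a toy 2D-barcode
clearinghouse that binds a rewards card to one handset and checks every scan.
Assumed design: the barcode payload is
  card_id|device_id|timestamp|lat|lon|HMAC-SHA256(device_key, the five fields)
so a screenshot of someone else's barcode fails the freshness window, the
replay check or the location check, and the holder is alerted on each charge.
"""
import hashlib
import hmac
import math
import secrets

FRESHNESS_SECONDS = 60   # a drawn barcode is accepted only this long (assumed)
MAX_DISTANCE_KM = 2.0    # phone's fix must be this close to the terminal (assumed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class Clearinghouse:
    def __init__(self):
        self.registry = {}   # card_id -> {"device_id", "key", "phone"}
        self.seen = set()    # (card_id, timestamp) pairs already accepted
        self.alerts = []     # (phone_number, message) per accepted purchase

    def register(self, card_id, device_id, phone_number):
        """Link card to one handset; return the secret provisioned to that handset."""
        key = secrets.token_bytes(32)   # would be delivered to the app over TLS
        self.registry[card_id] = {"device_id": device_id, "key": key, "phone": phone_number}
        return key

    @staticmethod
    def _mac(key, fields):
        return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def make_payload(card_id, device_id, key, ts, lat, lon):
        """What the handset app would encode into the 2D barcode."""
        fields = [card_id, device_id, str(ts), f"{lat:.5f}", f"{lon:.5f}"]
        return "|".join(fields + [Clearinghouse._mac(key, fields)])

    def validate(self, payload, terminal_lat, terminal_lon, now):
        """Return (approved, reason) for a barcode scanned at a known terminal."""
        parts = payload.split("|")
        if len(parts) != 6:
            return (False, "malformed")
        card_id, device_id, ts_s, lat_s, lon_s, tag = parts
        rec = self.registry.get(card_id)
        if rec is None:
            return (False, "unknown card")
        if device_id != rec["device_id"]:
            return (False, "handset mismatch")          # not the registered phone
        if not hmac.compare_digest(tag, self._mac(rec["key"], parts[:5])):
            return (False, "bad signature")             # forged or re-keyed payload
        ts = int(ts_s)
        if not 0 <= now - ts <= FRESHNESS_SECONDS:
            return (False, "stale barcode")             # old screenshot
        if (card_id, ts) in self.seen:
            return (False, "replayed barcode")          # same image scanned twice
        dist = haversine_km(float(lat_s), float(lon_s), terminal_lat, terminal_lon)
        if dist > MAX_DISTANCE_KM:
            return (False, f"location mismatch ({dist:.0f} km)")
        self.seen.add((card_id, ts))
        self.alerts.append((rec["phone"], f"card {card_id} charged at t={now}"))
        return (True, "ok")


if __name__ == "__main__":
    ch = Clearinghouse()
    key = ch.register("card-1", "dev-A", "+1-555-0100")
    code = Clearinghouse.make_payload("card-1", "dev-A", key, 1000, 47.61000, -122.33000)
    print(ch.validate(code, 47.6101, -122.3301, 1010))   # genuine scan
    print(ch.validate(code, 40.7128, -74.0060, 1020))    # copied image, other city
    print(ch.validate(code, 47.6101, -122.3301, 5000))   # copied image, hours later
```

The residual gap is worth naming: a thief who photographs the barcode and scans it within the freshness window at the same store still wins the race, and the legitimate holder's own scan is then the one rejected as a replay. The alert on every charge (line 5 above) is what makes that case visible quickly; the `seen` set would also need pruning in a real deployment.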
In the case of Starbucks, it is apparent that the application does not bind the card to the handset in this way. In the rush to ship the newest application, many companies are sacrificing quality and could be putting consumers at risk.
According to McAfee's fourth-quarter threat report, "cellphone security threats grew significantly in 2010, as 'a proliferation of Internet-enabled mobile devices' laid the groundwork for cybercriminals to target the increasingly popular smartphones and tablets that now thoroughly populate our world." (Mobile Marketing Watch, February 8, 2011)
For mobile marketing to continue to succeed, consumers must feel confident that their personal information won't be compromised. It is up to the brands to ensure that their applications have the appropriate safeguards in place to prevent identity theft and deliver a secure user experience.
1 comment
February 11, 2011 at 1:21 pm
Andrew
So has what Neustar's offering been tested to combat these breaches? What about having encryption on data being sent over an unsecured network like Starbucks' Wi-Fi system or through the airwaves?