Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Threat Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Inconvenience stores: Thieves steal $500K from users of 7-Eleven Japan’s new payment app

Convenience chain 7-Eleven Japan has suspended a brand new mobile cashless payment service after an authorized third party accessed approximately 900 user accounts and made fraudulent charges totally 55 million yen, or roughly $500,000 dollars.

The service, 7pay, reportedly had only been launched three days earlier, and allows participating customers to automatically charge purchased goods to a credit or debit card whenever a 7-Eleven store cashier scans a barcode that appears on their mobile devices.

In a July 4 press release, 7-Eleven Japan parent company Seven & I Holdings Co., Ltd. and
Seven Pay Co. said they became aware of the security issue on July 2 following a customer complaint regarding an unapproved transaction.

After an investigation confirmed additional illegal activity, Seven Pay Co. on July 3 disabled the card payment capabilities of the 7pay app, posted a warning on the 7pay homepage and set up a customer support center hotline. New registrations of 7pay accounts have also been suspended.

"We will compensate for all the damage to the customers who suffered from this matter," the joint press release states. "We will thoroughly investigate the cause of this issue and plan improvement measures for a drastic solution."

Per ZDNet, a July 4 Yahoo! Japan report said the attack was made possible because of the app's insecure password reset process. Reportedly, the attackers were able to request a reset of other users' passwords and then have the reset link sent to their own email address, thereby allowing them to hijack the account. To pull off such a maneuver, the attacker only needed to know a potential victim's email address, birth date and phone number. Even worse: if no birth date was entered, the app simply assigned a default birth date of January 1, 2019 – an insecure policy that made it even easier for the bad guys to acquire the data necessary for a takeover.

On July 5, the Japan Times reported that police suspect a China-based international criminal group was behind the attack on 7pay. The report goes on to state that two Chinese men – Zhang Sheng, 22, and Wang Yunfei, 25 – were arrested for allegedly defrauding a Tokyo convenience store using stolen 7pay IDs.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.