Convenience chain 7-Eleven Japan has suspended a brand new mobile cashless payment service after an authorized third party accessed approximately 900 user accounts and made fraudulent charges totally 55 million yen, or roughly $500,000 dollars.
The service, 7pay, reportedly had only been launched three days earlier, and allows participating customers to automatically charge purchased goods to a credit or debit card whenever a 7-Eleven store cashier scans a barcode that appears on their mobile devices.
In a July 4 press release, 7-Eleven Japan parent company Seven & I Holdings Co., Ltd. and
Seven Pay Co. said they became aware of the security issue on July 2 following a customer complaint regarding an unapproved transaction.
After an investigation confirmed additional illegal activity, Seven Pay Co. on July 3 disabled the card payment capabilities of the 7pay app, posted a warning on the 7pay homepage and set up a customer support center hotline. New registrations of 7pay accounts have also been suspended.
"We will compensate for all the damage to the customers who suffered from this matter," the joint press release states. "We will thoroughly investigate the cause of this issue and plan improvement measures for a drastic solution."
Per ZDNet, a July 4 Yahoo! Japan report said the attack was made possible because of the app's insecure password reset process. Reportedly, the attackers were able to request a reset of other users' passwords and then have the reset link sent to their own email address, thereby allowing them to hijack the account. To pull off such a maneuver, the attacker only needed to know a potential victim's email address, birth date and phone number. Even worse: if no birth date was entered, the app simply assigned a default birth date of January 1, 2019 – an insecure policy that made it even easier for the bad guys to acquire the data necessary for a takeover.
On July 5, the Japan Times reported that police suspect a China-based international criminal group was behind the attack on 7pay. The report goes on to state that two Chinese men – Zhang Sheng, 22, and Wang Yunfei, 25 – were arrested for allegedly defrauding a Tokyo convenience store using stolen 7pay IDs.