7-Eleven’s much-lauded cashless payment service, 7Pay, was suspended after it was discovered that over 900 users had fallen victim to identity theft.
The app allowed users to link their credit card to the app, then use a barcode displayed on their phone to pay for items in store.
Hackers were reported to have stolen about ¥55 million in payments before further transactions and sign-ups were blocked, just four days after 7Pay launched.
However, the label “hackers” is actually barely deserved here. There was no coding or tinkering needed. Rather, the app was blighted by a pretty massive oversight: Password reset links could be sent to any email address, as long as the person requesting the reset knew the email address, phone number, and date of birth of the account owner.
To make matters worse, sometimes the date of birth wasn’t even necessary. If the user hadn’t entered anything during the registration process, the field would default to January 1st, 2019. That leaves potentially just two pieces of information needed to steal the target’s identity—the email address and phone number—both of which could be found on anything from business cards to Facebook.
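To make the failure concrete, here is a toy password-reset service written for this article (it is not 7Pay's code, and the account store, API shape, token format and outbox are all invented). The flawed method reproduces the two defects described above: the requester chooses where the link is delivered, and a blank birth date is stored as the fixed default and then accepted as if it were a secret. The hardened method delivers the link only to the address on file, ignores a defaulted birth date as evidence, and requires the request to come from the device linked at enrolment.

```python
"""Added example, not code from the article or from 7-Eleven: a toy
password-reset flow showing the delivery-address flaw and a hardened form.
All names and data here are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple
import secrets

# Placeholder default used by the flawed registration path: an unset birth
# date is stored as 2019-01-01, so guessing that date satisfies the check.
DEFAULT_DOB = date(2019, 1, 1)


@dataclass
class Account:
    email: str
    phone: str
    dob: date
    dob_provided: bool            # False when the form was left blank
    device_id: Optional[str] = None  # device bound at enrolment (hardened only)


@dataclass
class ResetService:
    accounts: Dict[str, Account]
    # (recipient address, token) pairs that would have been emailed
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    def flawed_reset(self, email: str, phone: str, dob: date, send_to: str) -> bool:
        """Vulnerable: the caller picks the delivery address, and a defaulted
        birth date compares equal to the stored placeholder."""
        acct = self.accounts.get(email)
        if acct is None or acct.phone != phone or acct.dob != dob:
            return False
        self.outbox.append((send_to, secrets.token_urlsafe(16)))
        return True

    def hardened_reset(self, email: str, phone: str, dob: date, device_id: str) -> bool:
        """Hardened: link goes only to the registered address; a birth date
        that was never supplied is not treated as a knowledge factor; the
        request must originate from the device linked to the account."""
        acct = self.accounts.get(email)
        if acct is None or acct.phone != phone:
            return False
        if acct.dob_provided and acct.dob != dob:
            return False
        if acct.device_id is None or device_id != acct.device_id:
            return False
        self.outbox.append((acct.email, secrets.token_urlsafe(16)))
        return True


def demo() -> Tuple[bool, bool, bool, List[str]]:
    """Constructed scenario: an account registered without a birth date.
    Returns (flawed accepted, hardened blocked-from-unknown-device,
    hardened accepted-from-linked-device, outbox recipients)."""
    victim = Account("victim@example.com", "090-0000-0000", DEFAULT_DOB,
                     dob_provided=False, device_id="victim-phone")
    svc = ResetService({victim.email: victim})
    # Flawed flow: email + phone + the guessable default date is enough, and
    # the token is delivered wherever the requester asks.
    leaked = svc.flawed_reset(victim.email, victim.phone, DEFAULT_DOB,
                              send_to="other@example.net")
    # Hardened flow: same inputs from an unlinked device are refused ...
    blocked = svc.hardened_reset(victim.email, victim.phone, DEFAULT_DOB,
                                 device_id="unknown-device")
    # ... while the linked device still gets a link, sent only to the
    # address on file.
    legit = svc.hardened_reset(victim.email, victim.phone, DEFAULT_DOB,
                               device_id="victim-phone")
    return leaked, blocked, legit, [r for r, _ in svc.outbox]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the flawed flow handing a token to `other@example.net`, while the hardened flow only ever writes to `victim@example.com` and refuses requests that do not come from the linked device. Binding the reset to the registered address and the enrolled device is the control the article later notes the industry guidelines call for; an SMS confirmation would be a further, independent factor layered on top.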
The first hints that something was amiss came on July 2 when 7-Eleven received reports of unexpected transactions appearing on some people’s accounts. The app had launched just the day before. By July 4, 7-Eleven had suspended all payments and new user signups.
According to an article on The Sankei News, two Chinese nationals were arrested on Thursday, June 4, and it was confirmed the next day that they had bought ¥730,000 worth of e-cigarettes using fraudulent 7Pay accounts. Police are now investigating the involvement of a Chinese hacker ring after those arrested claimed they were following instructions and had been promised a reward.
7-Eleven has come under intense fire for this less-than-ideal start. As 7Pay launched as part of an existing app, it didn’t include two-factor authentication like a text message sent to confirm a password change.
In a video shared by @Mulboyne on Twitter, the president of Seven Pay Co. seems not to even recognize the term.
This reaction by 7Pay boss Tsuyoshi Kobayashi has been widely noted as a sign of how inadequate management oversight must have been. He's asked about 二段階認証 (nidankai ninsho – two factor authentication) and repeats the term as if it's the first time he's ever heard it. pic.twitter.com/EXqKRFoIco
— Mulboyne (@Mulboyne) July 5, 2019
“That is a typical Japanese executive,” tweeted another user @zmioga.
The Japan Times also reported on July 6 that Seven & i Holdings Co., the parent company, has also been criticized by the Ministry of Economy, Trade, and Industry for not following sufficient security guidelines. Payments Association Japan, which promotes cashless transactions, requires payment operators to confirm the linkage between a user’s device and the app downloaded on it, in order to prevent exactly this sort of identity theft.
Alongside the understandable anger and incredulity of users is the awareness that this isn’t the first time something like this has happened in Japan.
Japan ranks behind many other Asian countries when it comes to cashless payments, and the incongruity between its outwardly futuristic image and technologically backward reality is very apparent. Remember the cybersecurity minister who’d never used a computer?
As software engineer @mrgxflrs tweeted:
Anyone who's working in tech in Japan isn't surprised at all over the 7Pay fiasco.
— Margaux Flores (@mrgxflrs) July 5, 2019
7-Eleven has pledged to tighten security and compensate the users affected.