
7Pay Shut Down After $500,000 Is Stolen From Users

7-Eleven's cashless payment service didn’t even last a week.


7-Eleven’s much-lauded cashless payment service, 7Pay, was suspended after it was discovered that over 900 users had fallen victim to identity theft.

The app allowed users to link their credit card to the app, then use a barcode displayed on their phone to pay for items in store.

Hackers were reported to have stolen about ¥55 million in payments before further transactions and sign-ups were blocked, just four days after 7Pay launched.

However, the label “hackers” is actually barely deserved here. There was no coding or tinkering needed. Rather, the app was blighted by a pretty massive oversight: Password reset links could be sent to any email address, as long as the person requesting the reset knew the email address, phone number, and date of birth of the account owner.

To make matters worse, sometimes the date of birth wasn’t even necessary. If the user hadn’t entered anything during the registration process, the field would default to January 1st, 2019. That leaves potentially just two pieces of information needed to steal the target’s identity—the email address and phone number—both of which could be found on anything from business cards to Facebook.
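The reset flaw described above, set beside a corrected flow, as an added example that is not 7Pay's code. The account store, field names, function names and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from datetime import date

DEFAULT_DOB = date(2019, 1, 1)  # registration default described in the article
TOKEN_TTL = 900                 # seconds; assumed lifetime

# Constructed sample data: one account keyed by its registered e-mail address.
ACCOUNTS = {"owner@example.com": {"phone": "09000000000", "dob": DEFAULT_DOB}}
OUTBOX = []   # (recipient, token) pairs standing in for a mail gateway
TOKENS = {}   # sha256(token) -> (account e-mail, expiry time)

def _identity_matches(email, phone, dob):
    acct = ACCOUNTS.get(email)
    return acct is not None and acct["phone"] == phone and acct["dob"] == dob

def reset_flawed(email, phone, dob, send_to):
    """Flow as reported: the requester chooses where the reset link goes."""
    if not _identity_matches(email, phone, dob):
        return False
    OUTBOX.append((send_to, secrets.token_urlsafe(32)))
    return True

def reset_hardened(email, phone, dob, now=None):
    """Mail goes only to the registered address; the reply never varies."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    # A birth date that was never set proves nothing, so the default cannot
    # pass; such accounts would need a different recovery channel.
    if acct and acct["dob"] != DEFAULT_DOB and _identity_matches(email, phone, dob):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        TOKENS[digest] = (email, now + TOKEN_TTL)  # store only the hash
        OUTBOX.append((email, token))
    return True  # same answer whether or not a message was sent

def redeem(token, now=None):
    """Single-use, time-limited token; returns the account e-mail or None."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```
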

The first hints that something was amiss came on July 2 when 7-Eleven received reports of unexpected transactions appearing on some people’s accounts. The app had launched just the day before. By July 4, 7-Eleven had suspended all payments and new user signups.

According to an article on The Sankei News, two Chinese nationals were arrested on Thursday, June 4, and it was confirmed the next day that they had bought ¥730,000 worth of e-cigarettes using fraudulent 7Pay accounts. Police are now investigating the involvement of a Chinese hacker ring after those arrested claimed they were following instructions and had been promised a reward.

7-Eleven has come under intense fire for this less-than-ideal start. As 7Pay launched as part of an existing app, it didn’t include two-factor authentication, such as a text message sent to confirm a password change.

In a video shared by @Mulboyne on Twitter, the president of Seven Pay Co. seems not to even recognize the term.

“That is a typical Japanese executive,” tweeted another user @zmioga.

The Japan Times also reported on July 6 that Seven & i Holdings Co., the parent company, has been criticized by the Ministry of Economy, Trade, and Industry for not following sufficient security guidelines. Payments Association Japan, which promotes cashless transactions, requires payment operators to confirm the linkage of a user’s device and the app downloaded on it in order to prevent exactly this sort of identity theft.

Alongside the understandable anger and incredulity of users is the awareness that this isn’t the first time something like this has happened in Japan.

Japan ranks behind many other Asian countries when it comes to cashless payments, and the incongruity between its outwardly futuristic image and technologically backward reality is very apparent. Remember the cybersecurity minister who’d never used a computer?

As software engineer @mrgxflrs tweeted:

7-Eleven has pledged to tighten security and compensate the users affected.
