7Pay Shut Down After $500,000 Is Stolen From Users

7-Eleven's cashless payment service didn’t even last a week.

7-Eleven’s much-lauded cashless payment service, 7Pay, was suspended after it was discovered that over 900 users had fallen victim to identity theft.

The app allowed users to link their credit card to the app, then use a barcode displayed on their phone to pay for items in store.

Hackers were reported to have stolen about ¥55 million in payments before further transactions and sign-ups were blocked, just four days after 7Pay launched.

However, the label “hackers” is actually barely deserved here. There was no coding or tinkering needed. Rather, the app was blighted by a pretty massive oversight: Password reset links could be sent to any email address, as long as the person requesting the reset knew the email address, phone number, and date of birth of the account owner.

To make matters worse, sometimes the date of birth wasn’t even necessary. If the user hadn’t entered anything during the registration process, the field would default to January 1st, 2019. That leaves potentially just two pieces of information needed to steal the target’s identity—the email address and phone number—both of which could be found on anything from business cards to Facebook.
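The reset design described above, next to a corrected version, as an added example that is not 7Pay's code. The function names, the `send_to` parameter, and the sample records are hypothetical and constructed for illustration; each function returns the address the reset link would be mailed to.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

DEFAULT_DOB = "2019-01-01"  # value the article says was used when no birthday was entered

@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]  # None means the user left the field blank

# Constructed sample records, not real 7Pay data.
ACCOUNTS = {
    "blank@example.com": Account("blank@example.com", "090-0000-0001", None),
    "full@example.com": Account("full@example.com", "090-0000-0002", "1985-04-12"),
}

def reset_flawed(accounts, email, phone, dob, send_to):
    """Reported design: pass a knowledge check, link goes to a caller-chosen address."""
    acct = accounts.get(email)
    if acct is None:
        return None
    stored_dob = acct.dob or DEFAULT_DOB  # blank birthday silently becomes a known constant
    if acct.phone == phone and stored_dob == dob:
        return send_to  # destination is controlled by the requester
    return None

def reset_hardened(accounts, email, phone, dob, send_to=None):
    """Assumed fix: link only goes to the address on file; a blank birthday never matches."""
    acct = accounts.get(email)
    if acct is None or acct.dob is None:
        return None
    ok = hmac.compare_digest(acct.phone, phone) and hmac.compare_digest(acct.dob, dob)
    return acct.email if ok else None  # send_to is ignored on purpose

def default_dob_accounts(accounts):
    """Audit helper: accounts whose birthday check adds nothing because it was never set."""
    return sorted(e for e, a in accounts.items() if a.dob in (None, DEFAULT_DOB))
```

Running the audit helper over an existing user table shows how many accounts are protected by only an email address and a phone number.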

The first hints that something was amiss came on July 2 when 7-Eleven received reports of unexpected transactions appearing on some people’s accounts. The app had launched just the day before. By July 4, 7-Eleven had suspended all payments and new user signups.

According to an article on The Sankei News, two Chinese nationals were arrested on Thursday, June 4, and it was confirmed the next day that they had bought ¥730,000 worth of e-cigarettes using fraudulent 7Pay accounts. Police are now investigating the involvement of a Chinese hacker ring after those arrested claimed they were following instructions and had been promised a reward.

7-Eleven has come under intense fire for this less-than-ideal start. As 7Pay launched as part of an existing app, it didn’t include two-factor authentication, such as a text message sent to confirm a password change.

In a video shared by @Mulboyne on Twitter, the president of Seven Pay Co. seems not to even recognize the term.

“That is a typical Japanese executive,” tweeted another user @zmioga.

The Japan Times also reported on July 6 that Seven & i Holdings Co., the parent company, has been criticized by the Ministry of Economy, Trade, and Industry for not following sufficient security guidelines. Payments Association Japan, which promotes cashless transactions, requires payment operators to confirm the linkage of a user’s device and the app downloaded on it in order to prevent exactly this sort of identity theft.

Alongside the understandable anger and incredulity of users is the awareness that this isn’t the first time something like this has happened in Japan.

Japan ranks behind many other Asian countries when it comes to cashless payments, and the incongruity between its outwardly futuristic image and technologically backward reality is very apparent. Remember the cybersecurity minister who’d never used a computer?

As software engineer @mrgxflrs tweeted:

7-Eleven has pledged to tighten security and compensate the users affected.
