7Pay Shut Down After $500,000 Is Stolen From Users

7-Eleven's cashless payment service didn’t even last a week.

By 3 min read

7-Eleven’s much-lauded cashless payment service, 7Pay, was suspended after it was discovered that over 900 users had fallen victim to identity theft.

The app allowed users to link their credit card to the app, then use a barcode displayed on their phone to pay for items in store.

Hackers were reported to have stolen about ¥55 million in payments before further transactions and sign-ups were blocked, just four days after 7Pay launched.

However, the label “hackers” is actually barely deserved here. There was no coding or tinkering needed. Rather, the app was blighted by a pretty massive oversight: Password reset links could be sent to any email address, as long as the person requesting the reset knew the email address, phone number, and date of birth of the account owner.

To make matters worse, sometimes the date of birth wasn’t even necessary. If the user hadn’t entered anything during the registration process, the field would default to January 1st, 2019. That leaves potentially just two pieces of information needed to steal the target’s identity—the email address and phone number—both of which could be found on anything from business cards to Facebook.

The first hints that something was amiss came on July 2 when 7-Eleven received reports of unexpected transactions appearing on some people’s accounts. The app had launched just the day before. By July 4, 7-Eleven had suspended all payments and new user signups.

According to an article on The Sankei News, two Chinese nationals were arrested on Thursday, June 4, and it was confirmed the next day that they had bought ¥730,000 worth of e-cigarettes using fraudulent 7Pay accounts. Police are now investigating the involvement of a Chinese hacker ring after those arrested claimed they were following instructions and had been promised a reward.

7-Eleven has come under intense fire for this less-than-ideal start. As 7Pay launched as part of an existing app, it didn’t include two-factor authentication like a text message sent to confirm a password change.

In a video shared by @Mulboyne on Twitter, the president of Seven Pay Co., seems not to even recognize the term.

“That is a typical Japanese executive,” tweeted another user @zmioga.

The Japan Times also reported on July 6 that Seven & i Holdings Co., the parent company, have also been criticized by the Ministry of Economy, Trade, and Industry for not following sufficient security guidelines. Payments Association Japan, who promote cashless transactions, require payment operators to confirm the linkage of a user’s device and the app downloaded on it in order to prevent exactly this sort of identity theft.

Alongside the understandable anger and incredulity of users is the awareness that this isn’t the first time something like this has happened in Japan.

Japan ranks behind many other Asian countries when it comes to cashless payments, and the incongruity between its outwardly futuristic image and technologically backward reality is very apparent. Remember the cybersecurity minister who’d never used a computer?

As software engineer @mrgxflrs tweeted:

7-Eleven has pledged to tighten security and compensate the users affected.

Topics: /



Japan Ranked No. 2 Study Abroad Destination in Asia

It's official, studying in Japan is awesome.

By 2 min read


Tenki No Ko (Weathering with You): The Story, Themes, and Music Revealed So Far

Your Name director Makoto Shinkai's new film hits theaters next Friday. So what can we expect?

By 4 min read


How Much Is the Average Rent in Tokyo in 2019?

Learn why rent in Adachi Ward is half of that in Chiyoda Ward, why the size of your apartment might matter more than the location, and who's driving up rent prices in the capital.

By 10 min read