Keen to jump on the mobile payments bandwagon, 7-Eleven’s Japanese business recently launched 7Pay for customers looking for a quick and easy way to purchase items in-store.
But just days after the system went live at the beginning of last week, a number of customers started complaining that they were being charged for items they hadn’t bought.
The company has now suspended use of its mobile payment service while it investigates 7Pay’s security procedures, or lack thereof. In a statement released at the end of last week, 7-Eleven admitted that hackers had accessed the app and made bogus transactions affecting 900 customers to the tune of $506,000.
On Saturday, July 6, the Japan Times reported the arrest of two Chinese men who may be connected to the hack, with one of them suspected of attempted fraud after paying 730,000 yen (about $6,750) to purchase nearly 150 cartons of e-cigarette cartridges from a 7-Eleven store in Tokyo, allegedly using stolen IDs.
7Pay worked by displaying a bar code on the customer’s smartphone, which a cashier scanned to charge the cost of the items to the customer’s linked debit or credit card.
But a report by ZDNet said the app was so poorly designed that it allowed anyone with knowledge of a customer’s email address, date of birth, and phone number to take over an account.
The hacker did this by entering those three details into the password-reset flow, which then allowed the reset link to be sent to an email address of the requester’s choosing rather than the one registered to the account. With the link delivered to their own mailbox instead of the account owner’s, the hacker could set a new password and take control of the account.
The suggestion is that hackers automated the attack, feeding it email addresses, dates of birth, and phone numbers gathered in previous online security breaches targeting Japanese databases.
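To make the flaw concrete, here is an added example (written for this article, not 7Pay’s code) that contrasts the reset flow the reports describe with a hardened one. The account data, mock mailer, and function names are all constructed for illustration; the hardened version is a standard design, not what 7-Eleven has said it will implement. The vulnerable flow “verifies” the requester with breach-obtainable facts and lets them choose where the link is sent; the hardened flow only ever mails the address on file, stores a hash of a random single-use token with a short expiry, and answers identically whether or not the address is registered.

```python
import hashlib
import secrets
import time

# Constructed sample data for this example; not 7Pay's real schema or data.
# Passwords are kept in plaintext only to keep the example short.
ACCOUNTS = {
    "alice@example.com": {
        "dob": "1990-01-01",
        "phone": "09012345678",
        "password": "hunter2",
    },
}

# Mock mailer: records (recipient, token) pairs instead of sending email.
OUTBOX = []


def send_mail(recipient, token):
    OUTBOX.append((recipient, token))


# ---- Vulnerable flow (the pattern the reports attribute to 7Pay) ----
VULN_TOKENS = {}  # token -> email


def request_reset_vulnerable(email, dob, phone, send_to):
    """Knowledge-based check on data an attacker can buy, plus a
    caller-chosen delivery address for the reset link."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob or acct["phone"] != phone:
        return False
    token = secrets.token_urlsafe(32)
    VULN_TOKENS[token] = email
    send_mail(send_to, token)  # BUG: the requester picks the recipient
    return True


def complete_reset_vulnerable(token, new_password):
    email = VULN_TOKENS.pop(token, None)
    if email is None:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


# ---- Hardened flow ----
TOKEN_TTL_SECONDS = 15 * 60
HARDENED_TOKENS = {}  # sha256(token) -> (email, expiry timestamp)


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset_hardened(email, now=None):
    """Always returns None so the response does not reveal whether the
    address is registered. There is no send_to parameter: if the account
    exists, the link goes to the address on file and nowhere else."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash: a leaked token table then yields no usable links.
    HARDENED_TOKENS[_token_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
    send_mail(email, token)
    return None


def complete_reset_hardened(token, new_password, now=None):
    """Accepts a token once, and only before it expires."""
    now = time.time() if now is None else now
    entry = HARDENED_TOKENS.pop(_token_hash(token), None)  # single use
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True
```

The difference that matters is not the token format but who decides the recipient: in the vulnerable flow the attacker’s knowledge of the victim’s email, date of birth, and phone number is enough, and the proof-of-possession step (receiving the link) is handed to the attacker. The hardened flow treats the registered mailbox as the only proof of ownership, which is why it takes nothing but the account email as input.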
The alarming ease with which hackers were able to exploit 7Pay prompted the Japanese government to get involved, with the Ministry of Economy, Trade, and Industry accusing 7-Eleven of failing to properly adhere to guidelines preventing such unauthorized access. The company, which operates more than 20,000 stores in Japan, has apologized for the mishap and promised to fully reimburse those affected.
The 7Pay incident brings to mind another mobile payment breach several years ago when the now-defunct CurrentC system was targeted by hackers during its testing phase. Whether 7Pay will be resurrected with much-improved security or ends up going the same way as CurrentC remains to be seen.