Source: Gaijin Pot
7-Eleven’s much-lauded cashless payment service, 7Pay, was suspended after it was discovered that over 900 users had fallen victim to identity theft.
The app allowed users to link their credit card to the app, then use a barcode displayed on their phone to pay for items in store.
Hackers were reported to have stolen about ¥55 million in payments before further transactions and sign-ups were blocked, just four days after 7Pay launched.
However, the label “hackers” is actually barely deserved here. There was no coding or tinkering needed. Rather, the app was blighted by a pretty massive oversight: Password reset links could be sent to any email address, as long as the person requesting the reset knew the email address, phone number, and date of birth of the account owner.
To make matters worse, sometimes the date of birth wasn’t even necessary. If the user hadn’t entered anything during the registration process, the field would default to January 1st, 2019. That leaves potentially just two pieces of information needed to steal the target’s identity—the email address and phone number—both of which could be found on anything from business cards to Facebook.
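The reset flow the article describes, modelled next to a hardened version. This is an added example, not 7Pay's code: the account fields, sample accounts, function names and the 15-minute token lifetime are all assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from datetime import date

DEFAULT_DOB = date(2019, 1, 1)   # value the article says was stored for a blank field
TOKEN_TTL = 15 * 60              # assumption: 15-minute link lifetime

@dataclass
class Account:
    email: str
    phone: str
    dob: date = DEFAULT_DOB

# Constructed sample accounts (not real data)
ACCOUNTS = {a.email: a for a in (
    Account("alice@example.com", "090-0000-0001", date(1990, 5, 17)),
    Account("bob@example.com", "090-0000-0002"),   # DOB left blank at sign-up
)}
PENDING = {}   # sha256(token) -> (account email, expiry time)

def reset_as_reported(email, phone, dob, send_to):
    """Flow as described: matching profile fields let the requester choose
    where the link goes. Returns the address the link would be mailed to."""
    acct = ACCOUNTS.get(email)
    if acct and acct.phone == phone and acct.dob == dob:
        return send_to
    return None

def reset_hardened(email, send_to=None):
    """Profile data is not a secret, so it is not checked at all; the link
    only ever goes to the address on file and send_to is ignored."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None   # the caller shows the same message either way
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (acct.email, time.time() + TOKEN_TTL)
    return acct.email, token

def redeem(token, now=None):
    """Single-use: the stored digest is removed on first redemption."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    email, expiry = PENDING.pop(digest, (None, 0))
    now = time.time() if now is None else now
    return email if email and now < expiry else None

def accounts_with_default_dob():
    """Audit helper: accounts where the DOB check added nothing."""
    return sorted(e for e, a in ACCOUNTS.items() if a.dob == DEFAULT_DOB)
```

Running `accounts_with_default_dob()` against a real user table shows how many accounts were protected by only the email address and phone number.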
The first hints that something was amiss came on July 2 when 7-Eleven received reports of unexpected transactions appearing on some people’s accounts. The app had launched just the day before. By July 4, 7-Eleven had suspended all payments and new user signups.
According to an article on The Sankei News, two Chinese nationals were arrested on Thursday, June 4, and it was confirmed the next day that they had bought ¥730,000 worth of e-cigarettes using fraudulent 7Pay accounts. Police are now investigating the involvement of a Chinese hacker ring after those arrested claimed they were following instructions and had been promised a reward.
7-Eleven has come under intense fire for this less-than-ideal start. As …