7-Eleven Japan’s weak app security led to a $500,000 customer loss

Image credit: 7-Eleven

The 7pay app was deactivated after just a couple of days.

7-Eleven Japan’s mobile payment app had such poor security measures that the company had to shut it down just a couple of days after its release. In an announcement explaining the issue, the company admitted that hackers were able to break into 900 users’ accounts and charge 55 million yen ($507,000) in illegal purchases to the debit and credit cards on file within that period, from July 1st, when the 7pay app rolled out, to July 3rd, when the service was shut down.

The app was troubled from the start, with customers complaining of illegal transactions made through their accounts since day one. According to ZDNet, the app’s poorly designed password retrieval method was to blame. Instead of automatically sending an email to the address users had on file, the app allowed them to retrieve their passwords using any email address.

In other words, the high-tech thieves didn’t even have to make the extra effort of infiltrating users’ inboxes: they only had to find out people’s email addresses, their dates of birth and their phone numbers. And we all know how easy it is to look those up these days, with almost everyone having social media accounts. The fact that the app used January 1st, 2019 as the default birthday of everyone who signed up without specifying their own made it much easier for the bad actors as well. All they needed to do after they gained entry to an account was to generate a barcode with the app every time they paid at a 7-Eleven outlet.
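The password-retrieval flaw described above, as an added Python example that is not code from the article or from 7-Eleven: a weak reset handler of the same shape (birthday and phone number accepted as proof of identity, new password mailed to whatever address the requester supplies) beside a hardened one that sends a random, single-use, expiring token only to the address on file, answers identically whether or not the account exists, and treats the sign-up placeholder birthday as unverified. The account data, addresses and function names are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

DEFAULT_BIRTHDAY = "2019-01-01"  # the placeholder birthday the article says 7pay assigned
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    email: str         # address on file, also the login identifier
    birthday: str      # ISO date; still DEFAULT_BIRTHDAY if the user never set one
    phone: str
    password_hash: str


class Outbox:
    """Records every message so a caller can see where a reset would be delivered."""
    def __init__(self):
        self.sent = []

    def send(self, recipient, body):
        self.sent.append((recipient, body))


def hash_password(password):
    # Stand-in for a real password hash (argon2/bcrypt); sha256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


def make_accounts():
    # Constructed sample account, not real customer data.
    return {"alice@example.com": Account("alice@example.com", DEFAULT_BIRTHDAY,
                                         "090-0000-0001", hash_password("original-secret"))}


def weak_reset(accounts, outbox, account_email, birthday, phone, send_to):
    """The shape of the flaw described in the article: a birthday and phone number are
    accepted as proof of identity, and the new password is sent to whatever address
    the requester names (send_to) rather than the one on file."""
    acct = accounts.get(account_email)
    if acct is None or acct.birthday != birthday or acct.phone != phone:
        return False
    new_password = secrets.token_urlsafe(8)
    acct.password_hash = hash_password(new_password)
    outbox.send(send_to, f"Your new password: {new_password}")
    return True


def is_user_chosen_birthday(acct):
    """A birthday still equal to the sign-up placeholder was never chosen by the user,
    so it must not be treated as something only they know."""
    return acct.birthday != DEFAULT_BIRTHDAY


def request_reset(accounts, outbox, pending, account_email, now=None):
    """Hardened flow: a random, single-use, short-lived token goes only to the address
    on file. The requester cannot pick the destination, and the response is the same
    whether or not the account exists, so it does not reveal which emails are registered."""
    now = time.time() if now is None else now
    acct = accounts.get(account_email)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of the token
        pending[digest] = (acct.email, now + TOKEN_TTL_SECONDS)
        outbox.send(acct.email, f"Reset token: {token}")
    return "If an account exists for that address, a reset message has been sent."


def confirm_reset(accounts, pending, token, new_password, now=None):
    """Consumes the token (one use only) and rejects it once expired."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = pending.pop(digest, None)
    if entry is None or now > entry[1]:
        return False
    accounts[entry[0]].password_hash = hash_password(new_password)
    return True


def demo():
    """Runs both flows against the sample account and reports where each reset went."""
    accounts, outbox, pending = make_accounts(), Outbox(), {}
    # Weak flow: knowing the public facts is enough to have a password mailed elsewhere.
    weak_ok = weak_reset(accounts, outbox, "alice@example.com", DEFAULT_BIRTHDAY,
                         "090-0000-0001", send_to="someone-else@example.net")
    weak_recipient = outbox.sent[-1][0]
    # Hardened flow: the same request can only ever reach the on-file address.
    request_reset(accounts, outbox, pending, "alice@example.com", now=1000.0)
    hardened_recipient, body = outbox.sent[-1]
    token = body.split("Reset token: ", 1)[1]
    first = confirm_reset(accounts, pending, token, "new-secret", now=1100.0)
    replay = confirm_reset(accounts, pending, token, "again", now=1200.0)
    return weak_ok, weak_recipient, hardened_recipient, first, replay
```

`demo()` returns `(True, "someone-else@example.net", "alice@example.com", True, False)`: the weak flow hands the account to whoever named the destination, while the hardened flow delivers only to the on-file address and the token is dead after its first use. The `now` parameter exists so expiry can be exercised deterministically; in production the token store would also be rate-limited per account and per source.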

The company promises to compensate everyone who fell victim to the breach. Japanese authorities arrested a couple of Chinese men who attempted to pay for purchases amounting to thousands of dollars using stolen 7pay IDs. They now believe that an international group, which includes a hacker, might be involved. While the incident is still under investigation, the country’s Ministry of Economy, Trade and Industry has determined that the company failed to follow guidelines to prevent unauthorized access. The agency is urging the company to boost its security measures if it wants to re-launch 7pay in the future.

Reference: engadget
