On Thursday, 7-Eleven Japan suspended a recently launched mobile payment feature in its 7Pay application after a flaw allowed a third party to make false charges on hundreds of customer accounts.
The company launched the function on Monday, July 1: it allowed customers to scan a barcode with the application and load a linked credit or debit card. However, the company received a complaint the following day: a customer noticed a charge he did not make. The application had a defect, according to Yahoo News Japan (via ZDNet). A hacker would only have to know the user's date of birth, e-mail address and telephone number, and could then have a password reset request sent to a different e-mail address. The application also set people's birth dates to January 1, 2019 by default in cases where they did not complete the field, which makes it even easier for someone to log into an account.
In this case, the hackers seem to have automated the attack and, according to the company, about 900 people had their accounts targeted and charged 55 million yuan ($500,000). 7-Eleven Japan says that it has suspended the function, preventing the application from loading linked cards, posted a warning on the website of the 7pay function and stopped registering new users. The company also says that it will compensate users whose accounts were hijacked and establish a support line.
A member of the Ministry of Economy, Trade and Industry of Japan told the company that it should strengthen its security and that it did not follow security guidelines, according to Japan Times. Since then, Japanese authorities have arrested two people who tried to use a hacked account, and believe they may be connected to (or have been hired by) a Chinese criminal network known to use identities stolen online.
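
The password reset flaw described above, shown next to a safer flow, as an added Python example that is not 7pay's code and not part of the original article. The account data, function names, token lifetime and in-memory outbox are all constructed for illustration.

```python
import secrets, time
from dataclasses import dataclass
from datetime import date

PLACEHOLDER_DOB = date(2019, 1, 1)   # default the article reports for a blank birth-date field
TOKEN_TTL = 900                      # seconds; assumed value

@dataclass
class Account:
    email: str
    phone: str
    dob: date

# Constructed sample account whose owner never filled in a birth date.
ACCOUNTS = {"user@example.jp": Account("user@example.jp", "09000000000", PLACEHOLDER_DOB)}
OUTBOX = []        # (recipient, token) pairs standing in for an e-mail gateway
TOKENS = {}        # token -> (account e-mail, expiry timestamp)

def _issue(account, recipient):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (account.email, time.time() + TOKEN_TTL)
    OUTBOX.append((recipient, token))

def reset_weak(email, phone, dob, send_to):
    """Flaw as described: three knowable fields authorize the reset and the
    requester picks the address that receives the link."""
    acct = ACCOUNTS.get(email)
    if acct and acct.phone == phone and acct.dob == dob:
        _issue(acct, send_to)
        return True
    return False

def reset_hardened(email):
    """Link goes only to the address on file; the reply never reveals whether
    the account exists, and no identity field is treated as a secret."""
    acct = ACCOUNTS.get(email)
    if acct:
        _issue(acct, acct.email)
    return "If the account exists, a link was sent to its registered address."

def redeem(token, now=None):
    """Single-use, time-limited token; returns the account e-mail or None."""
    email, expiry = TOKENS.pop(token, (None, 0))
    now = time.time() if now is None else now
    return email if email and now <= expiry else None
```

In the weak flow the placeholder birth date acts as a shared, publicly guessable answer; the hardened flow does not use birth date or phone number as proof of ownership at all.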