On Thursday, 7-Eleven Japan suspended a recently-launched mobile payments feature on its 7Pay app after a flaw allowed a third party to make bogus charges on hundreds of customer accounts.
The company released the feature on Monday, July 1st: it allowed customers to scan a barcode with the app and charge a linked credit or debit card. However, the company received a complaint the next day: a customer noticed a charge that they didn’t make. The app had a flaw, according to Yahoo News Japan (via ZDnet). A hacker would only need to know a user’s date of birth, their email, and phone number, and could send a password reset request to another email address. The app also defaulted people’s birthdates to January 1st, 2019 in instances where they didn’t fill out the field, making it even easier for someone to break into an account.
In this instance, hackers appear to have automated the attack, and according to the company, around 900 individuals had their accounts targeted and charged ¥ 55 million ($500,000). 7-Eleven Japan says that it has suspended the feature by stopping the app from charging linked cards, posted a warning to the 7pay feature’s website, and has stopped registering new users. The company also says that it will be compensating users who had their accounts hacked, and set up a support line.
A member of Japan’s Ministry of Economy, Trade and Industry told the company that it needs to bolster its security, according to Japan Times, and that it didn’t follow security guidelines. Japanese authorities have since arrested two individuals attempting to use a hacked account, and believe that they might be connected to (or had been hired by) a Chinese crime ring known for using stolen identities online.