This past Thursday, 7-Eleven Japan suspended the recently launched mobile payments feature of its 7pay app after a flaw gave a group of attackers an easy way to make fraudulent charges on hundreds of customer accounts.
The company had released the feature only days earlier, on Monday, July 1st. It let customers pay by barcode through the app, with the charge going to a linked credit or debit card. The first red flag came the very next day, when a customer reported a charge they had not made. Many 7pay users also tweeted about being locked out of their accounts.
According to outside reports, the flaw was easy to exploit. An attacker needed only a user's date of birth, email address and phone number; with those three facts they could request a password reset and have the reset message delivered to an email address of their own choosing. Worse, the app set the date of birth to January 1st, 2019 by default for any user who left the field blank, so for those accounts the attacker effectively needed only the email address and phone number.
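To make the two weaknesses concrete, here is an added, self-contained model of an account-recovery flow with exactly the properties described above, beside a hardened version. This is example code written for this article, not 7pay's or 7-Eleven Japan's implementation; the class, the in-memory store that stands in for a mail server, and the sample users and addresses are all constructed for the demonstration.

```python
"""Illustrative model of the account-recovery weakness described in the article.

Added example code, not 7pay's implementation. The in-memory store, the
'outbox' that stands in for SMTP, and all sample users are constructed.
"""
import hashlib
import secrets
import time

DEFAULT_DOB = "2019-01-01"      # the silent default the article describes
RESET_TTL_SECONDS = 15 * 60     # assumed lifetime for a reset token


class AccountStore:
    def __init__(self):
        self.users = {}          # email -> {"phone", "dob", "password"}
        self.outbox = {}         # address -> list of delivered messages
        self.reset_tokens = {}   # sha256(token) -> (email, expiry)

    def deliver(self, address, message):
        self.outbox.setdefault(address, []).append(message)

    # --- registration ---------------------------------------------------
    def register_insecure(self, email, phone, password, dob=None):
        # Weakness 2: a missing date of birth is silently replaced by a fixed
        # value, so a single guess covers every user who skipped the field.
        self.users[email] = {"phone": phone, "dob": dob or DEFAULT_DOB,
                             "password": password}

    def register_secure(self, email, phone, password, dob):
        # Date of birth is profile data only; it is never used as a secret.
        self.users[email] = {"phone": phone, "dob": dob, "password": password}

    # --- password reset -------------------------------------------------
    def request_reset_insecure(self, email, phone, dob, send_to):
        """Knowledge of three widely known facts lets the caller redirect the
        reset message to any address they choose."""
        user = self.users.get(email)
        if user is None or user["phone"] != phone or user["dob"] != dob:
            return False
        token = secrets.token_urlsafe(32)
        self._store_token(token, email)
        # Weakness 1: the requester picks the recipient of the reset message.
        self.deliver(send_to, f"reset-token:{token}")
        return True

    def request_reset_secure(self, email):
        """Hardened flow: the message goes only to the address on file, and the
        response is the same whether or not the account exists."""
        user = self.users.get(email)
        if user is not None:
            token = secrets.token_urlsafe(32)
            self._store_token(token, email)
            self.deliver(email, f"reset-token:{token}")
        return "If an account exists for that address, a reset link has been sent."

    def _store_token(self, token, email):
        # Store only a hash, so a leaked table cannot be replayed directly.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (email, time.time() + RESET_TTL_SECONDS)

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)   # single use
        if entry is None:
            return False
        email, expiry = entry
        if time.time() > expiry:
            return False
        self.users[email]["password"] = new_password
        return True


def attacker_takes_over(store, victim_email, victim_phone, attacker_email):
    """Attacker knows the victim's email and phone and guesses the default DOB."""
    if not store.request_reset_insecure(victim_email, victim_phone,
                                        DEFAULT_DOB, attacker_email):
        return False
    token = store.outbox[attacker_email][-1].split(":", 1)[1]
    return store.complete_reset(token, "attacker-chosen")


def demo():
    """Run the attack against both flows and report what each one allowed."""
    weak = AccountStore()
    weak.register_insecure("victim@example.com", "090-0000-0000", "hunter2")  # DOB left blank
    hijacked = attacker_takes_over(weak, "victim@example.com",
                                   "090-0000-0000", "attacker@example.net")

    strong = AccountStore()
    strong.register_secure("victim@example.com", "090-0000-0000", "hunter2", "1985-04-12")
    reply_known = strong.request_reset_secure("victim@example.com")
    reply_unknown = strong.request_reset_secure("nobody@example.com")
    return {
        "weak_hijacked": hijacked,
        "victim_password_after_hijack": weak.users["victim@example.com"]["password"],
        "attacker_got_mail": "attacker@example.net" in strong.outbox,
        "victim_got_mail": "victim@example.com" in strong.outbox,
        "replies_identical": reply_known == reply_unknown,
        "guess_worked": strong.complete_reset("not-the-real-token", "attacker-chosen"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The insecure flow treats three facts that are routinely leaked or guessable (and, for users who skipped the field, one that is a constant) as the secret, and then hands the result to whatever address the requester supplies; the hardened flow never lets the requester choose the recipient, keeps the reset secret random, hashed, single-use and short-lived, and answers identically for known and unknown accounts so the same form cannot be used to enumerate users. Rate limiting of reset requests, which would have slowed the automated attack the article goes on to describe, is a further control not shown here.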
The company said the attack appears to have been automated: around 900 accounts were targeted and charged a total of about ¥55 million (roughly $500,000). 7-Eleven Japan confirmed that it has disabled the feature by stopping the app from charging linked cards, posted a warning on the 7pay website and suspended new account registrations. It said it will compensate users whose accounts were hijacked and has already set up a support line.
An official from Japan's Ministry of Economy, Trade and Industry warned 7-Eleven Japan that it needed to improve its security substantially, noting that it had not followed basic security guidelines. Japanese authorities have arrested two people who were attempting to use a hijacked account; the detainees may be connected to, or have been hired by, a Chinese crime ring known for using stolen identities online.