Flaw in 7-Eleven Japan mobile payment app allows hackers to steal USD 500k

Monday 8 July 2019 10:20 CET | News

A flaw in the mobile payments feature of the 7Pay app from 7-Eleven Japan allowed third parties to make fraudulent charges on hundreds of customer accounts.

As a result, 7-Eleven Japan, a Japanese-American international chain of convenience stores, posted a warning on the 7pay feature's website and stopped registering new users. The 7pay mobile app was designed to show a barcode on the phone's screen when customers reach the 7-Eleven cashier counter. The cashier scans the barcode, and the purchased goods are charged to the user's 7pay account and to the credit or debit cards the customer has saved in that account.

The app contained a poorly designed password reset function: anyone could request a password reset for another person's account and have the reset link delivered to an email address of their own choosing rather than to the address registered to the account. An attacker only needed to know a user's date of birth, email address and phone number, and could then direct the reset link to any other email address and take over the account.
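To make the design flaw concrete, the following added example (written for this article, not code from 7-Eleven Japan or the 7pay app, and using constructed account data) models a password reset service in two forms: a vulnerable handler that lets the requester choose the delivery mailbox, exactly the pattern described above, and a hardened handler that accepts no recipient parameter and sends the link only to the address already on the account. All class and function names here are assumptions for illustration.

```python
"""Password reset: attacker-chosen recipient (flawed) vs. account-bound recipient (hardened).

Added example, not 7pay's code. Account data below is constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    phone: str
    birthdate: str
    password: str


@dataclass
class ResetService:
    accounts: dict                                   # registered email -> Account
    outbox: list = field(default_factory=list)       # (recipient, token) mails "sent"
    tokens: dict = field(default_factory=dict)       # reset token -> account email

    def _identity_matches(self, acct, phone, birthdate):
        # Constant-time comparison of the knowledge-based identifiers.
        return (hmac.compare_digest(acct.phone, phone)
                and hmac.compare_digest(acct.birthdate, birthdate))

    def _issue_token(self, account_email):
        token = secrets.token_urlsafe(32)            # unguessable, single-use
        self.tokens[token] = account_email
        return token

    def request_reset_vulnerable(self, email, phone, birthdate, send_to):
        """Flawed design: the caller decides where the reset link is delivered."""
        acct = self.accounts.get(email)
        if acct is None or not self._identity_matches(acct, phone, birthdate):
            return False
        token = self._issue_token(email)
        self.outbox.append((send_to, token))         # attacker-controlled mailbox
        return True

    def request_reset_hardened(self, email, phone, birthdate):
        """Hardened design: no recipient parameter exists; the link can only
        reach the address already registered to the account."""
        acct = self.accounts.get(email)
        if acct is not None and self._identity_matches(acct, phone, birthdate):
            token = self._issue_token(email)
            self.outbox.append((acct.email, token))
        return True          # same answer either way, so callers cannot enumerate accounts

    def complete_reset(self, token, new_password):
        email = self.tokens.pop(token, None)         # token is consumed on first use
        if email is None:
            return False
        self.accounts[email].password = new_password
        return True


def attack(use_hardened_flow):
    """Run the takeover attempt against one of the two flows.

    Returns True if the attacker ends up controlling the victim's password."""
    victim = Account("victim@example.com", "090-0000-0000", "1990-01-01", "original")
    svc = ResetService(accounts={victim.email: victim})
    attacker_mailbox = "attacker@example.net"

    # The attacker knows the victim's email, phone number and date of birth.
    if use_hardened_flow:
        svc.request_reset_hardened(victim.email, victim.phone, victim.birthdate)
    else:
        svc.request_reset_vulnerable(victim.email, victim.phone, victim.birthdate,
                                     send_to=attacker_mailbox)

    # The attacker can only read mail delivered to their own mailbox.
    stolen = [tok for (rcpt, tok) in svc.outbox if rcpt == attacker_mailbox]
    if not stolen:
        return False
    return svc.complete_reset(stolen[0], "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable flow, account taken over:", attack(use_hardened_flow=False))
    print("hardened flow, account taken over:  ", attack(use_hardened_flow=True))
```

The hardened variant also answers identically whether or not the account exists, so the reset endpoint cannot be used to confirm which email addresses are registered; that does not by itself fix the weak identity check (date of birth and phone number are not secrets), but it removes the attacker-chosen delivery address that turned a guessable identity check into a full account takeover.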

7-Eleven users began complaining about being locked out of their 7pay accounts a day after the app launched. The attackers appear to have automated the attack: according to the company, around 900 individuals had their accounts targeted, with fraudulent charges totalling roughly USD 500,000. The company says affected users will be compensated and that it will set up a support line.

Japanese authorities have since arrested two individuals attempting to use a hacked account, and believe that they might be connected to (or had been hired by) a Chinese crime ring known for using stolen identities online, according to The Verge.


Keywords: 7-Eleven Japan, Japan, mobile app, security, fraud prevention, 7Pay, hackers, stolen funds
Countries: World
