7-Eleven Japan’s weak app security led to a $500,000 customer loss

7-Eleven Japan's mobile payment app had such poor security that the company shut it down only a couple of days after its release. On Thursday, 7-Eleven Japan suspended the recently launched mobile payment feature of its 7pay app after a flaw allowed third parties to make bogus charges against hundreds of customer accounts.

In an announcement explaining the issue, the company admitted that attackers had broken into about 900 user accounts and charged 55 million yen (about $507,000) in fraudulent purchases to the debit and credit cards on file, in the window between July 1st, when 7pay rolled out, and July 3rd, when the payment service was suspended. 7pay let customers pay by scanning a barcode in the app, with the charge going to a linked credit or debit card. The company received its first complaint the day after launch, from a customer who noticed a charge they had not made.

According to ZDNet, the app's poorly designed password-reset flow was to blame. Instead of sending the reset only to the email address already on file, the app let the requester specify any destination address. An attacker who knew a victim's email address, phone number and date of birth could therefore request a reset and have the new password delivered to a mailbox the attacker controlled. The app also stored January 1st, 2019 as the default birth date for users who left the field blank, so for those accounts the one "secret" in the check was a fixed, guessable value. Email, phone number and date of birth are exactly the profile fields that leak through data breaches and social media, which is why a reset flow has to prove control of the registered mailbox or phone rather than mere knowledge of account details.
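To make the design failure concrete, here is an added example (not 7-Eleven's or ZDNet's code, and not the real 7pay implementation) that models the flaw described above in Python: a reset handler that checks email, phone and birth date and then mails a new password to whatever address the requester supplies, beside a hardened flow that mails an unguessable, short-lived, single-use token only to the address on file. The account data, the attacker address and the `DEFAULT_BIRTHDATE` constant are constructed for the demo; `hash_password` is a stand-in for a real password KDF.

```python
"""Vulnerable vs hardened password reset, modelled on the 7pay flaw (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEFAULT_BIRTHDATE = "2019-01-01"  # the silent default the article describes


@dataclass
class Account:
    email: str
    phone: str
    birthdate: str
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_expires: float = 0.0


def hash_password(pw: str) -> str:
    # Demo stand-in only: production code uses a slow KDF (argon2/bcrypt/scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    """Constructed sample accounts; 'bob' never filled in a birthdate."""
    return {
        "alice@example.com": Account("alice@example.com", "080-1111-2222",
                                     "1990-05-17", hash_password("alice-pw")),
        "bob@example.com": Account("bob@example.com", "080-3333-4444",
                                   DEFAULT_BIRTHDATE, hash_password("bob-pw")),
    }


def reset_vulnerable(db, email, phone, birthdate, send_to, outbox):
    """Weak design: knowledge-based identity check, and the requester chooses
    where the new password is mailed. Returns the new password for the demo."""
    acct = db.get(email)
    if acct is None or acct.phone != phone or acct.birthdate != birthdate:
        return None
    new_pw = secrets.token_urlsafe(9)
    acct.password_hash = hash_password(new_pw)  # reset happens before any proof of mailbox control
    outbox.append((send_to, f"Your new password: {new_pw}"))
    return new_pw


def request_reset_hardened(db, email, outbox):
    """Sends an unguessable, short-lived, single-use token only to the address
    on file. The response is identical whether or not the account exists."""
    acct = db.get(email)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
        acct.reset_expires = time.time() + 15 * 60
        outbox.append((acct.email, f"https://example.invalid/reset?token={token}"))
    return "If that address is registered, a reset link has been sent."


def complete_reset_hardened(db, email, token, new_pw, now=None):
    """Accepts the token once, within its lifetime, compared in constant time."""
    now = time.time() if now is None else now
    acct = db.get(email)
    if acct is None or acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    acct.reset_token_hash = None  # single use
    acct.password_hash = hash_password(new_pw)
    return True


def attacker_takeover_demo():
    """Attack on the vulnerable flow: the attacker knows Bob's email and phone,
    guesses the default birthdate, and redirects the reset mail to themselves."""
    db, outbox = make_db(), []
    stolen = reset_vulnerable(db, "bob@example.com", "080-3333-4444", DEFAULT_BIRTHDATE,
                              "attacker@example.net", outbox)
    return (stolen is not None and outbox[-1][0] == "attacker@example.net"
            and db["bob@example.com"].password_hash == hash_password(stolen))


def hardened_blocks_redirect_demo():
    """Same attacker against the hardened flow: no way to choose the mailbox,
    a guessed token fails, the real token works once and cannot be replayed."""
    db, outbox = make_db(), []
    request_reset_hardened(db, "bob@example.com", outbox)
    to_addr, link = outbox[-1]
    real_token = link.split("token=")[1]
    guessed_ok = complete_reset_hardened(db, "bob@example.com", secrets.token_urlsafe(32), "x")
    legit_ok = complete_reset_hardened(db, "bob@example.com", real_token, "new-bob-pw")
    replay_ok = complete_reset_hardened(db, "bob@example.com", real_token, "again")
    return to_addr == "bob@example.com" and not guessed_ok and legit_ok and not replay_ok
```

The hardened flow never uses the birth date or phone number as an authentication factor at all: the only thing that resets the password is possession of a token that was delivered to the registered mailbox, and a wrong or expired token is rejected without revealing whether the account exists.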

The company has promised to compensate everyone affected by the breach. Japanese authorities arrested two Chinese men who attempted to pay for purchases worth thousands of dollars using stolen 7pay IDs, and now believe an international group, which includes a hacker, may be involved. While the incident is still under investigation, the country's Ministry of Economy, Trade and Industry has determined that the company failed to follow guidelines for preventing unauthorized access, and is urging it to strengthen its security measures if it wants to relaunch 7pay in the future.
