On July 1, 2019, the Japanese retail holdings giant Seven & i launched a smartphone payment app called 7pay to be used country-wide in its 7-Eleven stores. The app allowed customers to do their shopping and then present a bar code on their phones to the cashier. This would then be scanned and the amount charged to the payment card linked to that account.1 If the payment app had proved successful, Seven & i planned to roll out the app across all of its retail interests.
However, the very next day, the company began to receive reports of unauthorized transactions. Money was being transferred from customer bank accounts onto the 7pay app and then spent on goods by a third party. The complaints continued to escalate during the following day – both to customer services and also across social media platforms such as Twitter. During that time, around 900 customers had a combined total of 55 million yen ($510,000) stolen from their accounts.2 Finally, on July 3rd, Seven & i was forced to suspend the service. From this date no new customers could be registered, and existing users could not load funds into their 7pay accounts. However, customers with existing balances could still make payments.
At a press conference, Tsuyoshi Kobayashi, the president of 7pay Co., apologized for the security breach and promised to compensate all those who had been affected. However, when asked why the app had not used the standard security protocol of two-step authentication, he did not seem to be aware of what it was.3 That the chief executive of a digital payment app was seemingly unaware of something so basic struck many in the cybersecurity business as, to put it mildly, shockingly negligent. It is unknown what company developed the software for Seven & i, but it seems safe to speculate that not enough due diligence or oversight was involved in the undertaking.
On that same Thursday, two Chinese nationals were arrested attempting to fraudulently buy goods in a Tokyo 7-Eleven store using a stolen account. They later claimed that they had been asked to go on a ‘shopping trip’ by an unnamed person on WeChat, a Chinese messaging app, and given instructions on how to use misappropriated 7pay IDs to purchase the goods. One of the men used eight different IDs to buy 146 cartons of cigarettes from one store, and another 19 cartons were later discovered in his car.4 Questions should also be asked about the involvement of the shopkeeper, who must have been aware that the men’s activity and purchases were far from normal. It is thought that a Chinese crime organization was behind the attack, but no further details on the investigation have been revealed.
So how was it so easy to get access to 7pay accounts? The principal and most appalling flaw was in the password reset function. A hacker could request a password reset for an account for which they already knew the customer’s email address, date of birth, and phone number (all easily discovered from social media). The reset form even allowed the new password to be sent to a third-party email address specified by the hacker. It was as simple as that – no need to buy stolen credit card details, clone cards, or alter the app’s code. And as if things weren’t bad enough already, if a customer had not entered a date of birth, the reset form defaulted to January 1, 2019, so that value satisfied the check for every such account. With such a gaping hole in 7pay’s security, it is a wonder that more money wasn’t stolen.5
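The reset logic described above, modelled as an added example (this is not 7pay’s actual code, and the account data is constructed): a flawed handler that exhibits the three defects the text names beside a hardened one that accepts no destination field, refuses to verify an account with no date of birth on record, and sends only a one-time token to the address already on file. A second factor such as a code to the registered phone would be the natural further step.

```python
"""Constructed model of the 7pay-style reset flaw and a hardened flow."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    email: str
    phone: str
    birthdate: str  # ISO date, or "" when the customer never entered one
    password: str = "initial"

# Constructed sample accounts; alice never entered a date of birth.
ACCOUNTS: Dict[str, Account] = {
    "alice@example.com": Account("alice@example.com", "090-1111-2222", ""),
    "bob@example.com": Account("bob@example.com", "080-3333-4444", "1985-03-02"),
}
DEFAULT_DOB = "2019-01-01"  # the fallback value the article describes

def insecure_reset(email: str, phone: str, birthdate: str,
                   deliver_to: str) -> Optional[Tuple[str, str]]:
    """Flawed flow: publicly discoverable facts are the only check, a missing
    birthdate silently falls back to a fixed default, and the new password is
    sent to whatever address the requester supplies."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.phone != phone:
        return None
    if (acct.birthdate or DEFAULT_DOB) != (birthdate or DEFAULT_DOB):
        return None
    acct.password = secrets.token_urlsafe(8)
    return deliver_to, acct.password  # destination chosen by the requester

PENDING: Dict[str, str] = {}  # one-time token -> account email

def secure_reset(email: str, phone: str, birthdate: str) -> Optional[Tuple[str, str]]:
    """Hardened flow: there is no destination field, an account with no
    birthdate on record cannot be verified this way, and only a short-lived
    token goes to the registered address. Callers should answer identically
    whenever None is returned so account existence is not disclosed."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct.birthdate:
        return None
    if acct.phone != phone or acct.birthdate != birthdate:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[token] = acct.email
    return acct.email, token

def finish_reset(token: str, new_password: str) -> bool:
    """Consume the one-time token; an unknown or replayed token fails."""
    email = PENDING.pop(token, None)
    if email is None:
        return False
    ACCOUNTS[email].password = new_password
    return True
```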
The beleaguered 7pay system was finally scrapped on September 30, even though it has been reported that around 400,000 account holders still have funds lying in their accounts. On October 10, Kobayashi, the man responsible for the failed payment service, resigned, and it was revealed that Seven & i’s president, Ryuichi Isaka, and vice president Katsuhiro Goto were to take a 30% pay cut as a result of the debacle.6 The company does not have any plans for a replacement payment app at present but said it did not rule out a future scheme when such digital payments were more common.
The issues with 7pay, and with another pay-by-smartphone app, PayPay, in December 2018, have not inspired confidence in cashless payments in Japan. The PayPay case was slightly different in that hackers used stolen payment card details to buy goods and claim back a promotional 20% rebate, but there was a similar lack of stringent security.7 Japan has one of the lowest cashless transaction rates in the world, and the Japanese government is keen to encourage its people to change this, aiming for 40% of all payments to be cashless by the middle of the 2020s. To this end, on October 1, it raised the consumption tax rate on most goods and services (excluding food) from 8% to 10% while at the same time offering a 5% rebate in some stores to those paying by electronic methods.8 While this would prove economically advantageous for both customers and the country, it remains to be seen whether there is enough faith in the security of such systems.
- ‘Two of Japan’s biggest convenience store chains launch their own mobile payment services’, The Japan Times, 07/01/2019, accessed at https://www.japantimes.co.jp/news/2019/07/01/business/two-japans-biggest-convenience-store-chains-launch-mobile-payment-services/#.Xam9BSV7nXQ
- Catalin Cimpanu, ‘7-Eleven Japanese Customers Lose $500,000 Due to Mobile App Flaw’, ZDNet, 07/04/2019, accessed at https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/
- Patrick St. Michel, ‘Convenience Store Operator Struggles in Wake of Security Fiasco’, The Japan Times, 07/13/2019, accessed at https://www.japantimes.co.jp/news/2019/07/13/national/media-national/convenience-store-operator-struggles-wake-security-fiasco/#.XanCjCV7nXQ
- Ian Murphy, ‘Japan Arrest Over 7pay Breach’, Enterprise Times, 07/08/2019, accessed at https://www.enterprisetimes.co.uk/2019/07/08/japan-arrest-over-7pay-breach/
- ‘Seven & i Chief to Face Pay Cut Over 7pay Hack’, nippon.com, 10/10/2019, accessed at https://www.nippon.com/en/news/yjj2019101001112/seven-&-i-chief-to-face-pay-cut-over-7pay-hack.html
- Jeremy Kirk, ‘Japan’s Credit Card Fraud Debacle’, Bank Info Security, 02/13/2019, accessed at https://www.bankinfosecurity.com/japans-december-credit-card-fraud-debacle-a-12021
- ‘Seven-Eleven Mobile Pay Hack Hits Japan’s Drive to go Cashless’, Nikkei Asian Review, 07/06/2019, accessed at https://asia.nikkei.com/Business/Companies/Seven-Eleven-mobile-pay-hack-hits-Japan-s-drive-to-go-cashless