Hundreds of 7-Eleven customers who downloaded a new mobile payment app in Japan were robbed out of hundreds of thousands of dollars due to some staggeringly idiotic security lapses in the app.
Yahoo Japan reports that 7-Eleven Japan released the 7pay app on July 1, and within a day customers started complaining about suspicious charges to their linked payment cards. On July 3, the company confirmed accounts could be accessed by third parties and announced it would stop charging credit and debit cards through the app.
According to the Yahoo report, hackers simply needed to input a customer’s birthdate, phone number, and email address to request a password reset link. But it seems that a hacker could even request that the reset link be sent to whatever email address they wanted. It also seems that if a customer hadn’t entered a birthdate, then the app would default to January 1, 2019, which would make it even easier for a fraudster to gain access.
According to 7-Eleven parent company Seven & I Holdings Co., 900 people were affected by the screw-up and about ¥55 million (a little more than $500,000, depending on exchange rates) was collectively stolen. “We will compensate for all the damage to the customers who suffered from this matter,” a translated version of the company’s statement reads. “We will thoroughly investigate the cause of this issue and plan improvement measures for a drastic solution.”
While U.S. residents may not expect much from a 7-Eleven payment app, the poor design is surprising considering 7-Eleven Japan’s parent company also owns Seven Bank, which operates ATMs at 7-Eleven stores throughout the country.
The Japan Times reports that the Japan Ministry of Economy, Trade and Industry decided that Seven & I Holdings Co. failed to follow proper financial guidelines and did not make sufficient effort to protect customers’ security.
According to the newspaper, Tokyo police have arrested at least two men suspected of illegally using the 7pay app to buy over $6,000 worth of e-cigarette pods. Police believe the men may be involved in a larger cybercrime ring.