Hackers nabbed $500K from customers of 7-Eleven's mobile app.
The company has now suspended use of its mobile payment service while it investigates 7Pay’s security procedures, or lack thereof. In a statement released at the end of last week, 7-Eleven admitted that hackers had accessed the app and made bogus transactions affecting 900 customers to the tune of $506,000.
On Saturday, July 6, the Japan Times reported the arrest of two Chinese men who may be connected to the hack, with one of them suspected of attempted fraud after paying 730,000 yen (about $6,750) to purchase nearly 150 cartons of e-cigarette cartridges from a 7-Eleven store in Tokyo, allegedly using stolen IDs.
7Pay worked using a bar code that appeared on the customer’s smartphone, with a cashier scanning it to charge the cost of the items to the customer’s linked debit or credit card.
ZDNet reported that the app was so poorly designed that it allowed anyone with knowledge of a customer’s email address, date of birth, and phone number to take over an account.
The hacker did this by using the data to reset an account’s password, with the reset link able to be sent to the hacker’s email address instead of the account owner’s. The hacker could then take control of the account.
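The reset logic described above, shown next to a version that mails the link only to the address on file. This is an added example, not 7Pay's code; the account store, the function names and the `send_to` request field are assumptions made for illustration.

```python
import secrets

# Constructed sample data: one account and an outbox standing in for sent e-mail.
ACCOUNTS = {"owner@example.com": {"dob": "1990-01-01", "phone": "09000000000"}}
OUTBOX = []  # (recipient, reset_token) pairs


def _details_match(email, dob, phone):
    acct = ACCOUNTS.get(email)
    return acct is not None and (acct["dob"], acct["phone"]) == (dob, phone)


def reset_flawed(email, dob, phone, send_to=None):
    """Flaw as described: the requester can name where the link is sent.

    `send_to` is a hypothetical request field used for illustration.
    """
    if not _details_match(email, dob, phone):
        return None
    recipient = send_to or email  # caller-controlled destination
    OUTBOX.append((recipient, secrets.token_urlsafe(32)))
    return recipient


def reset_hardened(email, dob, phone, send_to=None):
    """The link goes only to the address on file; `send_to` is ignored."""
    if not _details_match(email, dob, phone):
        return None
    # Email, birth date and phone number are not secrets, so they only gate
    # the request. Control of the registered mailbox is what proves ownership.
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return email
```

Both functions return the address the link was mailed to so the difference is visible; a production endpoint would return the same response whether or not the account exists.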
The Japanese government got involved, with the Ministry of Economy, Trade, and Industry accusing 7-Eleven of failing to properly adhere to guidelines preventing such unauthorized access. The company, which operates more than 20,000 stores in Japan, has apologized for the mishap and promised to fully reimburse those affected.