Police in Japan have arrested two Chinese men accused of fraud linked to the breach of 7-Eleven Japan's 7pay app. The two men, named as Zhang Sheng, 22, and Wang Yunfei, 25, have denied that they were responsible for the breach of the app.
Zhang claims he responded to a request via WeChat from someone who wanted help doing some shopping. After registering as a 'friend' of that person, he went to a 7-Eleven store to buy cigarettes. Police have said that Zhang used up to eight different IDs in one store alone. At that store he attempted to purchase 146 cartons of cigarettes worth ¥730,000 (£5,400).
Wang was arrested in a nearby car where police found an additional 19 cartons of cigarettes. He claims that a relative in China had told him there was a part-time job where he could make money quickly. He was put in touch with a man who told him he needed someone to drive a car in Shinjuku.
One question police will want answered is why the shopkeeper allowed Zhang to use multiple IDs to buy cigarettes.
What went wrong with the 7pay app?
7-Eleven Japan launched its own contactless payment smartphone app on July 1st. Like other payment apps such as Apple Pay, it requires the user to link it to a credit or debit card. At the till, the user simply shows the barcode in the app to the shopkeeper and the purchase is charged to the user's 7pay account.
Within a day, cyber criminals had worked out how to steal money from it. Over 900 customers lost around ¥55 million (£405,000) by the time 7-Eleven Japan shut down the app on July 3rd. The company has promised to refund all affected customers.
What made the theft easy was the way the app handled password resets. The only information required was the user's email address, date of birth and telephone number. According to ZDNet, the app also accepted a default date of birth, so an attacker who did not know the real one could simply supply the default.
To compound this, the reset request let the requester enter an alternative email address, and the app sent the reset link there rather than to the address registered on the account. An attacker therefore needed no access to the victim's mailbox: knowing an email address and phone number was enough to take over the account and spend against the linked card.
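The two weaknesses above, side by side with a reset flow that closes them, as an added example written for this page (it is not 7-Eleven Japan's code and the article does not show how 7pay was implemented). The `Account` fields, the placeholder `DEFAULT_DOB` value, the in-memory "outbox" and the token lifetime and rate limits are assumptions for the illustration.

```python
"""Password reset: the flaw the article describes beside a hardened flow.

Added illustration, not 7-Eleven Japan's code. The Account fields, DEFAULT_DOB,
the in-memory outbox and the limits below are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical placeholder: the article says the app fell back to a default
# date of birth but does not say what that value was.
DEFAULT_DOB = "2019-01-01"


@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]        # None: the user never entered a date of birth
    password_hash: str = ""


class VulnerableReset:
    """Reset flow with the two weaknesses the article describes."""

    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
        self.outbox = []      # (recipient, token) pairs the server "emailed"

    def request_reset(self, email, dob, phone, send_to):
        acct = self.accounts.get(email)
        if acct is None:
            return False
        stored_dob = acct.dob or DEFAULT_DOB         # flaw 1: a missing DOB matches the default
        if stored_dob != dob or acct.phone != phone:
            return False
        self.outbox.append((send_to, secrets.token_urlsafe(16)))  # flaw 2: requester picks the recipient
        return True


class HardenedReset:
    """Same inputs minus send_to: the link goes only to the address on file, there is
    no default DOB, tokens are hashed, single-use and time-limited, requests are
    rate-limited per account, and the response never reveals whether the account exists."""
    TOKEN_TTL = 15 * 60       # seconds a reset token stays valid
    MAX_REQUESTS = 3          # reset requests per account per WINDOW
    WINDOW = 60 * 60

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.outbox = []
        self.now = now        # injectable clock so expiry can be exercised
        self._tokens = {}     # sha256(token) -> (email, expiry); raw tokens are never stored
        self._attempts = {}   # email -> timestamps of recent requests

    def _rate_limited(self, email):
        t = self.now()
        recent = [s for s in self._attempts.get(email, []) if t - s < self.WINDOW]
        self._attempts[email] = recent + [t]
        return len(recent) >= self.MAX_REQUESTS

    def request_reset(self, email, dob, phone):
        """Always returns None: the caller learns nothing about existence or match."""
        acct = self.accounts.get(email)
        if acct is None or self._rate_limited(email) or acct.dob is None:
            return None                              # no silent default when no DOB is on file
        # both fields must match exactly; compare_digest avoids timing leaks
        if not (hmac.compare_digest(acct.dob, dob) and hmac.compare_digest(acct.phone, phone)):
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (acct.email, self.now() + self.TOKEN_TTL)
        self.outbox.append((acct.email, token))      # only the registered address is ever used
        return None

    def consume(self, token, new_password):
        """Redeem a token once; unknown, already-used or expired tokens are rejected."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)       # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        salt = secrets.token_bytes(16)
        kdf = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.accounts[email].password_hash = salt.hex() + ":" + kdf.hex()
        return True


if __name__ == "__main__":
    # Constructed sample account: the victim never entered a date of birth.
    victim = [Account("victim@example.com", "090-0000-0000", dob=None)]
    weak = VulnerableReset(victim)
    # attacker knows email + phone, supplies the default DOB and routes the link to themselves
    print(weak.request_reset("victim@example.com", DEFAULT_DOB, "090-0000-0000",
                             send_to="attacker@example.net"))     # True
    strong = HardenedReset(victim)
    strong.request_reset("victim@example.com", DEFAULT_DOB, "090-0000-0000")
    print(strong.outbox)                                         # []
```

The point of the hardened flow is not any single control: removing the attacker-chosen recipient alone would still let an attacker with mailbox access and the default DOB through, and removing the default alone would still leak reset links to whoever asked. The knowledge factors stay weak either way, which is why the reset link must only ever reach a channel the account owner already controls.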
The result was hundreds of compromised accounts. Had the criminals waited a little longer, however, they could have swept up thousands and made much more money.
7-Eleven ordered to tighten security
The report from Japan Today says that: “The Economy, Trade and Industry Ministry has determined the operator, Seven & i Holdings Co., failed to strictly follow guidelines to prevent unauthorized access and warned providers of similar services to ensure they confirm the identity of users.”
In April the Payments Japan Association (PJA) published its guidelines for mobile payments (in Japanese). They require merchants to verify that the app is being used on the device the user originally installed it on, which stops a third party installing the app elsewhere and logging in with stolen credentials. 7-Eleven chose not to do this.
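One way to implement the device check the guideline calls for, as an added example that is not 7-Eleven Japan's or the PJA's code: at first install the server issues the device a key, and every payment request must carry an HMAC computed with that key, so credentials stolen from one user cannot be used from an app installed on a different handset. The message format, the per-device key scheme, the freshness window and the in-memory stores are assumptions for the illustration; a production app would keep the key in the platform keystore rather than in process memory.

```python
"""Device binding for a payment app.

Added illustration of the principle behind the PJA guideline the article cites
(verify the app runs on the device it was installed on). Not 7-Eleven Japan's or
the PJA's code: the message format, the per-device HMAC key and the in-memory
stores are assumptions for the example.
"""
import hashlib
import hmac
import json
import secrets
import time


class PaymentServer:
    FRESHNESS = 120   # seconds a request timestamp may differ from server time

    def __init__(self, now=time.time):
        self.now = now
        self.device_keys = {}     # (account, device_id) -> key issued at enrollment
        self.seen_nonces = set()  # nonces already accepted (replay protection)

    def enroll_device(self, account, device_id):
        """Run once, at install time, after the user has logged in on that device.
        Returns the key the app stores; stolen credentials alone never pass through here."""
        key = secrets.token_bytes(32)
        self.device_keys[(account, device_id)] = key
        return key

    @staticmethod
    def mac(key, payload):
        """HMAC over a canonical JSON encoding so app and server sign identical bytes."""
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def authorize(self, payload, tag):
        """Return 'ok' or the reason the payment was refused."""
        key = self.device_keys.get((payload["account"], payload["device_id"]))
        if key is None:
            return "unknown device"      # app installed elsewhere with stolen credentials
        if not hmac.compare_digest(self.mac(key, payload), tag):
            return "bad signature"       # right device_id but wrong key, or tampered payload
        if abs(self.now() - payload["ts"]) > self.FRESHNESS:
            return "stale"
        if payload["nonce"] in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(payload["nonce"])
        return "ok"


class PaymentApp:
    """Client side: builds a payment request and signs it with the enrolled device key."""

    def __init__(self, account, device_id, key, now=time.time):
        self.account, self.device_id, self.key, self.now = account, device_id, key, now

    def pay(self, amount_yen):
        payload = {
            "account": self.account,
            "device_id": self.device_id,
            "amount": amount_yen,
            "ts": int(self.now()),
            "nonce": secrets.token_hex(8),
        }
        return payload, PaymentServer.mac(self.key, payload)


if __name__ == "__main__":
    server = PaymentServer()
    key = server.enroll_device("alice", "alice-phone")
    alice = PaymentApp("alice", "alice-phone", key)
    print(server.authorize(*alice.pay(730_000)))                    # ok
    # attacker has Alice's password but installed the app on another handset
    mallory = PaymentApp("alice", "mallory-phone", secrets.token_bytes(32))
    print(server.authorize(*mallory.pay(730_000)))                  # unknown device
```

Binding the key to the device only helps if enrolling a second device is harder than the password reset was; an enrollment step that accepts the same email, phone and date of birth would simply move the weak point one screen along.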
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented: "Such a flagrant password reset vulnerability notoriously stands out among common security flaws. However, the vast majority of modern e-commerce websites and mobile apps do have critical vulnerabilities allowing the takeover of clients' accounts, the stealing of funds or access to sensitive data from other accounts.
“Customers should avoid entrusting large sums of money or credit cards to any websites or apps unless they are certain that the company thoughtfully invests in its application security and privacy. Companies on their side should implement continuous monitoring of all their external applications (including APIs) and consider enhancing automated monitoring with AI or human competence.”
Enterprise Times: What does this mean?
Retailers are increasingly offering their own apps to speed up the buying process. They know that if they can shorten the gap between looking and buying, customers spend more. To make this work, however, they need customers to hand over payment details so that they can click and check out.
On the whole, shoppers are happy with this. They seem willing to enter payment card details into apps and trust the retailer to keep them secure. In this case, however, customers were let down by a retailer that seemingly ignored the basics of good security. A weak password reset mechanism, reliance on default data and a failure to follow industry guidelines all show that 7-Eleven Japan exercised no duty of care towards the customers who trusted it.
It will be interesting to see whether 7-Eleven attempts to relaunch 7pay in the near future. If it does, will customers trust it? Will Japan's Economy, Trade and Industry Ministry demand that 7-Eleven submit any future version of the app for testing? Will the Payments Japan Association use this incident to create a list of tested and trusted payment applications? It could go further and create a certification scheme for retailers that would also protect the public.