Posted on July 5, 2019 at 10:11 AM
7-Eleven’s Flawed App Exploited: Japanese Users Lose $510,000 to Hackers
Hacking incidents continue just as strongly as before, with the newest victims being Japan’s 7-Eleven customers. According to recent reports, around 900 of them were hit by a new hacking attack that targeted the flawed 7pay app, hijacking accounts and making illegal charges in their names. The victims were robbed of around ¥55 million, or $510,000.
What happened?
As mentioned, the incident is the result of a security flaw in the payment app's design. The app itself is very new, having been launched only this Monday, July 1st, by 7-Eleven Japan. The app, known as 7pay, was designed to show a barcode on the screen of the user's smartphone once they reach the cashier counter in a 7-Eleven store.
The cashier would then scan the barcode, and the user would be charged for the purchased goods through the app. If the user has a credit or debit card saved as part of their account, the amount would be charged to that card, and the process would be completed.
The problem stemmed from the app's password reset function, which was very poorly designed. Simply put, it allowed pretty much anyone to request a password reset. Even worse, the new password would be sent to an email address, instead of reaching the app user directly.
In other words, a hacker who happened to know a user's email address, phone number, and birth date would be able to reset the password. Furthermore, the hacker could enter a third-party email address and request that the reset link be sent there, instead of to the address owned by the legitimate user.
Not only that, but if a user had not provided their actual birth date, the app would just use a default one: January 1st, 2019. Reports of the incident say that this made the attacks even easier, and that it reduced the amount of specific information that the hacker needed to acquire about the users. Not that it would be difficult to get most of the necessary data, as Japanese users have fallen victim to numerous hacking attacks and breaches targeting large websites and companies. It is rather easy for any hacker to obtain this information and misuse it for their own purposes.
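A reset handler that closes the three weaknesses described above, as an added example that is not 7-Eleven's code: it ignores any caller-supplied destination address, refuses to treat the default birth date as proof of identity, and mails a single-use, expiring token instead of a password. The function names, the sample accounts, the in-memory stores and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

DEFAULT_BIRTH_DATE = "2019-01-01"  # placeholder stored when no birth date was given
TOKEN_TTL = 15 * 60                # seconds a reset token stays valid (assumed value)

# Constructed sample data; a real service would use its database and mailer.
ACCOUNTS = {
    "alice@example.jp": {"phone": "09012345678", "birth_date": "1988-04-12"},
    "bob@example.jp": {"phone": "08087654321", "birth_date": DEFAULT_BIRTH_DATE},
}
RESET_TOKENS = {}  # sha256(token) -> (account email, expiry timestamp)
OUTBOX = []        # (recipient, token) pairs standing in for sent mail
GENERIC_REPLY = "If the details match, a reset link was sent to the address on file."


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


def request_reset(email, phone, birth_date, send_to=None, now=None):
    """Handle a reset request; send_to is accepted only to show it is ignored."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email, {"phone": "", "birth_date": ""})
    verified = (
        email in ACCOUNTS
        and _same(acct["phone"], phone)
        and _same(acct["birth_date"], birth_date)
        # A publicly known default value is not evidence of identity.
        and acct["birth_date"] != DEFAULT_BIRTH_DATE
    )
    if verified:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (email, now + TOKEN_TTL)  # only the hash is stored
        OUTBOX.append((email, token))  # always the address on file, never send_to
    return GENERIC_REPLY  # same reply either way, so accounts cannot be enumerated


def redeem(token, now=None):
    """Return the account email for a valid token, consuming it; otherwise None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```

An account that still carries the default birth date, like the constructed `bob@example.jp` entry, cannot be reset through this path at all and would need a separate recovery channel.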
7-Eleven promises compensation
As the news of the incident spread, more and more users started complaining to 7-Eleven, claiming that they were locked out of their accounts. The company’s branch in Japan, 7-Eleven Japan, acted on these reports on July 3rd, shutting down the service in hopes of stopping further incidents.
One day after that, on July 4th, the company released an official statement explaining what happened in the past few days, and admitting that hackers stole around ¥55 million after hijacking around 900 accounts. Not only that, but 7-Eleven also promised to compensate the victims.
Meanwhile, it is unknown whether anyone will try to seek out the hackers, but it is known that two Chinese men were arrested in Tokyo yesterday for attempting to buy cigarettes with someone else’s 7pay account. Many now speculate that the two may have been behind the attack, or that they are at least somehow connected to it.