If you’re going to release an app that involves not only private information about your users but also their financial information, you better make sure that the app is secure and hacker proof. But apparently, the developers of 7-Eleven’s new 7pay mobile payment app forgot that part. After launching last July 1 in Japan, around 900 customers had their accounts hijacked and lost a collective half a million dollars to hackers. 7-Eleven immediately reacted by shutting down the app and promises to compensate the affected users.
The reason why this happened in the first place is because the app had a poorly designed password reset function, according to an article on ZDNet. How the app works is pretty simple. You create an account and link your credit or debit card to it. When you buy stuff at 7-Eleven, you show a barcode to the cashier and they scan it, therefore charging your purchases to your card. It sounds pretty cut and dried yes?
But the aforementioned function allowed a user to request a password reset for an account and have it sent to a different 3rd-party email address instead of the registered one from the actual user. So if a person knows your email, date of birth, and phone number. And if a user didn’t enter a birthday upon registration, the app would be default January 1, 2019. Given that there have been numerous past breaches of apps and services in Japan, all that information can be easily acquired by hackers.
A day after the launch, users began complaining that they got locked out of their accounts and some noticed unauthorised charges. 7-Eleven immediately shut down the app after the complaints and a review of the app’s security protocols (which they should have done before launch). They also admitted that almost 900 accounts were compromised and illegal charges were made amounting to 55 million yen or $510,000.
Two Chinese men in their 20s were arrested in Tokyo for trying to use another person’s 7pay account to buy cigarettes. However, there is no information yet if they are the ones responsible for the hack or they just had access to a couple of hacked 7pay accounts.