In recent years, companies like Apple, Google, and Samsung have worked to mainstream mobile payment technology in the United States. However, a recent incident in Japan suggests digital wallets may not be as ultra-secure as they seem.
On July 1, 7-Eleven Japan launched a mobile payment system called 7Pay. Three days later, the company suspended the program after discovering hackers used it to steal ¥55 million ($507,619).
How Hackers Stole from 7-Eleven Japan Customers
Like most digital wallet systems, 7Pay allowed users to perform transactions at the point of sale (POS) using their payment card-linked smartphones. However, the company’s network architecture had a significant security flaw. Hackers could reset users’ passwords with publicly accessible data like date of birth, email address, and phone number. Even worse, consumers who didn’t supply a birthdate had it listed as January 1, 2019, by default.
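The reset weakness described above, sketched beside a hardened flow. This is an added illustration, not 7Pay's code: the `Account` model, the function names, and the emailed single-use token design are assumptions chosen to show why profile data alone should not authorize a password reset.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from datetime import date

# Placeholder birthdate the article says was stored when the user gave none.
DEFAULT_DOB = date(2019, 1, 1)

@dataclass
class Account:  # hypothetical account record
    email: str
    phone: str
    dob: date
    reset_hash: str = ""
    reset_expiry: float = 0.0

def weak_reset_allowed(acct, email, phone, dob):
    """Flawed pattern: knowing profile data is treated as proof of identity."""
    return (email, phone, dob) == (acct.email, acct.phone, acct.dob)

def has_placeholder_dob(acct):
    """Audit check: this account's birthdate 'secret' is a known constant."""
    return acct.dob == DEFAULT_DOB

def issue_reset_token(acct, now=None, ttl=900):
    """Hardened: random single-use token, stored hashed, sent only to the address on file."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).hexdigest()
    acct.reset_expiry = (time.time() if now is None else now) + ttl
    return token  # delivered to acct.email, never returned to the requester

def redeem_reset_token(acct, token, now=None):
    """Accept the reset only for an unexpired, unused token."""
    now = time.time() if now is None else now
    if not acct.reset_hash or now > acct.reset_expiry:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    ok = hmac.compare_digest(digest, acct.reset_hash)
    if ok:
        acct.reset_hash = ""  # single use
    return ok

if __name__ == "__main__":
    # Constructed sample account; no real user data.
    victim = Account("user@example.com", "090-0000-0000", DEFAULT_DOB)
    print(weak_reset_allowed(victim, victim.email, victim.phone, DEFAULT_DOB))
    token = issue_reset_token(victim)
    print(redeem_reset_token(victim, "guess"), redeem_reset_token(victim, token))
```
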
Due to the program’s lack of security, malicious operators seized control of hundreds of 7Pay accounts and made over $500,000 in fraudulent purchases. Once affected users told 7-Eleven Japan about the problem, the company suspended the app’s payment functionality.
However, Japanese authorities determined that before that happened, criminals had gained unauthorized access to 900 consumers’ accounts.
The Japanese Ministry of Economy, Trade, and Industry found that the convenience store franchise was at fault for the breach because it didn’t observe local cybersecurity mandates. The agency further stated the company didn’t take adequate steps to verify the identity of its users.
Currently, 7-Eleven Japan is in the process of contacting and compensating users who had their accounts accessed by the cyber attackers.
The severity of the 7Pay data breach may affect the Japanese government’s ongoing mobile payments initiative. Last year, Tokyo set a goal for the rate of nationwide cashless transactions to reach 40 percent by 2025.
The Perils of Branded Mobile Payment Systems
Mobile payment systems have the potential to make U.S. consumer transactions safer and more efficient. Because they utilize encryption schemes like tokenization at POS, cashless apps are theoretically more secure than credit cards.
For instance, in April, 2.15 million people had their credit card data stolen in a franchise restaurant data breach. However, if those individuals had used digital wallets, hackers would’ve been unable to capture their payment information. Similarly, Caribou Coffee and Marriott Hotel customers wouldn’t have had their data exposed last year if they had utilized a cashless payment solution.
But consumers only get that high-grade data security if they do business with a quality mobile payments provider. Indeed, the Federal Deposit Insurance Corporation recently noted that more cashless app companies need to utilize robust cybersecurity tools to protect their users’ payment information. Furthermore, the agency stated that not all providers are following safety regulations regarding the handling of credit card data at the server level.
When multinational corporations release branded mobile payment systems but don’t account for those risks, consumers end up paying the price. As an example, British Airways suffered a mobile payment system data breach that affected 380,000 customers in late 2018.
Given their tech industry resources, companies like Apple and Google can provide consumers with robust data protection. Moreover, they have the skills and tools necessary for detecting patterns of fraudulent behavior. Historically, businesses like 7-Eleven and British Airways, which lack vast financial and digital infrastructure resources, haven’t had those capabilities. Accordingly, large firms may benefit from depending on Visa and MasterCard in the mobile payment sector.