
7-Eleven payment app was hacked; $500k USD stolen

According to web application security testing specialists, 7-Eleven Japan suspended the mobile payment feature it had just added to its 7Pay app after a third party exploited a vulnerability to make fraudulent charges against hundreds of customers.

The mobile payments feature had been released on Monday, July 1. It let users scan a barcode in the app to pay with the card linked to their account. Within hours of the launch, the company began receiving reports of unauthorized charges.

The vulnerability was exploited by unidentified attackers. According to web application security testing experts, an attacker needed only three pieces of information about a victim: date of birth, email address and phone number. With those, the attacker submitted a password reset request for the victim's account, and the reset link was delivered to an email address controlled by the attacker rather than to the account's registered address.

The attackers automated hundreds of password reset requests, compromising nearly a thousand accounts and generating roughly ¥55M (around $500k USD) in fraudulent charges.
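The reset flow described above is worth seeing in code. The block below is an added illustration, not 7Pay's code, and the account data, addresses and limits in it are constructed. `vulnerable_request_reset` reproduces the pattern in the article: three near-public facts count as proof of identity, and the reset link is sent to whatever address the requester supplies. `ResetService` shows the hardened version: the link goes only to the registered address, the token is random, hashed at rest, single-use and time-limited, requests are throttled per account and per source address, and the response is the same whether or not the account exists, so the endpoint cannot be used to enumerate users.

```python
"""Password-reset flow: the pattern described in the article beside a hardened
one. Added example with constructed data; not 7Pay's code."""
import hashlib
import secrets
import time

# Constructed sample account store (not real 7Pay data).
USERS = {
    "alice@example.com": {
        "dob": "1990-04-12",
        "phone": "080-0000-0001",
        "password": "old-password",
    },
}


def _lookup(email, dob, phone):
    """Return the account if email, date of birth and phone all match."""
    user = USERS.get(email)
    if user and user["dob"] == dob and user["phone"] == phone:
        return user
    return None


def vulnerable_request_reset(email, dob, phone, send_to, outbox):
    """The flaw described above: 'identity' is three near-public facts and the
    reset link goes to whatever address the requester supplies."""
    if _lookup(email, dob, phone) is None:
        return False
    outbox.append((send_to, secrets.token_urlsafe(32)))  # attacker picks send_to
    return True


class ResetService:
    """Hardened flow: link only to the registered address, random single-use
    token with expiry, throttling per account and per source address, and the
    same response whether or not the account exists."""

    def __init__(self, max_per_account=3, max_per_source=20,
                 window_s=3600, ttl_s=900):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.window_s = window_s
        self.ttl_s = ttl_s
        self.tokens = {}        # sha256(token) -> (email, expiry)
        self.account_hits = {}  # email -> [timestamps]
        self.source_hits = {}   # source address -> [timestamps]
        self.outbox = []        # (destination, token): stands in for email delivery

    def _over_limit(self, table, key, limit, now):
        """Sliding-window counter: True if key already hit the limit."""
        hits = [t for t in table.get(key, []) if now - t < self.window_s]
        if len(hits) >= limit:
            table[key] = hits
            return True
        hits.append(now)
        table[key] = hits
        return False

    def request_reset(self, email, dob, phone, source_addr, now=None):
        now = time.time() if now is None else now
        if self._over_limit(self.source_hits, source_addr, self.max_per_source, now):
            return "throttled"
        # Per-account throttle and unknown accounts both answer "ok", so the
        # caller learns nothing about whether the account exists.
        if self._over_limit(self.account_hits, email, self.max_per_account, now):
            return "ok"
        if _lookup(email, dob, phone) is None:
            return "ok"
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + self.ttl_s)
        self.outbox.append((email, token))  # registered address only; no caller choice
        return "ok"

    def redeem(self, token, new_password, now=None):
        """Consume a token once; reject unknown or expired tokens."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None or now > entry[1]:
            return False
        USERS[entry[0]]["password"] = new_password
        return True
```

The per-account throttle is keyed on the email before the identity check, so guessing dates of birth against one account is rate-limited too; the trade-off is that an attacker can temporarily deny the legitimate user a reset, which is why the limit is per account rather than global and why the window is short.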

Through its website, the company announced that the vulnerable feature has been suspended and that new 7Pay registrations are closed for the time being. Users who reported that their accounts were compromised will be compensated by 7-Eleven, and the company has opened a dedicated support line for users with questions about the security of their data.

Japan's financial and data protection regulators had previously recommended that the company strengthen the weakest points of its IT infrastructure, but it appears the company did not act on those recommendations.

According to web application security testing specialists from the International Institute of Cyber Security (IICS), Japanese authorities opened an investigation immediately after receiving the report and found two individuals attempting to use one of the compromised accounts. They are likely connected to the individual or group behind the attack.
