¥27mn Stolen from NTT Docomo E-Money Accounts

Japanese banks, payment providers and even the government have been forced to respond to a spate of thefts from e-money bank accounts linked to phone apps that permit instant withdrawals, reports The Japan Times. The thefts have occurred because weak identity checks allowed fraudsters to create unauthorized accounts with their apps before linking them to the bank accounts of other people.

It has been confirmed that JPY26.76mn (USD260,000) has been stolen from bank accounts using the e-money app of NTT Docomo, Japan’s largest mobile phone operator. Thefts using the NTT Docomo service have been reported from 11 of the 35 banks that they had partnered with; the majority of those thefts came from accounts held with Japan Post Bank. NTT Docomo Senior Executive Vice President Seiji Maruyama admitted that identity checks were insufficient during a press conference at the telco’s Tokyo headquarters.

Japan Post Bank responded to the revelations by suspending registrations of new accounts and transfers for eight e-money services that have not implemented two-factor authentication. Internal Affairs Minister Sanae Takaichi gave a statement confirming that five other payment providers have joined NTT Docomo in reviewing the extent of thefts using their service, with Z Holdings, a subsidiary of Softbank, reporting that JPY1.41mn (USD13,500) was stolen using their PayPay mobile phone service.

Japan’s financial regulator stated it will talk to all 77 of Japan’s online fund transfer services to determine if there is further evidence of theft, and has asked for improvements in identity checks. In the meantime, Minister Takaichi urged Japan Post Bank customers to check their accounts for unexpected withdrawals.

Anyone can register for the NTT Docomo e-money service by providing an email address, and they do not need to sign a contract with the telco, meaning it is easier to obtain the e-money service than to subscribe to a new mobile phone connection. It is believed the criminals obtained the bank account numbers and passwords of their victims in advance of registering for the e-money service, which was then used to make withdrawals. Customers of the e-money service can use it to transfer up to JPY300,000 from linked bank accounts per month, as well as making payments at shops using their smartphones.

Japan has a bad reputation for lax controls surrounding its phone-based money services. Last year Japan’s 7-Eleven convenience stores had to suspend use of a new payment service just three days after its launch following the theft of JPY55mn (USD510,000) from customers. And last year there were also multiple cases of improper withdrawals from Resona Bank and Saitama Resona Bank accounts linked to NTT Docomo’s e-money service, but the telco seemingly failed to improve identity checks in response and did not inform other partner banks about the frauds.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.