Japanese banks, payment providers and even the government have been forced to respond to a spate of thefts from e-money bank accounts linked to phone apps that permit instant withdrawals, reports The Japan Times. The thefts have occurred because weak identity checks allowed fraudsters to create unauthorized accounts with their apps before linking them to the bank accounts of other people.
It has been confirmed that JPY26.76mn (USD260,000) has been stolen from bank accounts using the e-money app of NTT Docomo, Japan’s largest mobile phone operator. Thefts using the NTT Docomo service have been reported from 11 of the 35 banks that they had partnered with; the majority of those thefts came from accounts held with Japan Post Bank. NTT Docomo Senior Executive Vice President Seiji Maruyama admitted that identity checks were insufficient during a press conference at the telco’s Tokyo headquarters.
Japan Post Bank responded to the revelations by suspending registrations of new accounts and transfers for eight e-money services that have not implemented two-factor authentication. Internal Affairs Minister Sanae Takaichi gave a statement confirming that five other payment providers have joined NTT Docomo in reviewing the extent of thefts using their service, with Z Holdings, a subsidiary of Softbank, reporting that JPY1.41mn (USD13,500) was stolen using their PayPay mobile phone service.
Japan’s financial regulator stated it will talk to all 77 of Japan’s online fund transfer services to determine if there is further evidence of theft, and has asked for improvements in identity checks. In the meantime, Minister Takaichi urged Japan Post Bank customers to check their accounts for unexpected withdrawals.
Anyone can register for the NTT Docomo e-money service by providing an email address, and they do not need to sign a contract with the telco, meaning it is easier to obtain the e-money service than to subscribe to a new mobile phone connection. It is believed the criminals obtained the bank account numbers and passwords of their victims in advance of registering for the e-money service, which was then used to make withdrawals. Customers of the e-money service can use it to transfer up to JPY300,000 from linked bank accounts per month, as well as making payments at shops using their smartphones.
Japan has a bad reputation for lax controls surrounding its phone-based money services. Last year Japan’s 7-Eleven convenience stores had to suspend use of a new payment service just three days after its launch following the theft of JPY55mn (USD510,000) from customers. And last year there were also multiple cases of improper withdrawals from Resona Bank and Saitama Resona Bank accounts linked to NTT Docomo’s e-money service, but the telco seemingly failed to improve identity checks in response and did not inform other partner banks about the frauds.