20.5k unique visitors in the last 3 days

Thefts Force Suspension of Jap Mobile Payment Service on Third Day after Launch

Criminals took control of 900 accounts for a new payments app from the Japanese operators of 7-Eleven convenience stores.

Basic security flaws allowed JPY55mn (USD510k) to be stolen from 900 customer accounts during the first week of operations for a major Japanese mobile payment service. Seven & i Holdings Co., who manage 7-Eleven convenience stores in Japan, launched their 7pay service on Monday last week, but later issued a press release (in Japanese, see here) stating it had been withdrawn on Wednesday, following a spate of thefts from customer accounts. They promised to compensate all customers affected.

ZDNet reported that criminals could easily change the passwords of other users, allowing them to take over their accounts. They could then use these accounts to make large purchases.

The 7pay mobile app was designed to show a barcode on the phone’s screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user’s 7pay app and the customer’s credit or debit cards that have been saved in the account.

However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people’s accounts, but have the password reset link sent to their email address, instead of the legitimate account owner.

Japan Today reported that 1.5mn customers had registered for the 7pay service, and that two suspected fraudsters were already in custody.

Police arrested two Chinese men on Thursday in connection with the problem, investigative sources said. They are suspected of illegally using the ID and password of a customer Wednesday in an attempt to buy electric cigarette cartridges worth around 200,000 yen at a 7-Eleven shop in Tokyo.

Japan Today explained that the fraudsters purchased cigarettes in order to sell them again.

The items included packs of cigarettes, which can be easily converted into cash… a huge quantity worth 100,000 yen was purchased all at once at one of its outlets.

Japanese businesses have been world leaders in many fields, including electronics and car manufacturing. However, anecdotal evidence suggests Japanese cultural norms may be a major inhibition to the adoption of modern risk management disciplines including revenue assurance, fraud management and cybersecurity. The failure of 7pay follows widespread abuse of a promotion of PayPay, another Japanese smartphone payments app, and the hacking of Japanese clothes manufacturer Uniqlo. Each incident reinforces the belief that the importance attached to face (mentsu) in Japanese culture makes it difficult for corporate staff to discuss the possibility of fundamental flaws in systems, making it less likely that businesses will invest in disciplines that would prevent mistakes or detect them after they have occurred.

Japanese business philosophies like Kaizen have shown the rest of the world how to continuously improve quality and curtail errors in physical processes like the making of automobiles. However, errors in the digital realm can remain hidden indefinitely, unless there is a genuine commitment to make them transparent. Businesses must actively search for flaws in digital processes in order to identify them, or else risk that enterprising criminals will exploit them first. Japanese corporations need to invest in risk disciplines that are fit for this century’s business models, or they will let customers down and fall behind in the race to deliver advanced digital services.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email