Basic security flaws allowed JPY55mn (USD510k) to be stolen from 900 customer accounts during the first week of operations for a major Japanese mobile payment service. Seven & i Holdings Co., who manage 7-Eleven convenience stores in Japan, launched their 7pay service on Monday last week, but later issued a press release (in Japanese, see here) stating it had been withdrawn on Wednesday, following a spate of thefts from customer accounts. They promised to compensate all customers affected.
ZDNet reported that criminals could easily change the passwords of other users, allowing them to take over their accounts. They could then use these accounts to make large purchases.
The 7pay mobile app was designed to show a barcode on the phone’s screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the purchase is charged through the user’s 7pay account to the credit or debit cards saved in that account.
However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for another person’s account and have the reset link sent to an email address of the requester’s choosing, instead of to the address registered by the legitimate account owner.
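To make the flaw concrete, here is an added illustration (not 7pay’s code, nor anything from Seven & i) of a reset handler that mails the link to a request-supplied address, beside a hardened handler that mails only the address on record, issues single-use expiring tokens, and answers identically whether or not the account exists. The account store, outbox and sample data are constructed in memory for the example.

```python
import secrets
import time

# Constructed sample data: the email address on record for each account.
ACCOUNTS = {"alice": "alice@example.com"}


class ResetService:
    """Issues and redeems password-reset tokens; 'sent' mail lands in outbox."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.tokens = {}     # token -> (user_id, expiry timestamp)
        self.outbox = []     # (recipient, token) pairs the service "mailed"
        self.passwords = {}  # user_id -> stored password hash (constructed)

    def _issue(self, user_id, recipient):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.tokens[token] = (user_id, time.time() + self.ttl)
        self.outbox.append((recipient, token))
        return token

    def reset_vulnerable(self, user_id, send_to):
        """Flawed design: the link goes wherever the request says,
        so the requester, not the account owner, receives it."""
        if user_id in ACCOUNTS:
            return self._issue(user_id, send_to)
        return None

    def reset_hardened(self, user_id):
        """Fixed design: the link goes only to the address on record, and the
        caller gets the same reply whether or not the account exists."""
        email = ACCOUNTS.get(user_id)
        if email is not None:
            self._issue(user_id, email)
        return "If that account exists, a reset link has been sent."

    def redeem(self, token, new_password_hash):
        """Consume a token once, before expiry; returns the account it unlocks
        or None if the token is unknown, already used, or expired."""
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            return None
        user_id, _ = entry
        self.passwords[user_id] = new_password_hash
        return user_id
```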
Japan Today reported that 1.5mn customers had registered for the 7pay service, and that two suspected fraudsters were already in custody.
Police arrested two Chinese men on Thursday in connection with the problem, investigative sources said. They are suspected of illegally using the ID and password of a customer Wednesday in an attempt to buy electric cigarette cartridges worth around 200,000 yen at a 7-Eleven shop in Tokyo.
Japan Today explained that the fraudsters purchased cigarettes in order to sell them again.
The items included packs of cigarettes, which can be easily converted into cash… a huge quantity worth 100,000 yen was purchased all at once at one of its outlets.
Japanese businesses have been world leaders in many fields, including electronics and car manufacturing. However, anecdotal evidence suggests Japanese cultural norms may be a major inhibition to the adoption of modern risk management disciplines including revenue assurance, fraud management and cybersecurity. The failure of 7pay follows widespread abuse of a promotion of PayPay, another Japanese smartphone payments app, and the hacking of Japanese clothes manufacturer Uniqlo. Each incident reinforces the belief that the importance attached to face (mentsu) in Japanese culture makes it difficult for corporate staff to discuss the possibility of fundamental flaws in systems, making it less likely that businesses will invest in disciplines that would prevent mistakes or detect them after they have occurred.
Japanese business philosophies like Kaizen have shown the rest of the world how to continuously improve quality and curtail errors in physical processes like the making of automobiles. However, errors in the digital realm can remain hidden indefinitely, unless there is a genuine commitment to make them transparent. Businesses must actively search for flaws in digital processes in order to identify them, or else risk that enterprising criminals will exploit them first. Japanese corporations need to invest in risk disciplines that are fit for this century’s business models, or they will let customers down and fall behind in the race to deliver advanced digital services.