Hackers Slurp $500,000 Through 7-Eleven Mobile Payment AppPoor Password Reset Process Proves Too Convenient, as 900 Customers Affected
Hundreds of 7-Eleven customers in Japan collectively lost about $500,000 over the course of several days this week after hackers accessed a new mobile payment app that had poor password and user authentication security, according to several media reports and company statements.
On Thursday, 7-Eleven's corporate division in Japan released a statement acknowledging that about 900 customers had been affected, and the company is investigating. The mobile payment app, called "7pay," is no longer in use, the company added.
All together, the company estimates that customers lost about ¥55 million or approximately $507,000 over several days, according to the statement. 7-Eleven is also planning to reimburse customers for any losses.
Not Designed for Security
It's not clear yet what caused the problem with the app, which 7-Eleven only released July 1 for customers in Japan, but some customers told Yahoo Japan that if hackers knew or guessed the date of birth, email address and the phone number of a victim, they could reset and change 7pay passwords.
It also appears that 7-Eleven didn't design two-factor authentication into the app since the password reset did not require an SMS message or another notification to the user before changing the password, according to Yahoo Japan.
Instead, the password reset link would be sent to an email address that hackers could then use to reset the password and access the app, as well as credit card and other information stored within the platform, the Yahoo Japan article shows.
By Thursday, 7-Eleven customers took to Twitter in Japan to show how easily it is to bypass the 7pay password reset:
In addition, some users told Yahoo Japan that when registering for the iOS version of the 7pay app, if no date of birth was entered, the platform would default to January 1, 2019. This also shows that cybercriminals could reset the app and get a new password without the date of birth by only using an email address and phone number.
Data Breaches in Japan
After the issue first surfaced on social media and in local media over the course of the week, 7-Eleven in Japan updated its 7pay user agreement, which noted the problems and that the app would be suspended.
"Therefore, we will stop charging with credit card and debit card until the security of the transaction is confirmed, cash charge at Seven Bank ATM, charge at nanaco points, Seven-Eleven storefront cash register. We will only charge cash. We will inform you as soon as the prospect of reopening is reached," according to a translated version of the user agreement that the company posted.
It's not certain how hackers gained dates of birth, email addresses and phone numbers of the victims in this case, but Japan has seen a number of credential stuffing attacks in the past, where cybercriminals take personally identifiable information posted on dark net forums and attempt to match that data with the user in order to take more data.
In May, for example, Fast Retailing, which owns several of Japan's biggest retail clothing chains, warned customers of an incident that could have exposed personal information, including email addresses and partial credit card information, of more than 460,000 of the company's online customers (see: Hack of Japanese Retailer Exposes 460,000 Customer Accounts).
In that case, the company found that attackers used "list type account" - or credential stuffing - techniques to guess passwords and users names, to steal or access even more data.
These types of attacks are becoming much more common worldwide.
Security vendor Akamai released a study earlier this year that found approximately 30 billion credential stuffing attempts during the course of 2018. That comes to about 115 million credential stuffing attempts each day, with a spike of 250 million potential attacks each day during certain times of the year.