7-Eleven launches probe into mobile payments app hack

Convenience store chain 7-Eleven has launched an investigation into its mobile payments security, after hackers stole 55 million yen (£400,000) from Japanese customers just a week after the firm’s payment app was launched across its 21,000 stores.

The Japanese-American company confirmed 900 customers had been affected by the hack on Thursday, with the Japanese government also stepping in to declare the service was insecure. The mobile payment service has been suspended and two men have been arrested.

One of the major flaws in the payment security appeared to be a lack of two-factor authentication. In a statement released on Friday, the firm said it will introduce a “7pay” two-step certification, review the upper limit per charge, introduce “comprehensive security” and review its current practice. It said it “deeply apologises” for the inconvenience caused.

It is not clear how the hackers obtained the victims' dates of birth, email addresses and phone numbers, which were necessary to hack into the app; they may have obtained them on the dark web.

Without two-factor authentication in place, a password reset can be sent to a separate email address used by hackers, with no SMS or other notification. Once the password is reset, the hackers can then access payment details stored on the platform.
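The reset weakness described above can be shown side by side with a hardened flow. This is an added example, not 7pay's code: the `Account` fields, the `Outbox` stand-in for email and SMS gateways, and all function names are hypothetical, and the sample values in use are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:                      # hypothetical account record
    email: str                      # address registered at sign-up
    phone: str
    dob: str
    reset_hash: Optional[str] = None

@dataclass
class Outbox:                       # stands in for real email/SMS gateways
    sent: list = field(default_factory=list)
    def send(self, channel, to, body):
        self.sent.append((channel, to, body))

def _knows_profile(acct, dob, phone):
    same = lambda a, b: hmac.compare_digest(a.encode(), b.encode())
    return same(acct.dob, dob) and same(acct.phone, phone)

def _digest(*parts):
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def weak_reset(acct, dob, phone, send_to, outbox):
    """Weak: profile data is the only check and the caller picks the destination."""
    if not _knows_profile(acct, dob, phone):
        return False
    token = secrets.token_urlsafe(32)
    acct.reset_hash = _digest(token)
    outbox.send("email", send_to, token)        # nothing reaches the owner
    return True

def hardened_reset(acct, dob, phone, send_to, outbox):
    """Hardened: registered channels only, plus a second factor over SMS."""
    if not _knows_profile(acct, dob, phone):
        return False
    token, otp = secrets.token_urlsafe(32), f"{secrets.randbelow(10**6):06d}"
    acct.reset_hash = _digest(token, otp)       # both halves needed to finish
    outbox.send("email", acct.email, token)     # send_to is deliberately ignored
    outbox.send("sms", acct.phone, otp)         # doubles as the owner's alert
    return True

def complete_reset(acct, token, otp):
    """Accept the new password only if token and OTP both match, once."""
    if acct.reset_hash is None:
        return False
    ok = hmac.compare_digest(acct.reset_hash, _digest(token, otp))
    if ok:
        acct.reset_hash = None                  # single use
    return ok
```

In the hardened flow, leaked dates of birth and phone numbers alone are not enough: the reset token and the one-time code only ever travel to the channels the account owner registered.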

According to the Meeker Internet Trends 2019 report, 52% of websites globally supported two-factor authentication.

However, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said that the vast majority of modern eCommerce websites and mobile apps have critical vulnerabilities allowing the takeover of clients’ accounts, the stealing of funds or access to sensitive data from other accounts.

Speaking to Essential Retail, he said: “Unfortunately these days, both major businesses and specialist start-ups are working in very aggressive and competitive marketplaces and they frequently have to release something as soon as possible without really thinking about security and privacy.”

The company has been keen to break into mobile payments, with plans to expand the service to other retailers. However, Kolochenko notes that in its eagerness to play catch-up, it appears to have missed a couple of basic security points.

Japan ranks lower than its Asian peers for cashless transactions, while the government has set a target of 40% for cashless transactions by the mid-2020s, according to the Nikkei Asian Review.

Consumer finance writer Akio Iwata said Japan stands out for its generous reward programs. As a result, "the market has overheated, and the quality of services has declined in some cases," he said.