$500K stolen from 7pay app due to insufficient mobile payment security

7-Eleven Inc., the international convenience-store chain, is best known for its business in Japan, where it operates stores in more than 6,000 locations. On July 1st, 2019, 7-Eleven Japan launched '7pay', a mobile app meant to make in-store payments effortless for customers and merchants alike.

Within days, however, attackers exploited a flaw in the app's account-recovery process to steal more than $500,000, and the parent company suspended the payment service immediately.

7pay is a mobile payment app in the same category as Walmart Pay and Amazon Pay: it lets customers pay merchants in-store without relying on NFC.

The attackers found that the app's password reset function let the requester choose the e-mail address to which the reset link was sent, rather than sending it only to the address registered on the account. Anyone who knew a 7pay user's registered e-mail address, date of birth and phone number could therefore have the reset link delivered to an address they controlled, set a new password, and take full control of the account and the money in it.

The flaw was compounded by the way the app handled dates of birth: users who never entered one had it set automatically to January 1st, 2019, which turned a supposedly secret recovery factor into a predictable default. Attackers used this to siphon about 55 million yen (roughly $510,000) from more than 900 accounts. 7pay services were shut down on July 3rd, 2019 as a result.
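To make the two weaknesses described above concrete, here is an added example (not 7pay's code; the account data, phone numbers and the hypothetical `OUTBOX` mail stub are all constructed for illustration) of a password-reset handler that behaves the way the article describes, beside a hardened version that sends the link only to the registered address, refuses to treat an unset birthdate as a valid factor, and answers uniformly so the caller learns nothing about which factor failed.

```python
# Added example, not code from 7pay or 7-Eleven. Models the two flaws the
# article describes: (1) the reset link goes to a caller-supplied address,
# (2) an unset date of birth silently becomes the predictable 2019-01-01.
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_DOB = "2019-01-01"   # placeholder the flawed app fell back to


@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]               # None means the user never entered one
    reset_token: Optional[str] = None


# Constructed sample accounts (hypothetical). "alice" never set a birthdate.
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "+81-90-0000-0001", None),
    "bob@example.com":   Account("bob@example.com",   "+81-90-0000-0002", "1985-06-15"),
}

# Stand-in for the mail server: (recipient, token) pairs a real service would e-mail.
OUTBOX: List[Tuple[str, str]] = []


def _send_reset_mail(recipient: str, token: str) -> None:
    OUTBOX.append((recipient, token))


def effective_dob(acct: Account) -> str:
    """Flawed behaviour: a missing birthdate is treated as 2019-01-01."""
    return acct.dob if acct.dob is not None else DEFAULT_DOB


def vulnerable_reset(email: str, phone: str, dob: str, send_to: str) -> bool:
    """Flawed flow: checks the knowledge factors, then mails the reset link to
    whatever address the request names instead of the registered one."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.phone != phone or effective_dob(acct) != dob:
        return False
    token = secrets.token_urlsafe(32)
    acct.reset_token = token
    _send_reset_mail(send_to, token)        # attacker controls send_to
    return True


def hardened_reset(email: str, phone: str, dob: str) -> str:
    """Hardened flow: no destination parameter at all, an unset birthdate is
    never a valid factor, and the response is the same whether or not the
    details matched (no account or factor enumeration)."""
    acct = ACCOUNTS.get(email)
    ok = (
        acct is not None
        and acct.dob is not None                     # unset factor == fail
        and hmac.compare_digest(acct.phone, phone)
        and hmac.compare_digest(acct.dob, dob)
    )
    if ok:
        token = secrets.token_urlsafe(32)
        acct.reset_token = token
        _send_reset_mail(acct.email, token)          # registered address only
    return "If the details match an account, a reset link has been sent."


def attacker_takeover(target_email: str, phone: str, dob: str,
                      attacker_email: str) -> Optional[str]:
    """The scenario from the article: the attacker knows the victim's e-mail,
    phone and (defaulted) birthdate, and harvests the token from their own inbox."""
    OUTBOX.clear()
    if not vulnerable_reset(target_email, phone, dob, attacker_email):
        return None
    for recipient, token in OUTBOX:
        if recipient == attacker_email:
            return token
    return None


if __name__ == "__main__":
    tok = attacker_takeover("alice@example.com", "+81-90-0000-0001",
                            DEFAULT_DOB, "evil@example.net")
    print("vulnerable flow leaked token to attacker:", tok is not None)
    OUTBOX.clear()
    hardened_reset("alice@example.com", "+81-90-0000-0001", DEFAULT_DOB)
    print("hardened flow sent mail:", bool(OUTBOX))
```

Note that the hardened version only closes the two holes the article names. A production reset flow would also rate-limit attempts per account and per source, expire tokens quickly, bind the token to a single use, and notify the registered address whenever a reset is requested, so the legitimate owner sees an attempt they did not make.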

Note: The 7-Eleven brand dates back to 1927, when it began as Tote'm Stores; the chain now has some 68,286 licensed stores operating in more than 17 countries.

On July 8th, 2019, Japan's Ministry of Economy, Trade and Industry issued a warning to the operator, Seven & i Holdings Co., over the lax security of the payment app.

Two Chinese nationals have been identified as suspects in the theft, and one of them was arrested on Saturday after buying 146 cartons of electronic-cigarette cartridges at 7-Eleven outlets in Tokyo with the stolen funds.

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
