A Badly Designed Payment App Causes $500 Thousand in Damages for Japanese 7-Eleven Customers
As we all know, Japan is often among the first countries to embrace a new piece of technology and to implement it in people's everyday lives. In light of all this, many of you will probably be surprised to learn that the Land of the Rising Sun is severely lagging behind in one particular aspect of living in the 21st century – cashless payment.
It does sound strange at first, but the low crime rates and the Japanese love of banknotes and coins mean that back in 2015, more than 80% of all payments in Japan were processed using cash. By contrast, during the same period, the rate in traditionally conservative China stood at about 40%, and in South Korea, a whopping 89% of all payments were made with either banking cards or payment applications and services. The Japanese government and individual retailers like 7-Eleven are determined to change things.
The Japanese branch of the convenience store chain decided to launch its own application which would allow users to pay in every single one of the country's 21 thousand 7-Eleven stores. Rather predictably, the app's name is 7pay, and its idea is simple enough. The user registers an account and provides, among other things, their email address and their phone number. They then attach their banking card to the account, and every time they need to pay for goods at a 7-Eleven store, they launch the app, which generates a barcode. The barcode is scanned by the cashier, the user's card is charged automatically, and the payment is processed. That was the idea anyway.
A woefully bad password reset mechanism leaves 7pay users fuming
The 7pay app was launched on July 1, and people started complaining about it almost immediately. Shortly thereafter, it turned out that the application's developers had made a mistake that can only be described as unforgivable.
As many of you probably know, in most cases, in order to reset a password for an online account, the service provider sends a link to the email address associated with that account. This ensures that only the account owner can reset the password.
7pay's password reset function requested the user's phone number and date of birth in addition to the email address, which sounds like a more secure approach. Then, however, it allowed the password reset link to be sent to an email address that is not associated with the account.
In other words, if you knew a 7pay user's email address, phone number, and date of birth, you had the option of having their password reset link sent to your own inbox. After resetting the password, you would be able to go to any 7-Eleven store in Japan, and enjoy a bit of shopping at your victim's expense. To make things worse, the application decided that all users who hadn't entered their dates of birth were born on January 1, 2019, which made the attackers' job even easier.
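The two mistakes described above, modelled side by side with a hardened version, as an added illustration that is not 7pay's code (the account store, field names and `flawed_reset`/`hardened_reset` functions are constructed for this example):

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample account store for the example; not real user data.
@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]  # None when the user never entered a date of birth

ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "090-0000-0001", "1985-04-12"),
    "bob@example.com": Account("bob@example.com", "090-0000-0002", None),
}

def flawed_reset(email: str, phone: str, dob: str, send_to: str) -> Optional[Tuple[str, str]]:
    """Models the flaw in the article: the knowledge check passes, but the reset
    token is mailed to a caller-supplied address, and a missing date of birth is
    silently defaulted to a fixed, guessable value. Returns (recipient, token)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    stored_dob = acct.dob or "2019-01-01"  # the fixed default described in the article
    if acct.phone != phone or stored_dob != dob:
        return None
    return (send_to, secrets.token_urlsafe(32))  # token goes to whoever asked for it

def hardened_reset(email: str, phone: str, dob: str) -> Optional[Tuple[str, str]]:
    """Hardened version: there is no destination parameter at all, the token can
    only go to the address on record, and an account without a stored date of
    birth cannot pass the knowledge check. The HTTP reply to the caller should be
    identical in every case so that accounts cannot be enumerated."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.dob is None:
        return None
    phone_ok = secrets.compare_digest(acct.phone, phone)
    dob_ok = secrets.compare_digest(acct.dob, dob)
    if not (phone_ok and dob_ok):
        return None
    return (acct.email, secrets.token_urlsafe(32))  # delivered only to the owner
```

The key control is that the recipient of the reset link is looked up server-side from the account record, never accepted from the request.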
The crooks didn't need a second invitation
It didn't take long for the cybercriminals to find and exploit the security flaw. On July 2, 7-Eleven Japan received the first report from a user who had seen unauthorized charges to their banking card. On the next day, the convenience store giant realized what the problem was and immediately disabled the 7pay application, but by that time, approximately 900 users had already seen around 55 million Japanese Yen or just over $500 thousand getting siphoned off from their bank accounts.
Last week, ZDNet reported that two Chinese individuals had been arrested in Tokyo after trying to pay for some electronic cigarettes with a compromised 7pay account, though it's still unclear whether they are the only ones responsible for the attack. 7-Eleven promised that it will conduct a thorough investigation into what went wrong, and it said that all victims will get their money back, which is the only right thing to do at this point.
In the end, the innocent victims shouldn't suffer any long-lasting damages, and we can only hope that at least some of the crooks get what they deserve. Nothing will change the fact, however, that the 7pay application wasn't supposed to be on users' devices with such a gaping security hole waiting to be exploited.