7-Eleven mobile payment users lose ¥55 million by unauthorized access

An average of 61,000 yen per user.

Of direct debit functioned as it does in any other country and was accepted widely by stores there'd be no nees for the one hundred and one new payment formats now emerging. Rakuten pay, Fami pay, Pay pay, Line pay etc etc.

I'm sure they're all prime targets for hackers and savy fraudsters. Especially with Japan's rather patchy record of cyber security.

Due to the rigidity of the Japanese employment system and salary structure companies wind up with crap code writers allowing for frequent data breaches like this one. I was told by a recruiter some time ago that programmers and data analysts cannot earn more than their managers who are usually just paper pushers.

Sounds like 7-11 has no idea how it happened. There are no facts to this story except money was stolen.

About 1.5 million users have registered for the payment app. There is a possibility that their personal information, including email addresses and birthdates, might have been browsed.

Not such an ii kibun eh?

@Vernon Watts

Your post reminds me a poster on Gaijinpot a while ago. He was a young Silicon Valley hotshot programmer who one day married a Japanese woman.

She insisted they relocate to Japan (Nagoya!). He figured why not, Japan is such a hi-tech society, right? He goes job hunting, and is shocked by the salaries and working conditions he’s offered by several local IT firms: around 180K (reduced to around 140k after deductions) a month, 10 days off a year, and expected to hang around the office 10-12 hours a day. He stresses his outstanding experience and skills, and the fact he was earning nearly 10 times the amount in the US and they don’t budge. His wife says he should take one of the offers anyway. He wants to go home.

So, yeah, this critical programming work is done by underpaid, exploited workers. The firms, as in this case, are paying the price of being amateurish cheapskates and so are we.

There are those that will try to blame technology and say money/paper banking is safer.

Let them not forget that elderly people are targeted more by bank fraud and theft of their paper money more than this.

Seven & i is a gigantic retailer and one of the most famous companies in Japan. So there is no safety zone against the violent IT attack in Japan.

Google, Apple and Samsung pay have been in use for a while and haven't heard about any similar problems. As soon as these Japanese companies enter the market with crappy IT engineers they get hacked. What's worse is the identity theft which can have far more consequences in the long term. All your personal info is on the street and who knows what else these crooks will do with them in their possession. That's why I stick to cash and credit cards only. No smartphone payments for me till they have proven that they can protect your identity

insert meme here: Japanese IT specialist "is this a password?"

call Me old fashioned but I still believe ‘cash is king’

It's pretty scary how many of these cashless payment systems have been hacked in Japan. I guess it's a reflection of the quality of Japanese workmanship. If you pay peanuts you get monkeys that can only produce poop.

Japanese cyber security is based on a code that is grounded on harmony hacking is not "wa" therefore not done. These hacking people need to check ther fax machine about this.

Has anyone faxed the minister of cyber security about this. He might not know this happened.

Today i noticed that family mart also has their fami-pay system, following in the footsteps of Apple pay, google pay, samsung pay, Pay pay (lol), 7 pay....

Why would you sign up for more than one of these payment systems? Why put your trust, and money in the hands of a minor payment system that has just been released? Why must so many companies slavishly copy someone else's successful formula thinking that will work for them too?

Going cashless has many merits. We can accumulate points to get a little discount for future purchases not to mention the welcoming attitude of cashiers towards consumers swift in making transactions. That said this has to make one think twice before linking a bank account to some system.

Tsuyoshi Kobayashi, president of Seven Pay Co., told a press conference in Tokyo that he never heard of two-factor authentication

Fixed. True story though. He was completely puzzled when the reporter asked why he didn't use it.

I don't care how many advantages there are to a cashless society. The disadvantages are ENORMOUS and this is just one of them. If YOU want to be cashless fine. You do that. I don't want to be. Stop advocating this garbage for all. Just knock it off. I want to choose how my life and finances are run, okay?

Cashless flow means brainless blow to the society. Being old as before and will be not easy to access your personal data. It reminds me the science fiction movies where all human being is readable in any angle.

Due to the rigidity of the Japanese employment system and salary structure companies wind up with crap code writers allowing for frequent data breaches like this one. 

I don't think this is specific to Japanese companies, I can imagine it could happen in any software product where out-dated software practices prevail. No doubt this is the case in many Japanese companies, but others have certainly caught on with 21st century methodologies.

And it seems that more fundamental flaws in the system design (sub-standard verification of users registering) may have been at fault, rather than any code that was written.

With the proliferation of "cashless" services these days, I guess it won't be the last time that people end up being a little "cashless"!

If YOU want to be cashless fine. You do that. I don't want to be. Stop advocating this garbage for all. Just knock it off. I want to choose how my life and finances are run, okay?

This! But im afraid we will be forced to become cashless somehow in the near future so that the government can track all hidden cashflows and suck more money out of the sheeple.

Seems going cashless may leave you moneyless! I will just stick to using cash!

Fax-based payments – it's the only solution.

Why I prefer cash whenever possible.

chinese...again.

@papigiulio

you hit the nail on the head - the government wants to track who is spending how much & where

Sounds like 7-11 has no idea how it happened. There are no facts to this story except money was stolen.

The information I heard was that if you had the tuple of (email address, telephone number, birthdate) it was possible to reset a user's password directly without a second-factor authentication. And the birthdate defaulted to a known value if the user did not set it in their profile (it was not required data at signup).

The information I heard was that if you had the tuple of (email address, telephone number, birthdate) it was possible to reset a user's password directly without a second-factor authentication. And the birthdate defaulted to a known value if the user did not set it in their profile (it was not required data at signup).

Normally for password reset, a reset link is sent to the registered email, so that is authentication enough. 7 pay's genius system allowed you send it to a completely new email! And to top it off, after they found out about the unauthorized accesses, they directed users to said site to reset their passwords!

Come to think of it, I wonder if this "system" was outsourced through multiple vendors...

Come to think of it, I wonder if this "system" was outsourced through multiple vendors...

Good point. Maybe these vendors need to veto the nationality of their programmers.

Normally for password reset, a reset link is sent to the registered email, so that is authentication enough. 7 pay's genius system allowed you send it to a completely new email!

Facepalm.

"This note is legal tender for all debts public and private."

The real motive is to enable the government to track your every move, every purchase, every communication.... for "security" no doubt, or is that Control.

I’m by no means expert in these things, but I have been reading a lot about payment systems and security for many years. From my research, it seems Apple Pay is maybe the most secure payment method. Of course it’s not yet in Japan, but I use it often in USA. Six years ago while in Japan, someone in USA got my Visa card number and spent $1,500.00. Only cost me time and had to get a new card, but with Apple Pay that kind of thing cannot happen. Anyway, Japan is sure behind the world on banking and payment systems.

Seven Pay said it will try to fully resume the payment service as soon as possible after investigating if there were any defects in the system.

It would appear that there are.

Systems pay are not banks.

Even Apple pay may get hacked one day.

If it is not your job to be a bank, don't.

In France, banks. must legally pay back any expense told as unwanted when reported.

Other payment systems are just gold diggers making you think they are banks but have not the history nor strength to endure an attack.

I never used paypal because it is rubb8sh about your rights. And so are others...

Feels like a insider job if indeed that's how they allow you to reset password. It's outright moronic, and ffs literally cold hard cash is at stake and this is how 7-11 does ****?

The users lost money? Don't they mean 7-11 lost the money. Isn't it 7-11's responsibility to cover the loss?

Like Michael Bolton said in "OfficeSpace"....just a mundane decimal error.

Reminds me of the Animal Farm mantra, 'Four legs good, two legs bad'.

In this case: 'Electronic good, hard cash bad.'

Dishonesty rules. The world is becoming a hackers' paradise.

This is just another reminder that cash is still relevant in any society.

If you are not hiring the best cyber-security with employed hackers...

GAME OVER!

Buying $2000 worth of vape cartridges from a konbini might ring some alarm bells by itself.

I'm sorry to hear of this "mistake" with not properly consulting with Cybersecurity experts. It could also be an issue of programmers here in Japan not understanding English well enough to keep up to date on the worldwide security issues.

The "mistake" (if not an inside job) regarding the password reset feature doesn't require any Cybersecurity expert. There's a question regarding it on the Fundamental Information Technology Engineer Examination. But really, it's a common sense issue. 7-pay probably outsourced it and didn't even bother to understand how it works.

https://www.fe-siken.com/kakomon/28_haru/q40.html

Btw, I've used Edy and ID mobile payments and they are pretty secure. You can only charge/pay on the phone you set it up with and have to go through a process to transfer it to another phone. But now there are too many payment systems to keep track of. As if every shop having their own point card wasn't enough, now every shop wants to have their own payment system.. The government really needs to get a hold of this, but seeing as they don't use computers...

Just watched a snippet of Seven Pay's president responding to a question about why 2 Step Authentication was not part of the systems's security.

Both his reaction and the NHK reporter's comment indicated he had no idea what 2 Step Authentication (Verificatin) was.

Reminds me of news last November about good old boy, emphasis on 'old', Japanese Minister in charge of cyber security, Yoshitaka Sakurada. He admitted he has never used a computer.

Cronyism AND Amakudari ... both alive and well in Japan Inc.

Ha, when questioned he responded my "thumb doesn't drive"

Police arrested two Chinese men on Thursday in connection with the problem, investigative sources said. They are suspected of illegally using the ID and password of a customer

About 1.5 million users have registered for the payment app.

possibly some 900 customers using its mobile payment service have lost a total of 55 million yen ($510,000) due to unauthorized access to their accounts.

What was the maker of the phones of the 900 who lost money ?

Was it Huawei ?

This is just another reminder that cash is still relevant in any society.

It is essential for criminal activity for sure, particularly drug related crimes (including cigarettes).