[BreachExchange] Hackers Slurp $500, 000 Through 7-Eleven Mobile Payment App

Destry Winant destry at riskbasedsecurity.com
Mon Jul 8 10:00:44 EDT 2019


https://www.databreachtoday.com/hackers-slurp-500000-through-7-eleven-mobile-payment-app-a-12729

Hundreds of 7-Eleven customers in Japan collectively lost about
$500,000 over the course of several days this week after hackers
accessed a new mobile payment app that had poor password and user
authentication security, according to several media reports and
company statements.

On Thursday, 7-Eleven's corporate division in Japan released a
statement acknowledging that about 900 customers had been affected,
and the company is investigating. The mobile payment app, called
"7pay," is no longer in use, the company added.

All together, the company estimates that customers lost about ¥55
million or approximately $507,000 over several days, according to the
statement. 7-Eleven is also planning to reimburse customers for any
losses.

Not Designed for Security

It's not clear yet what caused the problem with the app, which
7-Eleven only released July 1for customers in Japan, but some
customers told Yahoo Japan that if hackers knew or guessed the date of
birth, email address and the phone number of a victim, they could
reset and change 7pay passwords.

It also appears that 7-Eleven didn't design two-factor authentication
into the app since the password reset did not require an SMS message
or another notification to the user before changing the password,
according to Yahoo Japan.

Instead, the password reset link would be sent to an email address
that hackers could then use to reset the password and access the app,
as well as credit card and other information stored within the
platform, the Yahoo Japan article shows.

By Thursday, 7-Eleven customers took to Twitter in Japan to show how
easily it is to bypass the 7pay password reset:


More information about the BreachExchange mailing list