Lack of proper two-factor authentication and device linkage led to the hacking of 900 customer accounts and $509,000 in fraudulent transactions in 7-Eleven’s mobile payment app, days after its launch
7-Eleven learned the hard way why it is critical to thoroughly test the security of software applications before they are launched. The company introduced a new mobile payment feature in its 7Pay app in Japan on 1 July 2019 that let users pay by scanning a barcode and charging the credit card details stored in the app. However, a design flaw in the app allowed attackers to have the password-reset details sent to an email address of their choosing, provided they knew the customer’s date of birth, email address and phone number. Information like this is often accessible on social media accounts. Furthermore, if the date-of-birth field was left blank, the app silently defaulted it to 1 January 2019, which made breaking into such accounts even easier.
7-Eleven shut down the payment feature on its app by 4 July, after several customers complained. By then, 900 consumer accounts were already reported to have been hacked, resulting in fraudulent charges of around $509,000 (JPY 55 million).
“This was a business logic flaw. The password reset email could be sent to any email, rather than the email address of the account holder. It is possible to test for business logic flaws as part of a point in time ‘pen test’ or a continuous assessment like a ‘bug bounty program’,” said Laurie Mercer, a security FGP engineer at HackerOne, a cybersecurity company.
Mercer also pointed out that “recent experience shows that when incentivised with a modest bounty - hackers can find loopholes like this within four minutes”.
The organization failed to implement basic two-factor authentication and device-linkage logic. It is therefore surprising that this flaw was not diagnosed before the application was launched.
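To make the flaw concrete, here is an added illustration (not 7-Eleven’s code, and not from any of the companies quoted) of a password-reset flow built the way the article describes, next to a hardened version. It models the three reported weaknesses: the requester chooses where the reset mail goes, a blank date of birth matches a guessable default, and no device linkage is checked; account records, phone numbers and device identifiers are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[date]         # None when the user skipped the field at sign-up
    devices: FrozenSet[str]     # device identifiers linked at registration/login

DEFAULT_DOB = date(2019, 1, 1)  # the silent default the article describes

# Constructed sample accounts (not real users).
ACCOUNTS: Dict[str, Account] = {
    "alice@example.com": Account("alice@example.com", "080-1111-1111", None, frozenset({"dev-a"})),
    "bob@example.com": Account("bob@example.com", "080-2222-2222", date(1990, 5, 17), frozenset({"dev-b"})),
}
OUTBOX: List[Tuple[str, str]] = []                 # (recipient, token) of reset mails "sent"
PENDING: Dict[str, Tuple[str, datetime]] = {}      # email -> (sha256 of token, expiry)

def vulnerable_reset(email: str, phone: str, dob: date, send_to: str) -> Optional[str]:
    """Flawed flow: the requester supplies phone, date of birth AND the destination
    address, and a blank date of birth on file matches the guessable default."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.phone != phone or (acct.dob or DEFAULT_DOB) != dob:
        return None
    OUTBOX.append((send_to, secrets.token_urlsafe(16)))
    return send_to  # mail goes wherever the requester asked

def hardened_reset(email: str, phone: str, dob: date, device_id: str) -> Optional[str]:
    """Fixed flow: mail goes only to the address on file, a missing date of birth
    never matches, the request must come from a linked device, and the token is
    single-use, short-lived and stored hashed."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.dob is None or acct.dob != dob:
        return None
    if not hmac.compare_digest(acct.phone, phone) or device_id not in acct.devices:
        return None  # unlinked device: a real app would demand a second factor here
    token = secrets.token_urlsafe(32)
    expiry = datetime.now(timezone.utc) + timedelta(minutes=15)
    PENDING[acct.email] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
    OUTBOX.append((acct.email, token))
    return acct.email

def redeem(email: str, token: str) -> bool:
    """Accept a token once, before expiry, comparing hashes in constant time."""
    entry = PENDING.get(email)
    if entry is None or datetime.now(timezone.utc) > entry[1]:
        return False
    ok = hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).hexdigest())
    if ok:
        del PENDING[email]  # single use
    return ok
```

Against the sample data, the flawed flow delivers Alice’s reset token to any address once the requester supplies the default date of birth, while the hardened flow refuses that request outright and only ever mails Bob’s token to Bob from a device already linked to his account.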
Proper penetration testing by security experts should have revealed this issue. “While penetration tests on their own are not enough for building secure applications, they are essential for ensuring that trivially exploitable flaws like this are discovered before launch,” noted Amit Sethi, senior principal consultant at Synopsys, a technology company operating in chip design, verification and application security.
“For regulatory controls in the future, requiring any application that handles payment credentials to undergo thorough application penetration tests could reduce the likelihood of such issues recurring,” he added.
To control the damage, the company promised to compensate customers for their losses and also set up a support line. However, the incident could have larger repercussions in a country that is already lagging in digital payment adoption.
According to Japan’s Ministry of Economy, Trade and Industry, Japan is still very cash-focused, with just 20% of payments cashless. Compare this with 90% cashless payments in neighboring South Korea, and between 40% and 80% in other developed countries. The country still has a long way to go to catch up, as the government reportedly targets doubling cashless payments to 40% by 2027.
Among other hacking incidents, Uniqlo, a leading Japanese retailer, also reported earlier this year that the data of 460,000 customers was compromised. Customer data is also more widely available on the dark net as credential-stuffing attacks increase across the industry. Akamai reported 30 billion credential-stuffing attacks in 2018, many of which, it said, were perpetrated using botnets.
Fraud incidents like that of 7Pay can reduce the confidence of citizens in digital payments while the government is undertaking efforts to promote it. Nonetheless, an agile response, fast reimbursement and regulatory controls to prevent such frauds in the future could play an important role in restoring customer trust.