TL;DR: 7-Eleven Japan announced its mobile payment service, 7pay, was recently compromised. The case involves some 900 customers and more than half a million dollars in losses.

7-Eleven Japan Mobile Payment Service Hacked

The Japan Times reports government officials are none-too-pleased after 7pay was compromised. “The Ministry of Economy, Trade and Industry has determined the operator, Seven & I Holdings Co., failed to strictly follow guidelines to prevent unauthorized access and warned providers of similar services to ensure they confirm the identity of users,” the regional news outlet detailed.

Apparently, two men have been arrested in connection with the caper, which involved electronic cigarette cartridges and stolen IDs. It’s an inauspicious beginning for the new 7pay service, which was rolled out to 20,000 stores across Japan earlier this week. More than half a dozen stolen IDs were used to settle purchases of e-cigarettes, and have since been linked to a wider conspiracy.

“This reaction by 7Pay boss Tsuyoshi Kobayashi has been widely noted as a sign of how inadequate management oversight must have been. He's asked about 二段階認証 (nidankai ninsho – two factor authentication) and repeats the term as if it's the first time he's ever heard it.” pic.twitter.com/EXqKRFoIco (Mulboyne, @Mulboyne, July 5, 2019)

The men were recruited in a WeChat group, where they were offered the chance to make easy money by simply shopping in targeted districts within Tokyo. They appear to have been used in the scheme rather than being its masterminds. “The police suspect possible involvement of an international group that includes a hacker, a person who gives instructions and others who engage in the purchase and collection of the merchandise,” The Japan Times explained.

At some point, hackers were able to exploit a password reset function, which ultimately allowed for unauthorized transactions. The app displayed a barcode for cashiers to scan, which was linked to credit or debit cards. The password reset, however, evidently allowed anyone to request a change, and the reset could be relayed to a hacker’s email account, undetected. With a user’s date of birth, phone number, and email address, hackers could do their dirty work without the trouble of manipulating code or online redirects. In response, the company shut down the service after only two days, promising to compensate users.
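The reset weakness described above, modelled next to a hardened form. This is an added example, not 7pay's code and not part of the original article; the account data, function names and the `send_to` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; every value here is made up for this example.
USERS = {"user@example.jp": {"dob": "1990-01-01", "phone": "09000000000"}}


def _matches(user, dob, phone):
    # Constant-time comparison of the "knowledge" fields.
    return (hmac.compare_digest(user["dob"].encode(), dob.encode())
            and hmac.compare_digest(user["phone"].encode(), phone.encode()))


def reset_weak(outbox, tokens, email, dob, phone, send_to=None):
    """Weak form (assumed model): date of birth, phone and email count as
    proof of identity, and the link goes to any address the requester names."""
    user = USERS.get(email)
    if user is None or not _matches(user, dob, phone):
        return "no such account"  # also reveals which accounts exist
    token = secrets.token_urlsafe(32)
    tokens[token] = email  # token stored in the clear
    outbox.append((send_to or email, token))
    return "reset link sent"


def reset_hardened(outbox, tokens, email, send_to=None):
    """Hardened form: the link is delivered only to the address on file,
    the token is stored hashed, and the response never varies."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        tokens[hashlib.sha256(token.encode()).hexdigest()] = email
        outbox.append((email, token))  # send_to is ignored by design
    return "if the account exists, a reset link was sent"


if __name__ == "__main__":
    weak_out, hard_out = [], []
    reset_weak(weak_out, {}, "user@example.jp", "1990-01-01", "09000000000",
               send_to="other@example.net")
    reset_hardened(hard_out, {}, "user@example.jp", send_to="other@example.net")
    print("weak form delivered to:    ", weak_out[0][0])
    print("hardened form delivered to:", hard_out[0][0])
```

Delivering the link only to the registered address is the minimum; the two-factor authentication raised in the quoted tweet would add a check that does not depend on guessable personal details.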

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.
