7-Eleven in Japan caused hundreds of customers to lose about $600 each. Hackers stole the money via the convenience store’s newly launched mobile payments app, 7pay.

The app design had a frankly ludicrous flaw in its lost-password UX. As the reality of the stupendous error sinks in, infosec experts are left scratching their heads, dumbfounded.

How could this happen? And how can you prevent it from happening in your shop? In this week’s Security Blogwatch, we say 「現金は王です。」 ("cash is king").

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: magic.

Oh, thank heaven

What’s the craic? The anonymous Nikkei gnomes gnash Troubled start for 7pay:

[7-Eleven’s] new mobile payment service has been hacked just days after its launch, dealing a blow to a key element of the Japanese convenience store operator's digital strategy. … The parent of the chain confirmed that unauthorized charges had been made on some users' accounts.

…

This marks a setback for digital payments in Japan, which ranks lower than Asian peers in the rate of cashless transactions. … About 55 million yen ($510,000) [was] stolen from 900 or so 7pay users. The company has in effect suspended the service. … The Metropolitan Police Department suspects the involvement of an international criminal organization.

…

7pay did not have two-step authentication to verify the identity of users. … Rivals worry that the incident will hurt consumer confidence in digital payments. … The government's goal is for at least 40% of all payments to be cashless by the middle of the 2020s.

What went wrong? Catalin Cimpanu casts Hackers exploit 7-Eleven's poorly designed password reset function:

The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app. [It] was designed to show a barcode … when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the … credit or debit cards that have been saved in the account.

…

[But] the app contained a password reset function that … allowed anyone to request a password reset … but have the password reset link sent to their email address, instead of the legitimate account owner. A hacker only needed to know a 7pay user's email address, date of birth, and phone number.

…

With so much data about Japanese users lying around the internet from the multitude of past breaches, a hacker only had to compile it and automate an attack. … 7-Eleven users began complaining about being locked out of their 7pay accounts a day after the app launched.
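The flaw described above, rebuilt as a runnable toy so the difference between the broken and the fixed flow is visible in code. This is an added illustration, not 7pay's or the article's code: the in-memory account store, the mailer "outbox", the field names, the 15-minute token lifetime and the five-request limit are all assumptions made for the example.

```python
"""Constructed example: a password-reset flow that lets the caller pick the
delivery mailbox (the 7pay-style flaw), next to a hardened version that only
mails the address on file, answers identically for unknown accounts, rate
limits requests, and issues single-use, expiring, hashed tokens."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    dob: str
    phone: str
    password_hash: str = "<initial>"


@dataclass
class ResetService:
    """In-memory stand-in for the account system (assumption for this example)."""
    users: dict = field(default_factory=dict)     # email -> User
    outbox: list = field(default_factory=list)    # (recipient, token) the mailer would send
    tokens: dict = field(default_factory=dict)    # sha256(token) -> (email, expiry)
    attempts: dict = field(default_factory=dict)  # email -> reset requests seen

    TOKEN_TTL = 15 * 60     # seconds a reset link stays valid (assumed value)
    MAX_ATTEMPTS = 5        # reset requests allowed per account (crude rate limit)

    def register(self, email, dob, phone):
        self.users[email] = User(email, dob, phone)

    # Flawed design: the caller chooses where the reset link is delivered.
    def vulnerable_request_reset(self, email, dob, phone, send_to):
        user = self.users.get(email)
        if user is None or user.dob != dob or user.phone != phone:
            return False                       # "knowledge" that old breaches already leaked
        token = self._issue_token(email)
        self.outbox.append((send_to, token))   # BUG: attacker-supplied mailbox
        return True

    # Hardened design: delivery address comes only from the account record.
    def hardened_request_reset(self, email):
        self.attempts[email] = self.attempts.get(email, 0) + 1
        user = self.users.get(email)
        if user is not None and self.attempts[email] <= self.MAX_ATTEMPTS:
            token = self._issue_token(email)
            self.outbox.append((user.email, token))   # address on file, never from input
        return "ok"   # same answer whether or not the account exists (no enumeration)

    def _issue_token(self, email):
        token = secrets.token_urlsafe(32)      # 256-bit unguessable token
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, time.time() + self.TOKEN_TTL)  # store only the hash
        return token

    def redeem(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # single use: gone after first redemption
        if entry is None:
            return False
        email, expiry = entry
        if time.time() > expiry:
            return False
        self.users[email].password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        return True


def run_demo():
    """Replay the takeover against both designs; returns who received each link."""
    svc = ResetService()
    svc.register("victim@example.com", "1990-01-01", "090-0000-0000")
    # Constructed attacker knowledge: the three values earlier breaches leaked.
    leaked = ("victim@example.com", "1990-01-01", "090-0000-0000")

    svc.vulnerable_request_reset(*leaked, send_to="attacker@example.net")
    vuln_recipient, token = svc.outbox[-1]
    taken_over = svc.redeem(token, "attacker-chosen")   # attacker reads own inbox

    svc.hardened_request_reset("victim@example.com")     # only the email is accepted
    hard_recipient, _ = svc.outbox[-1]
    return {
        "vulnerable_link_sent_to": vuln_recipient,
        "account_taken_over": taken_over,
        "hardened_link_sent_to": hard_recipient,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check to carry into a review of any reset endpoint is the one the vulnerable path fails: trace where the delivery address comes from, and reject the design if any part of it is request input rather than the stored account record. The knowledge questions (date of birth, phone) are not a second factor, since they are exactly the data a breach compilation supplies.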

Got that? ARBG—@TheBlkGuyFrmWrk—checks his understanding:

Wait, so not only were the credentials pretty easy to obtain but just in case you by chance are locked out of the email you signed up with, you can send the reset link to another email address? Genius.

WTF? That was also the reaction of Dimitrios Kechagias:

I've never heard of a password reset ... that allows you to enter an alternate email before; that's got to be a first! … I'd like to know what geniuses designed/tested/approved this.

To which this Anonymous Coward extrapolates thuswise:

More likely a high dollar agency that subcontracted the work to someone who they didn't pay enough to give a **** about doing things right.

And Kevin Beaumont—@gossithedog—offers his thoughts:

Amazing. … I see three options:

- No pen test.

- No retest of pen test after remediation.

- Risk accepted.

…

Also malicious insider, as that got discovered really quickly.

…

They're having a bit of a nightmare trying to explain this one. The 7-Pay app didn't have two-factor authentication, and when asked about it the CEO didn't appear to know what it meant.

But ロップ—@southro_p—explains how hackers found it so quickly:

The password reset flaw was for a service called omni7 that has existed for many years. Previously there was no value in attacking the service so it completely flew under the radar, but when 7pay launched with the same account system, the attack vector was already known.

And another local—AmiMoJo—has more:

Apparently there was another flaw that let you get infinite free rice balls. Every time you sign up for an account you get a coupon for a free rice ball, and all you need to sign up is an email address, and of course generating an infinite number of those is trivial.

So this Anonymous Coward has given up on the whole shebang:

I have no sympathy for people that use their phone to transact money. I will only use cash or a physical credit or debit card. Phones are insecure, easy to lose, and hackable.

And once someone is in, it's likely they will be able to infest the rest of your connected accounts. People that use phones for everyday transactions when cash is more than adequate deserve what they get.

Meanwhile, MoonyThinker thinks on:

7-11, a store for stoners.

7-11 app, made by stoners.

The moral of the story?

Red-team your apps—before someone else does.

And finally

Video magic

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Aleister Kelman (cc:by)