7-Eleven Japan was forced to suspend its 7Pay mobile payment feature after a serious vulnerability emerged that allowed third parties to make fraudulent payments from hundreds of customer accounts.
The company launched the 7Pay mobile payment feature on July 1, allowing customers to scan barcodes with the application and have the amount deducted from a linked credit or debit card.
However, 7-Eleven received a complaint from a customer the next day: their account had been charged for transactions they did not make.
According to Yahoo News Japan, the application has a vulnerability that allows an attacker to request that the password reset be sent to a new email address simply by providing the user's correct date of birth, email address and phone number.
The application also defaults the date of birth to 1/1/2019 if the customer does not fill in that information, which makes it easier for attackers to get into such accounts.
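A minimal model of the reset logic described above beside a hardened variant, as an added example that is not from 7Pay's code or from the original article. The `Account` fields, function names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Default the article says was stored when the birth date was left blank.
DEFAULT_DOB = date(2019, 1, 1)

@dataclass
class Account:  # hypothetical record layout, not 7Pay's schema
    email: str
    phone: str
    dob: date = DEFAULT_DOB

def reset_as_described(acct, email, phone, dob, send_to):
    """Flow as the article describes it: matching three facts lets the
    requester pick the mailbox. Returns the reset-mail recipient or None."""
    if (email, phone, dob) == (acct.email, acct.phone, acct.dob):
        return send_to
    return None

def reset_hardened(acct, email, phone, dob, send_to=None):
    """Hardened variant: the reset mail only ever goes to the address on
    file, and a birth date that was never entered is not used as a check."""
    if (email, phone) != (acct.email, acct.phone):
        return None
    if acct.dob != DEFAULT_DOB and dob != acct.dob:
        return None  # a real birth date is on file and the answer is wrong
    return acct.email  # send_to is ignored: control of the mailbox is the proof

def demo():
    # Constructed sample data: an account whose owner skipped the birth date.
    acct = Account(email="user@example.com", phone="090-0000-0000")
    request = dict(email=acct.email, phone=acct.phone, dob=DEFAULT_DOB,
                   send_to="someone-else@example.net")
    return reset_as_described(acct, **request), reset_hardened(acct, **request)

if __name__ == "__main__":
    described, hardened = demo()
    print("described flow sends reset to:", described)
    print("hardened flow sends reset to: ", hardened)
```

Date of birth, email address and phone number are facts other people can know or guess, so the hardened variant relies on delivery to the registered mailbox rather than on those answers.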
About 900 customer accounts were attacked, and according to 7-Eleven Japan the amount taken was 55 million yen (about 500,000 USD). The company said it had stopped operating 7Pay by cutting off links to credit cards, putting alerts on its site and halting new user registrations.
7-Eleven Japan said it will compensate users whose accounts were hacked and has set up a customer support hotline.
A member of Japan's Ministry of Economy, Trade and Industry told 7-Eleven that the company did not comply with the security guidelines, according to Japan Times. The Japanese government has arrested two individuals who tried to use hacked accounts, suspecting that they cooperated with (or were hired by) a famous criminal group in China specializing in online theft.